topic Re: Data Center Object Enforcement in Azure in Cloud Firewall

Data Center Object Enforcement in Azure

Nicholas_Sherid — Sat, 06 Oct 2018 20:43:02 GMT

Hi forum!

My management server has been integrated with azure (I set up the data centre server).

I can read all the objects in Azure. (I'm running R80.10 gateway and mgt)

I have set up Identity Awareness too.

My gateways are not enforcing the rules I have created with datacentre objects!

Everything looks perfect on the management server, I can even see the IP addresses dynamically associated with the tags!!

I need some help figuring out why the gateways are not enforcing the rules.

I have looked all over for this - and I have a case raised, but TAC have gone a bit quiet!

Anyone help me with locating the documentation for this? I have looked everywhere.

When I do a "pep show user all" (not sure if this shows output on azure integration) i get nothing on the gateway - whcih makes sense.

Are there any logfiles? I have checked /var/log/messages - nothing!

Thanks!

Re: Data Center Object Enforcement in Azure

Ofir_Shikolski — Sun, 07 Oct 2018 18:17:11 GMT

I think: TAC will know better

How to debug issues related to Security Groups / Data Center objects not being enforced by vSEC Gateway

GW side:

"$FWDIR/log/azure_had.elg*" log files.
"$FWDIR/conf/azure-ha.json" log file.
"$FWDIR/log/cloud_proxy.elg" log file.

How to troubleshoot Updatable Objects in R80.20 (and higher)

Azure portal reports read and/or write limits, throttling API resources

Re: Data Center Object Enforcement in Azure

Nicholas_Sherid — Sun, 07 Oct 2018 21:17:38 GMT

Top response ofirsea040d26-f1f2-3b12-9fc6-5c89debaf56c! I was thinking about getting R80.20 and just blowing away my cirrent install.

Thanks again mate - much appreciated

Re: Data Center Object Enforcement in Azure

Nicholas_Sherid — Sun, 07 Oct 2018 21:20:11 GMT

I'll post up root cause and corrective action when I am done - share the wealth - I suspect it's something I have overlooked!!

Re: Data Center Object Enforcement in Azure

Nicholas_Sherid — Mon, 08 Oct 2018 17:10:29 GMT

configured datacentre object (azure intergration)
entered dynamically learned objects into fw policy
console told me to configure identity awareness
configured as terminal based, do AD later
no enforcement occuring - but updates being learned by console
Added a host_localhost (127.0.0.1) object
Went to cluster config > identity awareness > ticket Identity web api
Dropped host_localhost object into authorized client
BOOOM!

Dynamic enforcement enabled!!!!

So I missed out the bold bits HTH anyone who has the same issue as me

Re: Data Center Object Enforcement in Azure

Nicholas_Sherid — Mon, 08 Oct 2018 17:46:58 GMT

validate with pep show user all

Re: Data Center Object Enforcement in Azure

Carsten_R — Mon, 18 Feb 2019 13:38:08 GMT

Hello,

I have problems with that data center objetcs on an VMSS gateway in Azure.

I have enabled the Identity Awareness blade with the autoprov CLI feature. The VMSS gateway has an active Identity Awareness blade, the Remote Web API is checked, and one autogenerated host with IP 127.0.0.1 is added.

I have added the data center object for Azure, and everything is fine, I can seach all objects in my Azure inventory.

But when I would like to install the policy with one virtual machine from that Azure inventory, I receive an error.

If you have any good advise, because I'm normally familar with that data center objects for on-prem vCenter environments. In my opinion, it should the nearly "the same" for Azure objects...

Management and VMSS gateway is running on R80.20.

Best Regards,

Carsten

Re: Data Center Object Enforcement in Azure

Nicholas_Sherid — Mon, 18 Feb 2019 13:49:39 GMT

Hi Carsten,

Dont panic! All thats happened it is you must have combined regular objects, and objects learned from Azure in the same source field in the rule

Easiest thing I expect is to duplicate the rule, and in one rule leave the normal objects, and in the other rule put the objects in that are learned from azure

HTH

Re: Data Center Object Enforcement in Azure

Carsten_R — Tue, 19 Feb 2019 05:00:18 GMT

Upps, life can be so easy when you only read the error message 🙂

You're right Nicholas, that was the problem, it is working now - thanks a lot!

Re: Data Center Object Enforcement in Azure

Senaka — Fri, 08 Nov 2019 02:53:03 GMT

I would like to know if Azure Data Center objects only work with vSec gateways or does it also work with 15400 (r80.30) on-prem security gateways?

Re: Data Center Object Enforcement in Azure

Gil_Sudai — Fri, 08 Nov 2019 07:52:25 GMT

Data Center objects works also with on-prem GW.