topic stealth rule conflict mobile access rule in Firewall and Security Management

stealth rule conflict mobile access rule

Arturxr — Mon, 22 Aug 2022 08:18:50 GMT

Rule 1 conflict with Rule 2 for Services & Application https when installing policy

Rule 1 is stealth rule - SRC: Any, DST: GWs, Services: Any, Action:Drop

Rule 2 is under mobile access rule(layer) - SRC: IPs, DST: GW, Services: https, Action: Drop

tell me why the rules conflict and what needs to be changed in order for the policy to be established

Re: stealth rule conflict mobile access rule

G_W_Albrecht — Mon, 22 Aug 2022 10:58:17 GMT

I do not understand what you are trying to achieve - Rule 1 Any GWs Any Drop is the big brother of IPs GWs https Drop and will always shadow Rule 2 ! So just leave out Rule2...

Re: stealth rule conflict mobile access rule

Arturxr — Wed, 24 Aug 2022 06:52:27 GMT

I made a mistake with the description, in the second rule Accept.

According to Mobile Access R80.30 Administration Guide in Mobile Access and the Unified Access Policy - Best Practices for Rules:
Do not use a gateway as the Destination in a Mobile Access rule. The rules authorize a user's access to an internal resource. Use Any or the internal hosts of relevant applications in the Destination column.

We set the portal address in Destination (the portal address is the external virtual interface of the cluster), after that our traffic is dropped implied rules - dropped by multiportal infrastructure

Re: stealth rule conflict mobile access rule

G_W_Albrecht — Wed, 24 Aug 2022 08:24:59 GMT

Sorry, i can not understand you. You have two conflicting rules in your first post, both with Dest GW, and now you tell us: Do not use a gateway as the Destination in a Mobile Access rule.

Re: stealth rule conflict mobile access rule

the_rock — Wed, 24 Aug 2022 11:55:10 GMT

I know lots of people may disagree with what I will say, but I always found stealth rule in the policy not that useful. If you think about it, implicit clean up rule would block any unwanted traffic, but its true that at the end of the day stealth rule does serve the purpose of blocking communication to the firewall itself.

Anyway, back to your issue...Im also little confused like @G_W_Albrecht . Can you send a screenshot? I think it would help...happy to do remote if you like and help you out.

Re: stealth rule conflict mobile access rule

Arturxr — Tue, 06 Sep 2022 07:54:39 GMT

Re: stealth rule conflict mobile access rule

Arturxr — Tue, 06 Sep 2022 07:57:26 GMT

when trying to install a policy with rules 15, 16 enabled and rule 9 disabled, it fails.

Re: stealth rule conflict mobile access rule

G_W_Albrecht — Tue, 06 Sep 2022 08:04:26 GMT

I would suggest that you better ask TAC for a solution...

Re: stealth rule conflict mobile access rule

Arturxr — Tue, 06 Sep 2022 08:08:51 GMT

after we set the portal address to rule 16 instead of the gateway object in destination, our traffic began to be blocked by implied rules

Re: stealth rule conflict mobile access rule

the_rock — Tue, 06 Sep 2022 12:28:40 GMT

Can you send screenshot of how currently rules are set?

Andy

Re: stealth rule conflict mobile access rule

Arturxr — Thu, 08 Sep 2022 08:19:00 GMT

mobile access portal uses 443 port, gaia - 4434

Re: stealth rule conflict mobile access rule

Arturxr — Thu, 15 Sep 2022 08:39:15 GMT

We moved the Mobile Access rule above the Stealth rule, but now we have third-party users, when they receive an address from our pool, they lose their local network.
All traffic begins to wrap itself in the tunnel. Can you tell me where to set it up?

Re: stealth rule conflict mobile access rule

G_W_Albrecht — Thu, 15 Sep 2022 09:02:45 GMT

Why not contact TAC to get this resolved once and for all ?

Re: stealth rule conflict mobile access rule

the_rock — Thu, 15 Sep 2022 12:55:32 GMT

I agree 100% with @G_W_Albrecht . Just work with TAC and have this resolved.