topic Internal Firewall Has No Internet Connection, But Network Within Internal LAN Has in Firewall and Security Management

Internal Firewall Has No Internet Connection, But Network Within Internal LAN Has

SecurityNed — Wed, 28 Aug 2024 10:18:16 GMT

Hello Checkmates,

I have a question regarding the behavior of my internal firewall. Please see image below as reference:

Currently, anything below INTFW has internet access, but for some reason, INTFW doesn't. I have confirmed this when I checked my URL and App Control updates, and it shows a failed attempt. Logs show allowed via implied rule as seen in the screenshot below:

Running fwctl zdebug + drop | grep [INTFW IP] on EXTFW1 (current active cluster member) doesn't show any drops, so it confirmed that the allowed log entries are correct. It shouldn't be about the routes as my internal network is working as it should be, it's only INTFW that doesn't have internet.

I would like insight to this as it would allow me to then update my internal firewall to the latest JHF and would probably fix a lot of issues that I'm experience.

Thanks!

Re: Internal Firewall Has No Internet Connection, But Network Within Internal LAN Has

Chris_Atkinson — Wed, 28 Aug 2024 10:30:38 GMT

What do the logs say, does it show the traffic is being NAT'd at the Ext firewall??

Re: Internal Firewall Has No Internet Connection, But Network Within Internal LAN Has

SecurityNed — Wed, 28 Aug 2024 10:51:54 GMT

Here's an example of a log egress to 8.8.8.8 from the INTFW

I see no translation entries, but we do have a NAT policy, the group INTERNAL should have the 192.168.4.X IP address configured on the internal firewall.

Re: Internal Firewall Has No Internet Connection, But Network Within Internal LAN Has

Chris_Atkinson — Wed, 28 Aug 2024 10:58:40 GMT

The source address shown in the log is different to the subnet you mention so it may not be hitting your current NAT rules.

Granted since it's not an RFC1918 it might be a moot point if the address is valid otherwise.

Re: Internal Firewall Has No Internet Connection, But Network Within Internal LAN Has

SecurityNed — Wed, 28 Aug 2024 10:57:18 GMT

Would I still need NAT if the scenario is:

INTFW [20.20.0.4] <---> EXTFW1 [20.20.0.3]

That IP is the link that is directly connected to the EXTFW1, so I would assume I don't need to NAT it as its directly connected.

Re: Internal Firewall Has No Internet Connection, But Network Within Internal LAN Has

Chris_Atkinson — Wed, 28 Aug 2024 11:00:51 GMT

If it's a public routeable address that is valid and belongs to your org then no...

Re: Internal Firewall Has No Internet Connection, But Network Within Internal LAN Has

SecurityNed — Wed, 28 Aug 2024 11:05:30 GMT

Yes, that's why the behavior is unusual. To add, I can ping to my DMZ-residing servers without issue, it's that one hop going to the internet that is not working for some reason. So, for ping tests:

INTFW --> EXTFW1 Interface (20.20.0.3) = ok
INTFW --> DMZ IPs (172.16.X.X) = ok
INTFW --> Internet = log says its okay, but ping within the gateway fails

Re: Internal Firewall Has No Internet Connection, But Network Within Internal LAN Has

Chris_Atkinson — Wed, 28 Aug 2024 12:00:07 GMT

I've sent you a DM to check something related here regarding your choice of IP addresses.

Re: Internal Firewall Has No Internet Connection, But Network Within Internal LAN Has

the_rock — Wed, 28 Aug 2024 13:35:04 GMT

If you run ip r g 8.8.8.8 command, what does it show?

Andy

Re: Internal Firewall Has No Internet Connection, But Network Within Internal LAN Has

Chris_Atkinson — Wed, 28 Aug 2024 13:44:05 GMT

Most likely the issue is the source IP in this case.