topic Re: Problem in facing SIC Management to Branch office firewall in Firewall and Security Management

Problem in facing SIC Management to Branch office firewall

Akram_wasim — Fri, 02 Aug 2019 07:12:05 GMT

Hi All,

Currently i build my Home lab for CCSA R.76 .

When i try to add or link Management and Branch Firewall SIC is not establishing

Note : HQ F-W and Management SIC established working fine no problem with that,,.please help #CCSA .76

Can some one help me to resolve my problem

@cbtnuggets R76

Below are the topology :

Re: Problem in facing SIC Management to Branch office firewall

Norbert_Bohusch — Fri, 02 Aug 2019 12:23:35 GMT

I assume routes are ok.

I think you have not pushed policy to HQ-FW1 after creating object of Branch-FW2 with correct IP.
This is necessary for HQ-FW1 to create relevant implied rules to allow Mgmt/GW-communication!

Re: Problem in facing SIC Management to Branch office firewall

Akram_wasim — Fri, 02 Aug 2019 12:30:05 GMT

HI Norbort,

Thanks for reply,
I have one management , for the first gateway (HQFW) SIC is established.
In rule base table , I allow any source any destination is accept which mean from management to FW-2 need to form SIC but in my case ,SIC is not established ...Please help

Re: Problem in facing SIC Management to Branch office firewall

Norbert_Bohusch — Fri, 02 Aug 2019 12:32:13 GMT

Routes are ok?

Can you reach gw2 from mgmt using SSH for example?

What are you seeing in log?

Have you tried capturing packets on gw1 using tcpdump/fw monitor?

Re: Problem in facing SIC Management to Branch office firewall

Akram_wasim — Fri, 02 Aug 2019 12:35:14 GMT

I havent verified logs and but

From management to GW2 when i ping 192.168.1.111 its unreachable..

So which means there is problem with routes ? Correct me if i am wrong..

Re: Problem in facing SIC Management to Branch office firewall

Akram_wasim — Fri, 02 Aug 2019 12:38:11 GMT

from Management i added routes to 10.1.1.111

on GW 1 i added routes to 192.168.1.1 outside ,so i taught from management we can able to reach GW2 ..

whether i need to add routes from GW2 to Management, Is it necessary ?? Please reply

Re: Problem in facing SIC Management to Branch office firewall

Vladimir — Fri, 02 Aug 2019 12:42:28 GMT

Because this is the lab an you are trying to determine if your routing is OK, do the following:

In your SmartConsole go to Global Policy Properties and enable ICMP as well as "Log Implied Rules".

SSH into your branch gateway (or open an emulated console) and perform "fw unloadlocal".

Its default policy will be blocking ICMP.

Then verify that your routing is working and that you are getting ICMP responses where expected.

Configure Static NAT for the Management Server object to translate its internal IP into one of the available IPs in 192.168. network.

Cheers,

Vladimir

Re: Problem in facing SIC Management to Branch office firewall

Akram_wasim — Fri, 02 Aug 2019 13:07:50 GMT

OK Vladimir ,I will check and come back if there is any issue..

Thanks

Re: Problem in facing SIC Management to Branch office firewall

Akram_wasim — Fri, 02 Aug 2019 18:10:22 GMT

Vladimir,

Still facing same issue ,Unable to for SIC between Management to B-FW

Unable to ping Management

help..

Thanks

Re: Problem in facing SIC Management to Branch office firewall

Norbert_Bohusch — Fri, 02 Aug 2019 18:18:27 GMT

You have no route on your gateway! As management is not in a directly attached network, you need to add correct routing!

Re: Problem in facing SIC Management to Branch office firewall

Vladimir — Fri, 02 Aug 2019 18:19:39 GMT

@Akram_wasim , your management server's IP is not in your FW2 routing table.

If you want to ping it, provided the static NAT is assigned to the Management server's object, you should be able to ping the IP you are NATing it to, i.e. one in the 192.168.1.*/24 range.

Otherwise, provided you have ICMP enabled in Global properties, you should add a route to 10.1.1.25/255.255.255.255 to your BQF or specify the route to the entire 10.1.1.0/24 network with the next hop being external IP of your primary gateway.

Re: Problem in facing SIC Management to Branch office firewall

Akram_wasim — Fri, 02 Aug 2019 18:38:49 GMT

Hi Vladimir

Same issue

1. I have enabled the ICMP in Global properties

2. add default routes from BFW to FW1 external IP

I am unable to ping ..

Pic 1 : Add static Nat from Manager to 192.168.1.112

Pic 2 : routing table FW 2

Re: Problem in facing SIC Management to Branch office firewall

Akram_wasim — Fri, 02 Aug 2019 18:40:32 GMT

can you help how to add route in B-FW ,Seriously i cant do it .Please help

Re: Problem in facing SIC Management to Branch office firewall

Vladimir — Fri, 02 Aug 2019 18:50:12 GMT

Can you ping from BQFW the IP of 192.168.1.112?

Have you enabled the "Log Implied Rules" in Global properties to see where your ICMP traffic is going in the logs?

You either use static NAT and refer to the Management server by its' NATed IP (the most common scenario in practice), or in your lab environment, do not NAT, but rely on static routes.

As shown in your screenshot below, the Static NAT is being applied to the "Security Gateway control connections".

This means that you should be able to establish SIC with BQFW even in the absence of ICMP, if your routing is correct.

Try performing "fw unloadlocal" on the BQFW and ping and trace route to it from your management server to see where things are breaking down.

Additionally, verify that on your Management Server the default route is configured to use FW1 internal interface as it's gateway.

Re: Problem in facing SIC Management to Branch office firewall

Vladimir — Fri, 02 Aug 2019 19:01:33 GMT

If you are using WebUI, it is self-explanatory.

If you are trying to do this via Clish:

On your Management server (where SMS is the hostname of your management server):

SMS> set static-route default nexthop gateway address 10.1.1.111 on

SMS>save config

On your HQ-FW1:

HQ-FW1> set static-route 10.2.2.0/24 nexthop gateway address 192.168.1.222 on

HQ-FW1> set static-route 172.16.2.0/24 nexthop gateway address 192.168.1.222 on
HQ-FW1>save config

On your Branch-FW2:

BQFW> set static-route 10.1.1.0/24 nexthop gateway address 192.168.1.111 on

BQFW> set static-route 172.16.1.0/24 nexthop gateway address 192.168.1.111 on
BQFW>save config

Re: Problem in facing SIC Management to Branch office firewall

Akram_wasim — Fri, 02 Aug 2019 19:29:32 GMT

Hi,

Added all route as per instruction you had given to me but same issue nothing has changed ,able to ping FW2 to Manager

Above are current routing table after you shared me new routes ,i added everything and enable icmp in the global properties ,,i done everything ,, This is so headache,, i am unable to figure out.

Re: Problem in facing SIC Management to Branch office firewall

Vladimir — Fri, 02 Aug 2019 19:37:51 GMT

Show the route on your management server.

Have you created the firewall objects, defined their topology, configured security policy for the HQ-FW, published it and installed?

If not, you cannot expect this to work unless you perform "fw unloadlocal" on both firewalls.

Please show a screenshot of your policy here.

Please show the "Network" property of both firewall objects here.

Re: Problem in facing SIC Management to Branch office firewall

Vladimir — Fri, 02 Aug 2019 19:42:35 GMT

P.S. In your management server's screenshot, the routes shown are NOT the one I have wrote you to add:

On your Management server (where SMS is the hostname of your management server):

SMS> set static-route default nexthop gateway address 10.1.1.111 on

SMS>save config

VS. yours:

Your management server cannot know how to reach the 10.2.2.0/24 network, your HQ-FW does.

Re: Problem in facing SIC Management to Branch office firewall -My policy

Akram_wasim — Fri, 02 Aug 2019 19:53:09 GMT

Re: Problem in facing SIC Management to Branch office firewall

Akram_wasim — Fri, 02 Aug 2019 19:57:13 GMT

manager routes