topic Re: Untrusted Gateway - Remote Fix in General Topics

Untrusted Gateway - Remote Fix

Wyman — Fri, 04 Oct 2019 10:12:42 GMT

Hi all. Our standalone firewall in our remote office has an 'untrusted' status due to a SIC reset from what I understand from a CP article (only SNMP settings and FW rules were configured). Trouble is, there is no-one at the office at the moment and I was wondering whether I could do anything remotely to bring the firewall back up.

I have done a 'vpu tu' on our local gateway and can see the remote firewall SA in the list of IKE SAs.

If I reset the tunnel would this fix the issue, or would I have to get someone on-site to physically reset the box?

Thanks

Re: Untrusted Gateway - Remote Fix

G_W_Albrecht — Fri, 04 Oct 2019 11:08:52 GMT

A StandAlone Firewall has SIC only with itself - so i do not quite understand the issue. To fix this from Remote (or at least try to) i would involve TAC for a quick RAS...

Re: Untrusted Gateway - Remote Fix

Wyman — Fri, 04 Oct 2019 11:11:35 GMT

Hi. Thanks for the response. Sorry, wrong terminology. I meant it's a single firewall (no HA)!

Re: Untrusted Gateway - Remote Fix

FedericoMeiners — Fri, 04 Oct 2019 12:43:31 GMT

Tbgaz,
Please share with us which model do you have on your branch office and on your HQ as well as Gaia OS versions installed.

What happens when you try yo test SIC from the management?

You can try to reset the tunnel but it seems that you will need someone on the other side to reboot it.
For next time set up a backup entry on your branch office firewall like a remote VPN o allowing only some IPs (Such as the one from your HQ) to access it via the public IP.
___

Re: Untrusted Gateway - Remote Fix

Wyman — Fri, 04 Oct 2019 13:19:46 GMT

Hi Federico,

It is a R77.20 (an upgrade is imminent) 1450 Appliance. When I test the status it says 'Could not establish TCP connection with <public IP>'.

I am waiting for a colleague to get into the office so they can connect to the Gaia config page on the LAN to reboot as the FW is behind a locked door (serviced office) for which we have to open a ticket for IT to give us physical access.

Hopefully a reboot will fix.

Re: Untrusted Gateway - Remote Fix

FedericoMeiners — Fri, 04 Oct 2019 13:26:33 GMT

Can you confirm that the site has internet connectivity? If yes then it seems that reboot is your only option. You may want to set up an alternative way to access the gateway in the future 🙂

Re: Untrusted Gateway - Remote Fix

PhoneBoy — Sat, 05 Oct 2019 04:17:57 GMT

If SIC trust is truly broken through a reset, there's nothing you can do remotely unless you have some sort of out-of-band access.