topic Re: cprid implied rule in Spark Firewall (SMB)

cprid implied rule

John_Fleming — Wed, 11 Mar 2020 20:53:36 GMT

Does anyone know if there is an easy way to exclude cprid from implied rules? The use case I have is to hit cprid through a vpn tunnel on a daip gateway. Basically hit the internal interface through a vpn tunnel. Currently it seems implied which prevents encryption.

All the daip gateways are on a MDS (CMA) running R80.20 if that matters. Daip gateways are mostly R77.20.x

Re: cprid implied rule

John_Fleming — Wed, 11 Mar 2020 20:55:27 GMT

I should also point a large portion of the daip gateways are behind nat devices so i wouldn't have direct access to the external interface.

Re: cprid implied rule

PhoneBoy — Thu, 12 Mar 2020 01:07:54 GMT

In general you should consult with TAC if you want to do anything SIC over VPN.
That said, poking around in implied_rules.def in the relevant Backward Compatibility directory, it seems like this should work already.
Perhaps you can twiddle some bits there and see.
Or open a TAC case.

Re: cprid implied rule

John_Fleming — Thu, 12 Mar 2020 05:02:19 GMT

I'm assuming your talking about

#define accept_cprid in the CPR77CMP dir?

My hope was not to touch .def files FYI.

I haven't chatted with the last 2 diamond reps so maybe its time to reach out.

Re: cprid implied rule

PhoneBoy — Thu, 12 Mar 2020 19:54:40 GMT

When you're talking about implied rules for SIC and friends, you're in .def modifying territory.

Re: cprid implied rule

John_Fleming — Thu, 12 Mar 2020 21:06:41 GMT

yeah labbing up now. For some reason I was thinking i saw something where you could exclude services somewhere but i think i might be thinking about excluding services from vpn topo which wouldn't help.

/shrug