topic Re: problem with monitoring 1500 appliance LTE in Spark Firewall (SMB)

problem with monitoring 1500 appliance LTE

Wolfgang — Sun, 06 Mar 2022 17:22:55 GMT

Hello CheckMates,

we had a bunch of 1500 appliances connected to the internet via LTE. Everything is working fine, VPN tunnels are up and traffic flows. But all appliances are shown as disconnected in Smartconsole/SmartviewMonitor. After debug we could see the LTE provider did some NAT for the appliance. The Managementserver does not get the real IP of the appliance, only the NATed IP. I think this is normal behaviour if any NAT is done on the way between remote and central gateway but do we have any chance to get a green state in Smartconsole for the LTE appliances with dynamic IPs?

Re: problem with monitoring 1500 appliance LTE

Chris_Atkinson — Mon, 07 Mar 2022 00:53:10 GMT

Review the following articles sk120136 / sk93566 as a start, not all implied rules apply for traffic from DAIP gateways ...

Re: problem with monitoring 1500 appliance LTE

Wolfgang — Mon, 07 Mar 2022 07:16:23 GMT

@Chris_Atkinson checked these sarticles, everything looks fine. SmartProvisioning is mentioned in the article but we don't use this feature, alle gateways are defined as normal DAIP gateways. There are no firewall-rules between remote and central gateway.

Can you please explain the needed traffic flow for the "connect" state. Will be there a need for a cpd_amon connection from the management to the remote DAIP gateway or vice versa?

Re: problem with monitoring 1500 appliance LTE

G_W_Albrecht — Mon, 07 Mar 2022 08:06:24 GMT

Please explain the NAT used here - sounds like static NAT, not dynamic IP to me...

Re: problem with monitoring 1500 appliance LTE

Wolfgang — Mon, 07 Mar 2022 08:34:18 GMT

@G_W_Albrecht we have no information which kind of NAT is done via the LTE provider, this is something mysterious done by the German Telekom in the LTE network. We could see the appliance getting IP-adress (10.xx.xx.xx) but on the management we could see the appliance as 80.xx.xx.xx.

Re: problem with monitoring 1500 appliance LTE

Chris_Atkinson — Mon, 07 Mar 2022 08:45:48 GMT

Central gateway has rules in-place of the implied rules for the traffic from DAIP gateway/s or is mgmt traffic via VPN?

Re: problem with monitoring 1500 appliance LTE

G_W_Albrecht — Mon, 07 Mar 2022 09:32:20 GMT

Then maybe you can just be glad that VPN is working 8)

Re: problem with monitoring 1500 appliance LTE

Wolfgang — Mon, 07 Mar 2022 09:54:36 GMT

Yes, rules exists for the management ports like cpd, fw_log, cpd_amon etc. VPN is working fine, logs are sent to the management. Only the state of the appliance is not shown as connected and the state of the VPN tunnel is shown as down in SmartviewMonitor.

Are there any requirements if the appliance will be installed behind another NAT-device ?

Re: problem with monitoring 1500 appliance LTE

Wolfgang — Wed, 09 Mar 2022 16:24:49 GMT

@Chris_Atkinson my question again.... we had a DAIP appliance behind a NAT device, only NAT no firewall. Will it be possible to get these appliance to the green state meaning "connected" in Smartconsole view ?

Re: problem with monitoring 1500 appliance LTE

Chris_Atkinson — Thu, 10 Mar 2022 07:05:36 GMT

I've sought some feedback on your behalf (in the absence of a corresponding SK etc) and will update you accordingly.