topic 1500/1600 Locally Managed - IPSEC Local encryption domain in Spark Firewall (SMB)

1500/1600 Locally Managed - IPSEC Local encryption domain

SaxMan — Mon, 19 Sep 2022 19:52:20 GMT

Hi,
I'm trying to test the following scenario in a LAB with locally managed 1500 and 1600 appliances - running R81.10.

POC Requirement:
A local encryption domain for each IPSEC (S2S) tunnel.
Example:
HQ's LAN = 192.168.88.0/24
Interesting traffic:
1. Warehouse_WMS_Server_192.168.88.22 Port: tcp/9443
2. Biometrics_Access_Server_192.168.88.24 Ports: rdp_33899
3. HQ's LAN = 192.168.88.0/24
Required rules:
1. Delivery company must access Warehouse_WMS_Server_192.168.88.22 Port: tcp/9443 ONLY
2. Access/physical security company must access Biometrics_Access_Server_192.168.88.24 Ports: rdp_3389 ONLY
3. Remote/Branch office to have access to entire 192.168.88.0/24 network for AD, MFA, SIP/VOIP, HR, etc

When appliance (HQ) has STANDARD mode enabled on the firewall blade control, it auto generates:
Source: VPN Sites Destination:Any Service:Any Action:Accept Log:log
(cannot be changed)
In the section "Site To Site" --> "Advanced" there is an option to define local encryption separately.
With only 192.168.88.22 and 192.168.88.24 defined therein, it means that the delivery company is able to "ping" / access the Biometrics server at 192.168.88.24 and vice versa.
If the entire 192.168.88.0/24 is in local encryption then it's basically "open" to all. (and so is "automatically determine local network topology")

If, the blade control is switched to STRICT, the "VPN Sites" object is no longer available and thus manual rules cannot be created.

Any suggestions on how to achieve the above would be greatly appreciated.
I also had a look at the "NextGen" rules in SMP/Infinity - does not appear to be 'doable' there either.
(I hope it something simple that I'm overlooking) 😄 😀

Many thanks.
👍

Re: 1500/1600 Locally Managed - IPSEC Local encryption domain

G_W_Albrecht — Tue, 20 Sep 2022 11:52:35 GMT

This is beyond the scope of the SMB appliances ! You can open a SR# with CP TAC to get that confirmed.

Re: 1500/1600 Locally Managed - IPSEC Local encryption domain

SaxMan — Tue, 20 Sep 2022 12:10:40 GMT

Thanks a million for the feedback.
Let me engage my local CP Account Manager and explore the chances/possibility of applying for a RFE.
👍

Re: 1500/1600 Locally Managed - IPSEC Local encryption domain

G_W_Albrecht — Tue, 20 Sep 2022 12:48:41 GMT

RFE for GAiA features on GAiA Embedded is a nice try ! I would not think that there are any hopes for fullfillment...

Re: 1500/1600 Locally Managed - IPSEC Local encryption domain

SaxMan — Tue, 20 Sep 2022 13:12:10 GMT

I think it'll be worth a shot?
'Cos if we build IPSEC tunnels (as outlined above) on the current (I get the embedded aspect) topology, could it not be seen as a risk by potential clients that we demo IPSEC to?
In other words: 2 different business partners connecting to their network, but cannot be separated by individual local encryption domains?

The other option would be to build ("Non-VPN") rules:
Each business partner connects from their public/static IP address to the HQ's NATted IPs for the appropriate/relevant server(s).
(Or...servers are put in the DMZ?)
But, the brief/requirement (in this case) is IPSEC.

Re: 1500/1600 Locally Managed - IPSEC Local encryption domain

G_W_Albrecht — Tue, 20 Sep 2022 13:22:29 GMT

It took very, very long until we did receive more than one VPN community in GAiA - so i think this is not very realistic...

Re: 1500/1600 Locally Managed - IPSEC Local encryption domain

SaxMan — Tue, 20 Sep 2022 13:47:47 GMT

For real?? 😃
OK...I also asked a while back for on-prem/3rd party MFA for AD/VPN users. (SMB appliances)
I saw a few mentions regarding this on the "SMB Masters" webinar a few weeks back - so, I'm crossing fingers.
😀
Thanks a million for your insight.