
Firewall management

I have inherited an environment with 3 firewall managers and several gateway clusters.

The gateway IP addresses defined for management (the gateway objects' IPs) are cluster type/network objective.

I am planning to change this configuration and manage the gateways using "non monitored private" interfaces.

To do that I also need to create a new IP for the firewall manager. So basically I will create a new network/VLAN for firewall management where I will attach the firewall gateways and firewall managers.

The current firewall manager has two interfaces and it reaches the firewall gateways through both interfaces, so it presents different IPs to different gateways.

We don't have implied rules for the management traffic. Global properties -> Firewall -> Accept control connections is disabled. Therefore we have explicit rules with the firewall manager and firewall gateway objects.

We also have implied rules for "Outgoing packets generated from the firewall gateway".

I have checked the logs to analyze the firewall manager and I have seen that two of the firewall manager IPs match the explicit rule for management traffic. I am wondering why. Is it expected?

I would have expected to see matches only from the IP configured in the firewall manager object.

The firewall manager license is linked to the old firewall manager IP. Does the firewall management IP need to be the same as the licensed IP? Or is it only required to have the licensed IP configured on a network interface?

I was thinking of configuring new explicit rules for the new firewall gateways and new firewall managers. I guess that it won't hurt anyway. But it looks like it wouldn't be needed, as we have an implicit rule for the firewall gateway's outgoing packets and it looks like the firewall manager object contains all the firewall manager IPs.

In terms of SIC, I don't need to be worried about it as SIC doesn't care about IPs, correct?

Finally, I was wondering what the purpose of the firewall manager IP is. I can think of two:

  • To be used in the implicit rules for management traffic
  • To sync with the other firewall manager in an HA firewall manager architecture

Am I missing something?

5 Replies

Re: Firewall management

On a multi-homed system, the OS will determine which IP the connection will come from.

Since you have multiple interfaces, it will depend on the routing table.

This is expected.

The licensed IP only needs to match the IP of one of the interfaces, it doesn't matter which.

SIC is based on certificates, not on IP address.

The management IP address is used when the gateway needs to initiate communication in specific circumstances (e.g. fetch policy), and would factor into implied rules.

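The reply above says the source IP of a management connection is whatever the routing table picks for the destination. The following is an added example (not code from the thread or from Check Point) that models that selection as a longest-prefix-match lookup over a constructed routing table with hypothetical addresses, and then checks whether an explicit management rule built from plain host objects would cover every source IP the manager can present. The route table, interface names and addresses are all assumptions for illustration.

```python
import ipaddress

# Constructed routing table for a dual-homed management server
# (hypothetical addresses, not from the thread). Each entry is
# (destination prefix, next hop or None if directly connected, interface, source IP).
ROUTES = [
    ("10.10.0.0/24",     None,        "eth0", "10.10.0.5"),
    ("10.20.0.0/24",     None,        "eth1", "10.20.0.5"),
    ("192.168.100.0/24", "10.20.0.1", "eth1", "10.20.0.5"),   # remote gateway subnet via eth1
    ("0.0.0.0/0",        "10.10.0.1", "eth0", "10.10.0.5"),   # default route via eth0
]


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match, as the OS does for a locally originated connection."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, iface, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface, src)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return {"prefix": str(best[0]), "nexthop": best[1], "iface": best[2], "src": best[3]}


def select_source_ip(dst, routes=ROUTES):
    """Source IP the manager will present to a gateway at dst."""
    return lookup_route(dst, routes)["src"]


def management_sources(gateway_ips, routes=ROUTES):
    """All source IPs the manager uses across the given gateways."""
    return {select_source_ip(gw, routes) for gw in gateway_ips}


def rule_covers(rule_sources, gateway_ips, routes=ROUTES):
    """Compare an explicit rule's source set against the IPs the manager actually uses.

    Returns (covered, missing). This matters when the rule source is a host
    object with a single address rather than the management server object itself.
    """
    needed = management_sources(gateway_ips, routes)
    missing = needed - set(rule_sources)
    return (not missing, missing)


if __name__ == "__main__":
    gws = ["10.20.0.40", "192.168.100.7", "172.16.1.1"]
    for gw in gws:
        print(gw, "->", lookup_route(gw))
    print(rule_covers(["10.10.0.5"], gws))
```

Run on a real host you would replace `ROUTES` with the output of `ip route get <gateway-ip>`, which reports the same `src` decision directly; the point of the model is to make visible that a manager with two interfaces presents two different source IPs, so a rule whose source is a single host address will miss the second one.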

Re: Firewall management

Please note that if the interface is NOT up your license might not work. (It is accepted, it's just no good to you 😉)

Not sure if R80 is still this strict, but I have seen that fail a lot of times when people use a dummy interface during migration because they didn't move the IP address of the license before they started the migration.

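The reply above points out that the licensed IP must not only be configured but sit on an interface that is actually up. As an added example (not code from the thread or from Check Point), the script below parses constructed `ip -o -4 addr show` and `ip -o link show` output from a Linux-based host and reports whether a given licensed IP is present and whether its interface carries the UP flag. The addresses and interface names are hypothetical; on a real system you would feed it the live command output.

```python
import re

# Constructed sample of `ip -o -4 addr show` output (hypothetical addresses, not real device output).
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.10.0.5/24 brd 10.10.0.255 scope global eth0
3: eth1    inet 10.20.0.5/24 brd 10.20.0.255 scope global eth1
"""

# Constructed sample of `ip -o link show` output; eth1 is administratively down.
SAMPLE_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN
"""

# "N: iface    inet A.B.C.D/len ..." -> (iface, address)
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+(?:\.\d+){3})/", re.M)
# "N: iface: <FLAG,FLAG,...> ..." -> (iface, flags)
LINK_RE = re.compile(r"^\d+:\s+([^:\s]+):\s+<([^>]*)>", re.M)


def parse_addrs(text):
    """Map each IPv4 address to the interface that carries it."""
    return {ip: iface for iface, ip in ADDR_RE.findall(text)}


def parse_link_up(text):
    """Map each interface to True if its UP flag is set (administratively up)."""
    return {iface: "UP" in flags.split(",") for iface, flags in LINK_RE.findall(text)}


def check_license_ip(license_ip, addr_text=SAMPLE_ADDR, link_text=SAMPLE_LINK):
    """Return (status, iface): 'ok', 'interface_down' or 'ip_missing'."""
    addrs = parse_addrs(addr_text)
    up = parse_link_up(link_text)
    iface = addrs.get(license_ip)
    if iface is None:
        return ("ip_missing", None)
    if not up.get(iface, False):
        return ("interface_down", iface)
    return ("ok", iface)


if __name__ == "__main__":
    for ip in ("10.10.0.5", "10.20.0.5", "10.30.0.5"):
        print(ip, check_license_ip(ip))
```

Running this before a migration cutover catches both failure modes described in the thread: the licensed address was never moved to the new box (`ip_missing`), or it was parked on a placeholder interface that is not up (`interface_down`).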

Re: Firewall management

I was wondering if configuring the licensed IP on the loopback interface would be good practice. But I guess that the firewall manager interfaces are not redundant most of the time and they just need to be up, so not a big deal.


Re: Firewall management

Thank you very much Dameon.

There is only one question that I'd like to dig into a bit more. So the routing table will define the source IP address; however, what about the rules? I saw in the firewall logs that the rule defined for management traffic was hit not only by the IP address defined in the firewall manager object but also by the second IP configured on the second interface.

So it seems that there is some sort of logic that would allow any interface IP configured on the firewall manager. Is that correct?


Re: Firewall management

Yes, that's correct.
