Stateful Firewall
Good day all;
I have a question. I have an internal server that is initiating an HTTPS connection to AWS via the internet; the connection fails, and when I check, it is being dropped by the cleanup rule. I thought that since this is a stateful firewall and the connection is initiated internally, I wouldn't need to apply a policy to allow this connection. What am I doing wrong?
Thank you in advance!!!
Warren
Accepted Solutions
Looks like you don't have a firewall rule for this traffic.
Should be something like:
src: internal IP
dst: AWS
port: 443
allow
You don't have to make a rule for src: AWS, dst: internal IP. That is the stateful part.
If you like this post please give a thumbs up(kudo)! 🙂
There needs to be a rule allowing the initiator of the connection, then the reply traffic will be statefully matched.
Do you have rules allowing the internal zone or subnets outbound?
As Chris said, you need a rule to allow the initial connection, not the other way around, as it is stateful.
Best,
Andy
Thanks guys, yeah, I don't have a rule in place yet. I got caught up because I tried to ping 8.8.8.8 and when it didn't work I started focusing on that. I thought all outbound connectivity was allowed by default, but thank you for your help; I will put in a rule for AWS.
Thank you guys!!!
Warren
As long as it's fixed, mate, now you know for next time 🙂
Best,
Andy
Yes, that is true, thank you again for your help!!
Thank you, sir!!
Warren
No worries. Put it this way... regardless of what firewall you use, Cisco, SonicWall, CP, FGT, PAN... makes no difference, you just need to know that when you place a rule for an OUTBOUND connection to the Internet, there's no need for a return rule; it's stateful at that point, unless obviously you need to allow someone to access your host on the LAN from the Internet, in which case you need to do NAT, port forwarding, what have you... you get the idea 🙂
Best,
Andy
If this HTTPS traffic is subject to NAT, make sure you are using the "original" pre-NAT IP addresses for matching in your Access Control policy. It won't match properly against the post-NAT addresses and will fall to the cleanup rule.
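A small model of the behaviour the replies describe, as an added example (not Check Point code or configuration): the rulebase is consulted only for a connection's first packet, on the original pre-NAT addresses, and reply packets are accepted from the connection table without a return rule. The server, AWS and hide-NAT addresses are constructed placeholders.

```python
from ipaddress import ip_address, ip_network
# Constructed sample values (not from the thread): an internal server, a
# TEST-NET-3 address standing in for AWS, and the gateway's hide-NAT address.
INTERNAL_SERVER = "10.1.1.25"
AWS_ENDPOINT = "203.0.113.10"
HIDE_NAT_ADDRESS = "198.51.100.1"

class StatefulFirewall:
    """Rulebase is consulted only for a connection's first packet, on the
    original (pre-NAT) addresses; later packets in either direction are
    matched in the connection table; everything else hits the cleanup drop."""
    def __init__(self, rules):
        self.rules = rules  # list of (src_net, dst_net, dport, action)
        self.conns = set()  # accepted connections as (src, sport, dst, dport)

    def _rule_lookup(self, src, dst, dport):
        for src_net, dst_net, port, action in self.rules:
            if (ip_address(src) in ip_network(src_net)
                    and ip_address(dst) in ip_network(dst_net) and port == dport):
                return action
        return "drop (cleanup rule)"

    def packet(self, src, sport, dst, dport, syn=False):
        if (src, sport, dst, dport) in self.conns:
            return "accept (existing connection)"
        if (dst, dport, src, sport) in self.conns:
            return "accept (reply to existing connection)"
        if not syn:
            return "drop (no matching connection)"
        action = self._rule_lookup(src, dst, dport)
        if action == "accept":
            self.conns.add((src, sport, dst, dport))
        return action

def outbound_https_without_rule():
    return StatefulFirewall([]).packet(INTERNAL_SERVER, 51000, AWS_ENDPOINT, 443, syn=True)

def outbound_https_with_rule():
    fw = StatefulFirewall([(INTERNAL_SERVER + "/32", AWS_ENDPOINT + "/32", 443, "accept")])
    first = fw.packet(INTERNAL_SERVER, 51000, AWS_ENDPOINT, 443, syn=True)
    reply = fw.packet(AWS_ENDPOINT, 443, INTERNAL_SERVER, 51000)  # no return rule needed
    unsolicited = fw.packet(AWS_ENDPOINT, 443, INTERNAL_SERVER, 52000, syn=True)
    return first, reply, unsolicited

def rule_written_with_post_nat_address():
    # The mistake from the last post: the rule names the hide-NAT address, so the
    # server's pre-NAT packet never matches it and falls to the cleanup rule.
    fw = StatefulFirewall([(HIDE_NAT_ADDRESS + "/32", AWS_ENDPOINT + "/32", 443, "accept")])
    return fw.packet(INTERNAL_SERVER, 51000, AWS_ENDPOINT, 443, syn=True)
```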