Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
gurowar
Contributor
Jump to solution

Statefull Firewall

Good day all;

I have a question I have an internal server that is initiating a HTTPS connection to AWS via the internet, the connection fails and when I check it is being dropped by the clean up rule.  I thought that since this is a statefull firewall and the connection is initialed internally I wouldn't need to apply a policy to allow this connection.  What am I doing wrong?

 

Thank you in advance!!!

Warren

1 Solution

Accepted Solutions
Lesley
Leader Leader
Leader

Looks like you don't have a firewall rule for this traffic.

Should be something like:

src: internal IP

dst: aws

port:443

allow

You don't have to make a rule for src;AWS, dst: internal IP. That is the statefull part

-------
If you like this post please give a thumbs up(kudo)! 🙂

View solution in original post

8 Replies
Chris_Atkinson
Employee Employee
Employee

There needs to be a rule allowing the initiator of the connection, then the reply traffic will be statefully matched.

Do you have rules allowing the internal zone or subnets outbound?

CCSM R77/R80/ELITE
the_rock
Legend
Legend

As Chris said, you need a rule to allow initial connection, not the other way around, as it would be stateful.

Best,

Andy

Lesley
Leader Leader
Leader

Looks like you don't have a firewall rule for this traffic.

Should be something like:

src: internal IP

dst: aws

port:443

allow

You don't have to make a rule for src;AWS, dst: internal IP. That is the statefull part

-------
If you like this post please give a thumbs up(kudo)! 🙂
gurowar
Contributor

Thanks guys yeah I don't have a rule in place yet, I got caught up because I tried to ping 8.8.8.8 and when it didn't work I started focusing on that.  I thought all outbound connectivity was allowed by default but thank you for your help I will put in a rule for aws.

Thank you guys!!!

 

Warren

the_rock
Legend
Legend

As long as its fixed mate, now you know for next time 🙂

Best,

Andy

gurowar
Contributor

Yes that is true, thank you again for your help!!

Thank you, sir!!

Warren

the_rock
Legend
Legend

No worries. Put it this way...regardless of what fw you use, Cisco, Sonicwall, CP, FGT, PAN...makes no difference, you just need to know that when you place a rule for OUTBOUND connection to the Internet, no need for return rule, its stateful at that point, unless obviously you need to allow someone to access your host on the LAN from the Internet, you need to do NAT, port forwarding, what have you...you get the idea 🙂

Best,

Andy

Timothy_Hall
Legend Legend
Legend

If this HTTPS traffic is subject to NAT, make sure you are using the "original" pre-NAT IP addresses for matching in your Access Control policy.  It won't match properly against the post-NAT addresses and will fall to the cleanup rule.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events