I found that after establishing SIC, we still have a problem for normal management operations (CPD, FW1_log, ICA_services). When using the firewall gateway object in the rule base, it does not match. The gateway is a DAIP gateway, has Dynamic IP set. I have to manually insert a rule on the central firewall to allow the management traffic from the DSL router's public IP. The central firewall protects the SmartCenter server, which is exposed by Automatic NAT.

I also found that this worked in R77.30, but does not work anymore in R80.20.

What are other people's experiences?

It might be worth a TAC case to investigate this.

How To Open a Case with TAC and/or Account Services‌

I already have, but no results so far 😞

Send me the TAC SR in a private message.

Result is that it DOES work in R80.20 🙂 We had a misunderstanding, beause we saw hits in a manual firewall rule.

Obviously there is a mechanism of the gateway telling about its public IP to the SmartCenter server. It may be that some packets gets lost before this information is passed to the SmartCenter server.

I don't know which TCP/UDP port is used for passing this information of public IP address. Does anybody know in which protocol this is embedded?

In sk110216: Security Management Portal (SMP) active ports, we find:

Incoming Ports (from Gateway to the SMP)

Outgoing Ports (from the SMP to the Gateway)

I wanted to share my experience with SG3100 gateways in DAIP mode with 80.10.

In previous version 77.20 with 1100 edge gateways, we never had a problem with DAIP mode, but since we migrated to 80.10 and replace the 1100 with 3100, we really had hard times to make it work.

I spent hours on the phone with TAC, and we finally found a recipe.

The trick is to create a address range object to represent the private ip of the gateway WAN interface, witch in contrary of the public IP held by the ISP router witch may change, can be statically configured (or statically assigned by the ISP router DHCP). I will call this objet DAIP_GW_WAN_Private.

This object must be allowed in a policy rule to reach the management server(on its private and NATted public IP) on the ports FW1_ica_services, FW1_ica_pull and CPD.

Management server (on its private and NATted public IP) must be allowed in a policy rule to reach DAIP_GW_WAN_Private on port CPD_amon

For a meshed community, DAIP_GW_WAN_Private must be allowed in a policy rule to reach other gateways on port IKE and IKE_NAT_TRAVERSAL.

 DAIP_GW_WAN_Private must be allowed in a policy rule to talk with  VPN community central Gateway on port IKE and IKE_NAT_TRAVERSAL in both ways

In our meshed community, we didn't configured permanent tunels, because the tunnel-test packet doen't get trough, and thus we lost the smartview monitor information about tunnels.

Hope this will help.

Hello Hemh.

I am currently having a similar situation, the DAIP Gateway is a 1450 running embedded Gaia R77.20, Management R80.30 behind R80.10 Gateway Cluster.

Could you maybe tell me why an address range object is needed to represent the private IP of the gateway and not e.g. a dummy host object? Furthermore, this setup does not seem to work for my environment.

I created an address range object for 192.168.1.4 (DAIP_GW_WAN_Private address) and created the rules you described.

The packet is dropped:

;[cpu_1];[fw4_2];fw_log_drop_ex: Packet proto=6 <DYNAMIC_ROUTER_IP>:58672 -> <MANAGEMENT_IP>:18191 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "External to Internal" rule <RULENUMBER>;

Best Regards,

Lars