IA Rule not matching with PDP & PEP on Maestro

CP-NDA

Hi,

We migrated a traditional cluster to a Maestro infra last weekend. R81.10 T81.

Everything worked as expected, but after a while some IA rules stopped matching on one of the members. Identity is acquired via Identity Agent. Users connect to the PDP, which is the Security Group running in Maestro.

In the logs the same traffic is accepted on Member 1_2 but dropped on Member 1_1.

"pdp monitor ip x.x.x.x" returns the correct Roles on both members, but the rule is not matched. If we change the source to an IP, everything is OK.

I know that Security Groups are not the best way to do PDP, but in this situation we don't have another GW to play that role. Also, it's never mentioned that it's not supported (only not recommended in the Maestro limitations SK).

Do you have any idea what could be the cause? Any similar problem on your side?

TAC is already involved but has not provided relevant info right now.

Thank you

Accepted Solutions
CP-NDA

8 Replies

Timothy_Hall

I believe the need for a separate gateway to perform IA functions for a Maestro Security Group is a consequence of the Single Management Object (SMO) approach to management, and I don't see how you will be able to work around that. I also assume you are familiar with sk175587: Identity Based Access Control and Threat Prevention - Design Guidelines - Quantum Maestro.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
CP-NDA

Hi,

Thank you for the reply.

Yes, we are familiar with this SK.

Unfortunately we don't have the option to do PDP outside the SG... If it's a clear limitation, I'm wondering why it's not clearly mentioned that we should not implement this. Also, this should be reported in the Maestro limitations SK, don't you think?

Thank you
CP-NDA

Timothy_Hall

Right, keeping the distribution algorithm from messing with the IA traffic and ensuring symmetry by always sending it to the SMO makes sense.

CP-NDA

Seems to be a good idea, but I don't know if traffic for IA is considered a local connection.

You can configure the Security Group to forward specific inbound connections to the SMO Security Group Member.

Important:

  • This command supports only IPv4 connections.
  • This command does not support local connections.
  • In VSX mode, you must run this command in the context of the applicable Virtual System.
  • This command supports a maximum of 15 exceptions (in VSX mode, this limit is global for all Virtual Systems).
  • These exceptions are saved in the $FWDIR/tmp/tmp_exception_entries.txt file (IPv4 addresses are converted to a special format).

Gojira

Just out of curiosity, could you elaborate on what seems to be the issue here? For my understanding.

If you do "pep show user all", do you see the relevant user on both modules?

Is it not marked as a service account by any chance?

CP-NDA

Gojira

Very interesting. And a well written SK.

Thanks