Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Wolfgang
Authority
Authority
Jump to solution

Question about distribution mode settings

Hello CheckMates,

we had some trouble with a Maestro environment.

1. Connectivity to the GAiA portal of a security group. Access from outside of the management network only possible with "set distribution L4-mode disabled" following Gaia Portal does not load for Scalable Platform Servers without VSX .
But with these setting all monitoring connections (cpd_amon tcp/18192) to remote gateways are broken.

2. We could replicate the issue Maestro R81 has issues in Active/Active mode with Identity Awareness  Identity Awareness working only with setting the distribution mode to network for the relevant interface. Additional we got a recommendation using Identity Awareness on Maestro only with an external Identity provider (another gateway and using identity sharing). But these are extra costs for another gateway .

Looks like the services provided by the security group itself (GAiA-portal, usercheck, pdp etc.) depends on the distribution mode settings. Some are contrary to the NAT and the Correction Layer on a VSX Gateway settings.

Can someone explain or maybe there are more detailed recommendations for the different use cases?

0 Kudos
1 Solution

Accepted Solutions
Danny
Champion Champion
Champion

Official recommendation for Identity Awareness with Maestro is to use a separate PDP gateway.

See: sk175587 - Identity Based Access Control and Threat Prevention - Design Guidelines - Quantum Maestro
Additional read: PDP Broker - Getting Started

Yes, this requires additional licenses, but it's worth it.

However, to stick Identity Awareness to the SMO in order to avoid distribution mode adjustments, just follow the admin guide and create an exception.

Example: asg_excp_conf set 9 0 0 GWIP-YOUR-IA-USERS-ARE-CONNECTING-TO 443

Verify your exception via: asg_excp_conf get or g_all cphaprob excp_entry get

View solution in original post

9 Replies
Danny
Champion Champion
Champion

Official recommendation for Identity Awareness with Maestro is to use a separate PDP gateway.

See: sk175587 - Identity Based Access Control and Threat Prevention - Design Guidelines - Quantum Maestro
Additional read: PDP Broker - Getting Started

Yes, this requires additional licenses, but it's worth it.

However, to stick Identity Awareness to the SMO in order to avoid distribution mode adjustments, just follow the admin guide and create an exception.

Example: asg_excp_conf set 9 0 0 GWIP-YOUR-IA-USERS-ARE-CONNECTING-TO 443

Verify your exception via: asg_excp_conf get or g_all cphaprob excp_entry get

Wolfgang
Authority
Authority

Thanks @Danny for your recommendations.

"Official recommendation for Identity Awareness with Maestro is to use a separate PDP gateway." it's worth.

I thought it's only related to VSX on Maestro, but my mistake. Does setting these exception fully resolve your mentioned IA problem?

0 Kudos
Danny
Champion Champion
Champion

In my case (MHOs R81.10, SG R81 JHF44, Distribution Mode: Policy / Auto-Topology (Default)asg_excp_conf solved the IA issue. Depending on your version, hotfix level and distribution mode the exclusion should be of help for you, too. Using IA on Maestro also requires to have a properly ordered fwkern.conf and you need to pay attention on sk170516.

0 Kudos
Wolfgang
Authority
Authority

Thanks again @Danny . The problem with amon could be solved via the same way. Exceptions for the management connections to the remote gateways. We set only one exception with NAT-IP of the management and the external IP of one remote gateway. After setting these alle remote gateways are now available without problems. Maybee this has something todo with the NAT of the management-server but this will be something to debug after the holidays.

0 Kudos
Timothy_Hall
Legend Legend
Legend

Just ran across a new SK article that mentions the asg_excp_conf workaround: sk180561: Identity Agents and Maestro or SP chassis

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Mr_Wolf
Employee
Employee

Hi Wolfgang.

1. L4-mode should be disabled unless really needed, for example, if you have little amount of sources/destinations, but large amount of source ports (http/https connections and similar). Disabling L4-mode doesn't break AMON, if it does, you need to check it with TAC.

2. It is highly likely that you are facing MBS-11293. Please install JHF44 and read Identity Based Access Control and Threat Prevention - Design Guidelines - Quantum Maestro.

Anatoly
Employee
Employee

Dear Wolfgang,

GAIA portal and other web services are definitely depend on l4 distribution when  you are trying to access via uplink (not management) interfaces. That is because it pass via distribution. However, management interfaces are excluded from distribution mechanism and always threated by SMO (first SGM in security group).

HTTPs services are based on different ports, that is why same session is distributed across multiple SGMs, which cause such kind of issues.

Conclusion - always disable L4 distribution when using Web services that Security Group provide via uplink interfaces

 

Thanks

0 Kudos
(1)
CheckPoint_IT
Explorer

So, if I want to access SMO GaiaPortal from the uplink port, I should add an exception rule or disable l4 distribution? 

0 Kudos
Wolfgang
Authority
Authority

Yes, you have to define an exception.

And additional it's better and recommended to disable L4 distribution, except you have a specific use case for this feature. There are a lot of problems known using L4 distribution.

0 Kudos
(1)