Hello CheckMates,
We had some trouble with a Maestro environment.
1. Connectivity to the GAiA portal of a security group. Access from outside of the management network is only possible with "set distribution L4-mode disabled", following Gaia Portal does not load for Scalable Platform Servers without VSX.
But with this setting all monitoring connections (cpd_amon tcp/18192) to remote gateways are broken.
2. We could replicate the issue Maestro R81 has issues in Active/Active mode with Identity Awareness. Identity Awareness is working only with the distribution mode set to network for the relevant interface. Additionally, we got a recommendation to use Identity Awareness on Maestro only with an external Identity provider (another gateway and using identity sharing). But these are extra costs for another gateway.
It looks like the services provided by the security group itself (GAiA portal, UserCheck, PDP etc.) depend on the distribution mode settings. Some are contrary to the NAT and the Correction Layer on a VSX Gateway settings.
Can someone explain or maybe there are more detailed recommendations for the different use cases?
Official recommendation for Identity Awareness with Maestro is to use a separate PDP gateway.
See: sk175587 - Identity Based Access Control and Threat Prevention - Design Guidelines - Quantum Maestro
Additional read: PDP Broker - Getting Started
Yes, this requires additional licenses, but it's worth it.
However, to stick Identity Awareness to the SMO in order to avoid distribution mode adjustments, just follow the admin guide and create an exception.
Example: asg_excp_conf set 9 0 0 GWIP-YOUR-IA-USERS-ARE-CONNECTING-TO 443
Verify your exception via: asg_excp_conf get
or g_all cphaprob excp_entry get
Thanks @Danny for your recommendations.
"Official recommendation for Identity Awareness with Maestro is to use a separate PDP gateway." It's worth it.
I thought it was only related to VSX on Maestro, but my mistake. Does setting this exception fully resolve your mentioned IA problem?
In my case (MHOs R81.10, SG R81 JHF44, Distribution Mode: Policy / Auto-Topology (Default)) asg_excp_conf solved the IA issue. Depending on your version, hotfix level and distribution mode the exclusion should be of help for you, too. Using IA on Maestro also requires having a properly ordered fwkern.conf, and you need to pay attention to sk170516.
Thanks again @Danny. The problem with AMON could be solved the same way: exceptions for the management connections to the remote gateways. We set only one exception with the NAT IP of the management and the external IP of one remote gateway. After setting this, all remote gateways are now available without problems. Maybe this has something to do with the NAT of the management server, but this will be something to debug after the holidays.
Hi Wolfgang.
1. L4-mode should be disabled unless really needed, for example, if you have a small number of sources/destinations but a large number of source ports (HTTP/HTTPS connections and similar). Disabling L4-mode doesn't break AMON; if it does, you need to check it with TAC.
2. It is highly likely that you are facing MBS-11293. Please install JHF44 and read Identity Based Access Control and Threat Prevention - Design Guidelines - Quantum Maestro.
Dear Wolfgang,
GAIA portal and other web services definitely depend on L4 distribution when you are trying to access them via uplink (not management) interfaces. That is because the traffic passes through distribution. However, management interfaces are excluded from the distribution mechanism and are always treated by the SMO (first SGM in the security group).
HTTPS services are based on different ports, which is why the same session is distributed across multiple SGMs, causing such issues.
Conclusion: always disable L4 distribution when using web services that the Security Group provides via uplink interfaces.
Thanks
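To illustrate the point made above (one client's HTTPS session lands on several SGMs once source ports become part of the distribution key) together with the SMO exception from Danny's answer, here is an added toy model in Python. It is not Check Point code: the hash function, the addresses and the exception lookup are constructed stand-ins and do not reproduce Maestro's real distribution algorithm or the asg_excp_conf field semantics.

```python
import hashlib
from collections import defaultdict

# Constructed sample addresses (documentation ranges), not taken from the thread.
CLIENT = "203.0.113.10"   # an admin workstation reaching the Gaia portal via an uplink
PORTAL = "192.0.2.1"      # the Security Group's own portal / Identity Awareness address
SGM_COUNT = 4
SMO = 0                   # per the thread, the first SGM in the group acts as SMO

def bucket(*fields):
    """Toy stable hash to an SGM index. Illustration only, not Check Point's
    actual distribution function."""
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % SGM_COUNT

def l4_mode(src, dst, sport, dport):
    """L4 distribution: the source port is part of the key, so every new
    TCP connection from one client can land on a different SGM."""
    return bucket(src, dst, sport, dport)

def network_mode(src, dst, sport, dport):
    """Network (L3) distribution: only the IP pair matters, so all
    connections of one client/server pair stay on one SGM."""
    return bucket(src, dst)

def distribute(mode, flows, exceptions=()):
    """Map flows (src, dst, sport, dport) to {sgm_index: [source ports]}.
    A flow whose (dst, dport) is listed in `exceptions` is pinned to the SMO,
    modelling in spirit what the asg_excp_conf exception in the thread does."""
    members = defaultdict(list)
    for src, dst, sport, dport in flows:
        target = SMO if (dst, dport) in exceptions else mode(src, dst, sport, dport)
        members[target].append(sport)
    return dict(members)

# One browser session to the portal: 32 HTTPS connections from ephemeral source ports.
FLOWS = [(CLIENT, PORTAL, sport, 443) for sport in range(49152, 49152 + 32)]

def sgms_hit(mode, exceptions=()):
    """Number of distinct SGMs that end up handling some part of the session."""
    return len(distribute(mode, FLOWS, exceptions))

if __name__ == "__main__":
    print("L4 mode, no exception:  ", sgms_hit(l4_mode))
    print("Network mode:           ", sgms_hit(network_mode))
    print("L4 mode + SMO exception:", sgms_hit(l4_mode, {(PORTAL, 443)}))
```

The model shows why the portal, UserCheck and PDP services break under L4-mode and why pinning the service address to the SMO restores a single-member session.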