Remote Gateway Blocking Management with Stealth Rule
Hi All,
Hope it is ok to ask this here.
I just took the CCSA class and am working through some labs. I ran into a scenario I don't totally understand.
I have an admin workstation with SmartConsole and an SMS in the primary site. I use this to manage a gateway cluster in the same site and also a gateway at a remote site.
The SMS is configured for static NAT. The option "Apply for Security Gateway control connections" is also selected in the object's NAT properties.
So, SIC is all good and I can push policy successfully to both the local cluster and the remote gateway. However, if I select the actions menu on the remote gateway object and I try to open a shell, the remote gateway's stealth rule drops the connection.
I understand that all the rules that allow the SMS to communicate with the remote gateway, push policy, etc. are implied rules. But I do have an explicit management rule installed on the remote gateway that is: source SMS, destination remote-gateway, services SSH/SSHv2 and HTTPS, action allow.
But the log entry shows the traffic was denied by the remote gateway (stealth rule). The source is the static NAT IP address of the SMS. So, why would the rule I have not allow that traffic? Since the allow rule has the SMS object set as the source, shouldn't the remote gateway know what the static NATted IP address of the SMS is, and allow the traffic?
Thanks!
(Editing the message to include screenshots)
Please add a screen shot of the log entry showing the dropped connection.
Notice the Source IP difference in the two logs, which I suspect is the issue here.
You need to use that NAT source IP in an explicit rule.
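To make the mismatch concrete, here is a small first-match rulebase simulation. It is an added example written for this thread, not Check Point code, and the addresses are constructed lab values (real SMS IP, SMS static NAT IP, remote gateway IP) rather than anything from the posts. The point it shows: the SMS object in the rule resolves to the SMS's real IP, while the SSH session reaching the remote gateway carries the NATted address, so the explicit rule is skipped and the stealth rule drops it; adding a host object for the NAT IP to the rule's source column is what makes it match.

```python
"""Toy first-match rulebase evaluator (added example, not Check Point code).

All addresses below are constructed for the lab scenario in the thread.
"""
from dataclasses import dataclass

ANY = "Any"

# Constructed lab addresses (assumptions, not taken from the posts)
SMS_REAL_IP = "10.1.1.10"       # SMS object as it appears in the rulebase
SMS_NAT_IP = "203.0.113.10"     # static NAT address the remote gateway sees
REMOTE_GW_IP = "198.51.100.1"


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset
    destinations: frozenset
    services: frozenset
    action: str  # "accept" or "drop"

    def matches(self, src, dst, svc):
        return (
            (ANY in self.sources or src in self.sources)
            and (ANY in self.destinations or dst in self.destinations)
            and (ANY in self.services or svc in self.services)
        )


def first_match(rulebase, src, dst, svc):
    """Return (rule name, action) of the first rule that matches, top down."""
    for rule in rulebase:
        if rule.matches(src, dst, svc):
            return rule.name, rule.action
    return "implicit-drop", "drop"


def lab_rulebase(sms_sources):
    """Management rule above the stealth rule, then cleanup.
    Only the management rule's source column varies between the two cases."""
    return [
        Rule("Mgmt access", frozenset(sms_sources), frozenset({REMOTE_GW_IP}),
             frozenset({"ssh", "https"}), "accept"),
        Rule("Stealth", frozenset({ANY}), frozenset({REMOTE_GW_IP}),
             frozenset({ANY}), "drop"),
        Rule("Cleanup", frozenset({ANY}), frozenset({ANY}),
             frozenset({ANY}), "drop"),
    ]


def original_rulebase():
    # Source column holds the SMS object, i.e. its real IP only
    return lab_rulebase({SMS_REAL_IP})


def fixed_rulebase():
    # Extra host object carrying the SMS's static NAT IP, as the reply suggests
    return lab_rulebase({SMS_REAL_IP, SMS_NAT_IP})


def shell_from_smartconsole(rulebase):
    """The SSH session as it arrives at the remote gateway: the source is the
    SMS's NATted address, which is what the drop log showed."""
    return first_match(rulebase, SMS_NAT_IP, REMOTE_GW_IP, "ssh")


if __name__ == "__main__":
    print("original:", shell_from_smartconsole(original_rulebase()))
    print("fixed:   ", shell_from_smartconsole(fixed_rulebase()))
```

When reading a drop log, compare the logged source address with the addresses the rule's source objects actually resolve to; a translated address that is not represented by any object in that column will never hit the rule, regardless of which object originated the traffic.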
Hi,
Yes - I added a host object with the sNAT IP address of the SMS, and created a rule on the remote gateway to allow access. This worked fine; I was just a little confused, as the lab instructions had me create the original rule that I show in the screenshot. That led me to believe that the remote gateway would infer the sNAT IP address of the SMS and allow the traffic. I now see this is not the case.
Maybe the lab had me create the rule for some other reason or exercise that I have not realized yet...
Thanks,