David_Levine
Contributor

Remote Gateway Blocking Management with Stealth Rule

Hi All,

Hope it is OK to ask this here.

I just took the CCSA class and am working through some labs. I ran into a scenario I don't totally understand.

I have an admin workstation with SmartConsole and an SMS in the primary site. I use this to manage a gateway cluster in the same site and also a gateway at a remote site.

The SMS is configured for static NAT. The option for "Apply for Security Gateway control connections" is also selected on the objects NAT properties.

So, SIC is all good and I can push policy successfully to both the local cluster and the remote gateway. However, if I select the actions menu on the remote gateway object and I try to open a shell, the remote gateway's stealth rule drops the connection.

I understand that all the rules that allow the SMS to communicate with the remote gateway, push policy, etc. are implied rules. But I do have an explicit management rule installed on the remote gateway that is 'source SMS, destination remote-gateway, SSH/SSHv2 and HTTPS, allow'.

But the log entry shows the traffic was denied by the remote gateway (stealth rule). The source is the static NAT IP address of the SMS. So, why would the rule I have not allow that traffic? Since the allow rule has the SMS object set as the source, shouldn't the remote gateway know what the static NATted IP address of the SMS is, and allow the traffic?

Thanks!

(Editing the message to include screenshots)

[Screenshots: remote gw allow rule; sms nat property; SSH outbound allow from local GW; SSH inbound drop from remote GW]

3 Replies
Danny
Champion

Please add a screen shot of the log entry showing the dropped connection.

PhoneBoy
Admin

Notice the Source IP difference in the two logs...which I suspect is the issue here.
You need to use that NAT Source IP as an explicit rule. 

David_Levine
Contributor

Hi,
Yes - I added a host object with the sNAT IP address of the SMS, and created a rule on the remote gateway to allow access. This worked fine; I was just a little confused, as the lab instructions had me create the original rule that I show in the screenshot... That led me to believe that the remote gateway would infer the sNAT IP address of the SMS and allow the traffic. I now see this is not the case.

Maybe the lab had me create the rule for some other reason or exercise that I have not realized yet...

Thanks, 
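The behaviour discussed in this thread, as an added illustration that is not part of any post above and not Check Point code: a minimal first-match rulebase evaluator. The remote gateway only ever sees the SMS's static-NAT address as the packet source, so a rule whose source column holds the SMS object (its real, pre-NAT address) never matches, and the stealth rule drops the connection. Adding a host object for the NAT address to the source column makes the rule match. All object names and IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ANY = "Any"  # stands in for the "Any" column value


@dataclass(frozen=True)
class Host:
    """A host object: a name and a single IPv4 address."""
    name: str
    ip: str

    def matches(self, addr: str) -> bool:
        return ip_address(addr) == ip_address(self.ip)


@dataclass(frozen=True)
class Rule:
    name: str
    sources: object       # ANY or a tuple of Host objects
    destinations: object  # ANY or a tuple of Host objects
    services: object      # ANY or a tuple of service names
    action: str           # "accept" or "drop"


def address_matches(column, addr: str) -> bool:
    return column == ANY or any(obj.matches(addr) for obj in column)


def service_matches(column, service: str) -> bool:
    return column == ANY or service in column


def evaluate(rulebase, src: str, dst: str, service: str):
    """First-match evaluation: return (action, rule name) of the first hit."""
    for rule in rulebase:
        if (address_matches(rule.sources, src)
                and address_matches(rule.destinations, dst)
                and service_matches(rule.services, service)):
            return rule.action, rule.name
    return "drop", "implicit-cleanup"


# Constructed objects (hypothetical addresses, not from the thread).
SMS = Host("SMS", "10.1.1.10")                    # real address of the SMS
SMS_NAT = Host("SMS_static_NAT", "203.0.113.10")  # SMS as seen after static NAT
REMOTE_GW = Host("remote-gw", "198.51.100.1")


def lab_rulebase():
    """The rulebase from the lab: management rule with the SMS object as source."""
    return [
        Rule("Management access", (SMS,), (REMOTE_GW,), ("ssh", "https"), "accept"),
        Rule("Stealth", ANY, (REMOTE_GW,), ANY, "drop"),
        Rule("Cleanup", ANY, ANY, ANY, "drop"),
    ]


def fixed_rulebase():
    """Same rulebase with a host object for the NAT address added as a source."""
    return [
        Rule("Management access", (SMS, SMS_NAT), (REMOTE_GW,), ("ssh", "https"), "accept"),
        Rule("Stealth", ANY, (REMOTE_GW,), ANY, "drop"),
        Rule("Cleanup", ANY, ANY, ANY, "drop"),
    ]


def lab_result():
    # The remote gateway sees the NATted source, so the management rule misses
    # and the stealth rule is the first match -> ("drop", "Stealth").
    return evaluate(lab_rulebase(), SMS_NAT.ip, REMOTE_GW.ip, "ssh")


def fixed_result():
    # With the NAT host object in the source column the SSH session is allowed
    # -> ("accept", "Management access").
    return evaluate(fixed_rulebase(), SMS_NAT.ip, REMOTE_GW.ip, "ssh")


def pre_nat_result():
    # The lab rule does match the SMS's real address, but the remote gateway
    # never sees that address on the wire -> ("accept", "Management access").
    return evaluate(lab_rulebase(), SMS.ip, REMOTE_GW.ip, "ssh")


if __name__ == "__main__":
    print("lab rulebase, NAT source:  ", lab_result())
    print("fixed rulebase, NAT source:", fixed_result())
    print("lab rulebase, real source: ", pre_nat_result())
```

The third function is the point of the thread: the rule itself is fine for the address it names, but explicit rules are matched against the address the gateway actually receives, and a host object is not automatically expanded to include its NAT address. Checking the source IP in the drop log against the objects in the rule's source column, as PhoneBoy did, is the quickest way to spot this.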
