Hope it is ok to ask this here.
I just took the CCSA class and am working through some labs. I ran into a scenario I don't totally understand.
I have an admin workstation with SmartConsole and an SMS in the primary site. I use this to manage a gateway cluster in the same site and also a gateway at a remote site.
The SMS is configured for static NAT. The option "Apply for Security Gateway control connections" is also selected in the object's NAT properties.
So, SIC is all good and I can push policy successfully to both the local cluster and the remote gateway. However, if I select the actions menu on the remote gateway object and I try to open a shell, the remote gateway's stealth rule drops the connection.
I understand that all the rules that allow the SMS to communicate with the remote gateway, push policy, etc. are implied rules. But I do have an explicit management rule installed on the remote gateway that is "source SMS, destination remote-gateway, SSH/SSHv2 and HTTPS, allow".
But the log entry shows the traffic was denied by the remote gateway (stealth rule). The source is the static NAT IP address of the SMS. So, why would the rule I have not allow that traffic? Since the allow rule has the SMS object set as the source, shouldn't the remote gateway know what the static NATted IP address of the SMS is, and allow the traffic?
(Editing the message to include screenshots)

Screenshots:
- remote gw allow rule
- sms nat property
- SSH outbound allow from local GW
- SSH inbound drop from remote GW
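As an added illustration (not from the post and not Check Point's own matching logic), here is a toy first-match rulebase for the remote gateway. The management rule carries only the address configured on the SMS object, and the same SSH connection is evaluated once with that address and once with the static NAT address the log shows as the source. All addresses are constructed, and the model assumes explicit rules are matched on literal configured addresses.

```python
from ipaddress import ip_address

# Constructed sample addresses (hypothetical; none are from the original post).
SMS_REAL = ip_address("10.1.1.10")      # address configured on the SMS object
SMS_NAT = ip_address("203.0.113.10")    # static NAT address of the SMS
REMOTE_GW = ip_address("198.51.100.1")  # remote gateway's external address

ANY = "any"

# Rule = (name, sources, destinations, services, action); evaluated top-down,
# first match wins, mirroring the order described in the post.
EXPLICIT_RULEBASE = [
    ("management", {SMS_REAL}, {REMOTE_GW}, {"ssh", "https"}, "accept"),
    ("stealth", {ANY}, {REMOTE_GW}, {ANY}, "drop"),
    ("cleanup", {ANY}, {ANY}, {ANY}, "drop"),
]


def _member(value, allowed):
    """A column matches if it is 'any' or contains the packet's value."""
    return ANY in allowed or value in allowed


def first_match(src, dst, service, rulebase=EXPLICIT_RULEBASE):
    """Return (rule name, action) of the first rule matching the packet."""
    for name, sources, dests, services, action in rulebase:
        if _member(src, sources) and _member(dst, dests) and _member(service, services):
            return name, action
    raise LookupError("no rule matched")  # unreachable while a cleanup rule exists


def ssh_verdicts(rulebase=EXPLICIT_RULEBASE):
    """Evaluate SSH to the remote gateway with the object address vs. the logged NAT address."""
    return {
        "source is object address": first_match(SMS_REAL, REMOTE_GW, "ssh", rulebase),
        "source is NAT address": first_match(SMS_NAT, REMOTE_GW, "ssh", rulebase),
    }


def rulebase_with_nat_source():
    """Hypothetical variant: the management rule's source also covers the NAT address."""
    name, sources, dests, services, action = EXPLICIT_RULEBASE[0]
    return [(name, sources | {SMS_NAT}, dests, services, action)] + EXPLICIT_RULEBASE[1:]


if __name__ == "__main__":
    for label, base in (("object address only", EXPLICIT_RULEBASE),
                        ("NAT address included", rulebase_with_nat_source())):
        for case, (rule, action) in ssh_verdicts(base).items():
            print(f"[{label}] {case}: matched '{rule}' -> {action}")
```

The second rulebase is only a model of what changes if the rule's source covers the address actually seen on the wire; it is not a statement of how the product resolves NAT for explicit rules.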