David_C1
Advisor

SMB Access Policy Control and internet access

I'm stuck on why this doesn't work, but basically I'm trying to allow devices connected to the LAN network of my SMB device access to the internet over certain ports.

Background: Locally managed 1430 appliance running R77.20.87

Access Policy (Firewall) is set to strict.

[screenshot: 1430a.jpg]

I've created a manual rule in the policy to allow internet access (top rule under Outgoing access to the Internet):

[screenshot: 1430b.jpg]

The service group "CFU_Internet" contains http, https, and ICMP. 

What I'm seeing is traffic from the LAN network (172.x.x.x) to the internet is getting dropped on the last rule in the policy (rule 5 under Incoming, Internal, and VPN traffic):

[screenshot: 2023-05-04_13-55-421430c.jpg]

What am I missing? Why isn't this traffic allowed by the first manual rule I created?

Dave

5 Replies
Chris_Atkinson
Employee

Is your internet connection connected to a "WAN" port and what build of R77.20.87 firmware is used?

CCSM R77/R80/ELITE
the_rock
Legend

Does 1st rule even have any hits? I noticed in the dropped log, shows inzone Internal and outzone as DMZ.

G_W_Albrecht
Legend

Using "Strict" is not really recommended out of my experience - I would suggest "Standard" with TP is secure enough 😉 You have to allow every detail in many separate rules in strict mode, and that needs much knowledge...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
David_C1
Advisor

Inspiration struck in the middle of the night. The reason this is not working is that I do not have an internet connection defined/configured. Traffic from the LAN networks bound for the internet goes out the DMZ interface which is connected to an MPLS network, which eventually comes back to our datacenter and out our internet egress point there. I had to get a bit creative with the routing (solution found in another CheckMates post) but everything is working now as I need it.

Thanks for everyone's suggestions,

Dave
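The mechanism behind the accepted answer, as an added illustration that is not part of the thread and not Check Point code: a zone-based "Outgoing access to the Internet" rule matches on the zone of the interface that routing selects as egress, not on the destination IP. If no internet connection is defined, the default route leaves via the DMZ-zoned interface (the log's inzone Internal / outzone DMZ), so the manual rule never matches and the flow falls through to the cleanup drop. The interface names, zone labels, route table and the toy policy below are constructed for the example; the service group mirrors the http/https/ICMP group from the question.

```python
"""Toy model of zone-based policy matching (constructed example, not Check Point's engine).

Shows why an Internal -> Internet accept rule is never hit when the default
route points at a DMZ-zoned interface instead of an Internet-zoned one.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str  # "Internal", "DMZ" or "Internet" (constructed labels)


@dataclass(frozen=True)
class Route:
    prefix: str  # e.g. "0.0.0.0/0"
    interface: Interface


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str        # "*" means any zone
    dst_zone: str
    services: frozenset  # "proto/port" strings, or {"*"} for any
    action: str          # "accept" or "drop"


# Hypothetical interfaces and their zones.
LAN = Interface("LAN1", "Internal")
DMZ = Interface("DMZ", "DMZ")
WAN = Interface("WAN", "Internet")

# Mirrors the poster's CFU_Internet group: http, https and ICMP.
CFU_INTERNET = frozenset({"tcp/80", "tcp/443", "icmp"})

# Simplified rulebase: one manual accept rule, then the implicit cleanup drop.
POLICY = [
    Rule("Allow LAN to Internet (manual)", "Internal", "Internet", CFU_INTERNET, "accept"),
    Rule("Cleanup (drop)", "*", "*", frozenset({"*"}), "drop"),
]


def egress_interface(dst: str, routes):
    """Longest-prefix-match route lookup; returns the egress Interface."""
    addr = ip_address(dst)
    best = None
    for r in routes:
        net = ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best.interface


def evaluate(src_if: Interface, dst: str, service: str, routes):
    """Return (rule name, action, out zone) of the first rule that matches."""
    out_if = egress_interface(dst, routes)
    for rule in POLICY:
        if rule.src_zone not in ("*", src_if.zone):
            continue
        if rule.dst_zone not in ("*", out_if.zone):
            continue
        if "*" not in rule.services and service not in rule.services:
            continue
        return rule.name, rule.action, out_if.zone
    raise RuntimeError("policy has no cleanup rule")


# Scenario A (constructed): no internet connection defined, so the default
# route leaves via the DMZ interface toward the MPLS cloud.
ROUTES_NO_INTERNET = [
    Route("172.16.0.0/12", LAN),
    Route("0.0.0.0/0", DMZ),
]

# Scenario B (constructed): an Internet connection on WAN owns the default route.
ROUTES_WITH_INTERNET = [
    Route("172.16.0.0/12", LAN),
    Route("10.0.0.0/8", DMZ),
    Route("0.0.0.0/0", WAN),
]


def explain(routes):
    name, action, out_zone = evaluate(LAN, "8.8.8.8", "tcp/443", routes)
    return f"LAN -> 8.8.8.8 tcp/443: outzone={out_zone}, rule='{name}', action={action}"


if __name__ == "__main__":
    print(explain(ROUTES_NO_INTERNET))    # falls to the cleanup drop, outzone DMZ
    print(explain(ROUTES_WITH_INTERNET))  # hits the manual accept rule, outzone Internet
```

The practical check this suggests: when an internet-bound flow shows up in the drop log with an unexpected outzone, look at the route the appliance actually uses for that destination before touching the rule itself.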

the_rock
Legend

Excellent work @David_C1 👍
