Ron5on
Explorer

HTTPS on external interface

Hi,

I have a single R80.30 gateway, with Identity awareness blade enabled.

A few days ago, I migrated from AD Query to Identity Collector. Since then, the external interface is reachable via HTTPS. The response is:

HTTP ERROR 404

Problem accessing /. Reason:

    Not Found

However, I would like to completely block any incoming connections from the Internet.

Both Portal and Identity Collector are configured to allow access "through internal interfaces" only.

Any ideas?


0 Kudos
12 Replies
_Val_
Admin

R80.30 is already out of support; please consider moving to the recommended version as soon as possible.

I assume your external HTTPS connections are accepted via rulebase? Which rule in particular?


0 Kudos
Ron5on
Explorer

Hi Val,

That's the thing - I have no rule that allows HTTPS access to the firewall object. I even created a rule that explicitly blocks HTTPS access to the firewall object from non-internal networks (i.e. added internal networks to the cell, and negate), but it made no difference.

Also, there are no HTTPS-related Implied rules.

Andy - the URL filtering blade is not enabled on this gateway. I believe it requires a license (?).

0 Kudos
_Val_
Admin

Look in the logs please, there should be something for this access. 

0 Kudos
the_rock
Legend

Everything on CP requires a license, haha. Anyway, the reason why I said to add object Internet to the rule is because "any" means internal stuff as well and you don't want to block that.

0 Kudos
_Val_
Admin

First, an emergency can be tackled with an evaluation license. Second, I do not believe it is something related to URL filtering, it is a different configuration issue.

Adding complexity and trying to block it with URL filtering does not make sense. Let's figure out simple things first.

0 Kudos
the_rock
Legend

True, but I never said it's URL filtering related anyway. The reason why I brought it up in the first place is that to be able to use object "Internet", you have to have URLF enabled, that's all.

But I agree, checking the logs would be a good idea to start with.

0 Kudos
Ron5on
Explorer

I am testing this with an external computer that has a fixed IP.

In the logs, there are a few DROPs, either because 'First packet isn't SYN', or 'Dropped by multiportal infrastructure'. However, I cannot see any ACCEPTs.

EDIT: Just to clarify, no Rule Name/Number is associated with these DROPs.

0 Kudos
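To make the log check Val suggested repeatable, here is an added triage script (not from the thread, and not a Check Point tool) that runs over constructed, simplified log records. The semicolon-separated `key=value` layout, the gateway address `198.51.100.1`, the external tester `203.0.113.7` and the internal ranges are all assumptions; the drop reasons are the two quoted in the post above. It separates rulebase drops (which carry a rule number) from drops made before the rulebase by the portal infrastructure, and flags any accept to the gateway's HTTPS port from a non-internal source that has no rule attached, which is exactly the kind of record a defender would want to see or rule out here.

```python
import ipaddress
from collections import Counter

# Constructed sample records in a simplified "key=value;" layout (an assumption,
# not a real Check Point export). The reason strings mirror the thread above.
SAMPLE_LOGS = """\
time=2023-05-02T10:00:01;action=drop;src=203.0.113.7;dst=198.51.100.1;dport=443;proto=tcp;reason=First packet isn't SYN
time=2023-05-02T10:00:02;action=drop;src=203.0.113.7;dst=198.51.100.1;dport=443;proto=tcp;reason=Dropped by multiportal infrastructure
time=2023-05-02T10:00:03;action=accept;src=10.10.0.5;dst=198.51.100.1;dport=443;proto=tcp;rule=12;rule_name=Admin portal access
time=2023-05-02T10:00:04;action=accept;src=203.0.113.7;dst=198.51.100.1;dport=443;proto=tcp
time=2023-05-02T10:00:05;action=drop;src=203.0.113.9;dst=198.51.100.1;dport=22;proto=tcp;rule=99;rule_name=Cleanup
"""


def parse_record(line):
    """Split one 'k=v;k=v' record into a dict; unknown fragments are ignored."""
    rec = {}
    for field in line.strip().split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            rec[key.strip()] = value.strip()
    return rec


def is_external(ip, internal_nets):
    """True when the address falls outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in internal_nets)


def triage(log_text, gateway_ip, internal_nets, port="443"):
    """Bucket external hits on <gateway_ip>:<port> by how the gateway handled them.

    Returns a dict with:
      accepts         - accepted connections from external sources
      rulebase_drops  - drops that name a rule (decided by the policy)
      infra_drops     - drops with no rule, i.e. made before the rulebase
      reasons         - Counter of reason strings for the infra drops
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    result = {"accepts": [], "rulebase_drops": [], "infra_drops": [],
              "reasons": Counter()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        # Only traffic aimed at the gateway itself on the port under review.
        if rec.get("dst") != gateway_ip or rec.get("dport") != port:
            continue
        if "src" not in rec or not is_external(rec["src"], nets):
            continue
        action = rec.get("action")
        if action == "accept":
            result["accepts"].append(rec)
        elif action == "drop":
            if "rule" in rec:
                result["rulebase_drops"].append(rec)
            else:
                result["infra_drops"].append(rec)
                result["reasons"][rec.get("reason", "unknown")] += 1
    return result


def unexplained_accepts(result):
    """Accepts that no rule claims: the records worth escalating first."""
    return [rec for rec in result["accepts"] if "rule" not in rec]


if __name__ == "__main__":
    summary = triage(SAMPLE_LOGS, "198.51.100.1",
                     ["10.0.0.0/8", "192.168.0.0/16"])
    print("external accepts:", len(summary["accepts"]))
    print("rulebase drops:  ", len(summary["rulebase_drops"]))
    print("infra drops:     ", len(summary["infra_drops"]))
    for reason, count in summary["reasons"].items():
        print(f"  {count} x {reason}")
    for rec in unexplained_accepts(summary):
        print("ACCEPT WITHOUT RULE:", rec["time"], rec["src"], "->", rec["dst"])
```

Drops with no rule number, like the two reported in the post, are the expected result when the portal infrastructure rejects the connection before the policy is consulted; an accept with no rule number is the record that would explain a reachable external HTTPS listener and is the one to chase in the real log export.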
the_rock
Legend

Just have a rule that says source Internet, dst your fw object, service https, action block. Make sure you have url filtering blade enabled in policy properties to use "Internet" object itself.

Andy

0 Kudos
PhoneBoy
Admin

(1)
the_rock
Legend

Seen that sk before, makes sense.

0 Kudos
Ron5on
Explorer

I want to give it a try but for some reason the utility fails to connect (make sure that the server is up and running etc.). SmartConsole works just fine from this very computer/user ☹️

0 Kudos
PhoneBoy
Admin

Can you confirm that traffic from TCP 18190 is being received on your management server from the computer in question (e.g. with tcpdump)?

0 Kudos