Rule 1 conflicts with Rule 2 for Services & Applications https when installing policy
Rule 1 is the stealth rule - SRC: Any, DST: GWs, Services: Any, Action: Drop
Rule 2 is under the Mobile Access rule (layer) - SRC: IPs, DST: GW, Services: https, Action: Drop
Tell me why the rules conflict and what needs to be changed in order for the policy to be installed.
I do not understand what you are trying to achieve - Rule 1 (Any, GWs, Any, Drop) is the big brother of (IPs, GWs, https, Drop) and will always shadow Rule 2! So just leave out Rule 2...
I made a mistake with the description, in the second rule Accept.
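As an added illustration (not code from this thread or from Check Point), a small first-match shadow check over rule tuples like the stealth and Mobile Access rules above; the gateway and client addresses are constructed placeholders. It reports a later rule as "redundant" when an earlier matching rule has the same action and "unreachable" when the action differs, and it shows that a Mobile Access rule whose Destination is Any is not hidden by the stealth rule.

```python
"""Added example: detect a later rule that an earlier first-match rule fully hides."""
from ipaddress import ip_network

ANY = "Any"

def _covers_nets(outer, inner):
    """True if every network in 'inner' lies inside some network in 'outer'."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return all(any(ip_network(i).subnet_of(ip_network(o)) for o in outer) for i in inner)

def _covers_services(outer, inner):
    """True if every service in 'inner' is also matched by 'outer'."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return set(inner) <= set(outer)

def covers(earlier, later):
    """True if any packet matching 'later' would already have matched 'earlier'."""
    return (_covers_nets(earlier["src"], later["src"])
            and _covers_nets(earlier["dst"], later["dst"])
            and _covers_services(earlier["svc"], later["svc"]))

def find_shadowed(rules):
    """Return (shadowing_rule, shadowed_rule, kind) for each rule fully hidden
    by an earlier rule in the ordered list (first hit per rule)."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier["action"] == later["action"] else "unreachable"
                findings.append((earlier["name"], later["name"], kind))
                break
    return findings

# Constructed placeholder addresses standing in for the gateway objects and client IPs.
GATEWAYS = ["198.51.100.10/32", "198.51.100.11/32"]
STEALTH = {"name": "1 stealth", "src": ANY, "dst": GATEWAYS, "svc": ANY, "action": "Drop"}
MOBILE = {"name": "2 mobile access", "src": ["203.0.113.0/24"],
          "dst": ["198.51.100.10/32"], "svc": ["https"], "action": "Accept"}

if __name__ == "__main__":
    print(find_shadowed([STEALTH, MOBILE]))            # stealth hides the Accept rule
    print(find_shadowed([STEALTH, dict(MOBILE, dst=ANY)]))  # Destination Any: not hidden
```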
According to Mobile Access R80.30 Administration Guide in Mobile Access and the Unified Access Policy - Best Practices for Rules:
Do not use a gateway as the Destination in a Mobile Access rule. The rules authorize a user's access to an internal resource. Use Any or the internal hosts of relevant applications in the Destination column.
We set the portal address in Destination (the portal address is the external virtual interface of the cluster); after that, our traffic is dropped by the implied rules (dropped by the multiportal infrastructure).
Sorry, I cannot understand you. You have two conflicting rules in your first post, both with Dest GW, and now you tell us: Do not use a gateway as the Destination in a Mobile Access rule.
I know lots of people may disagree with what I will say, but I always found the stealth rule in the policy not that useful. If you think about it, the implicit clean-up rule would block any unwanted traffic, but it's true that at the end of the day the stealth rule does serve the purpose of blocking communication to the firewall itself.
Anyway, back to your issue... I'm also a little confused, like @G_W_Albrecht. Can you send a screenshot? I think it would help... happy to do a remote session if you like and help you out.
I would suggest that you better ask TAC for a solution...
When trying to install a policy with rules 15 and 16 enabled and rule 9 disabled, it fails.
After we set the portal address in rule 16 instead of the gateway object in Destination, our traffic began to be blocked by the implied rules.
Can you send a screenshot of how the rules are currently set?
Andy
We moved the Mobile Access rule above the Stealth rule, but now we have third-party users, when they receive an address from our pool, they lose their local network.
All traffic begins to wrap itself in the tunnel. Can you tell me where to set it up?
Why not contact TAC to get this resolved once and for all?
I agree 100% with @G_W_Albrecht. Just work with TAC and have this resolved.