AnsweredAssumed Answered

Exclude CPM Traffic from Implied Rules

Question asked by Paul Warnagiris on Nov 2, 2017
Latest reply on Nov 3, 2017 by Paul Warnagiris

My question is similar to this thread Exclude CPM traffic from implied rules  however I have a 77.30 GW on-prem with a VPN to an R80.10 AWS vSec instance.  Both are managed by different managers.  So when the traffic is initiated from my management client behind the 77.30 GW, it encrypts.  When it gets to the 80.10 GW it "accepts" and doesn't decrypt.  So I followed the thread above where I commented out ENABLE_CPMI, but no change.  Encrypt on the on-prem side (I did not change anything there) and accept on rule zero at AWS.  

 

Here is my implied_rules.def

[Expert@bi-prod-fw:0]# cat implied_rules.def | grep CPM
/* #define ENABLE_CPMI */
#ifdef ENABLE_CPMI
                (dport = CPMI_PORT or dport = CPMI_PORT_NGM), tcp,                                                                                              \
                (sport = CPMI_PORT or sport = CPMI_PORT_NGM), tcp,                                                                                              \
[Expert@bi-prod-fw:0]#
Am I missing something simple?  The customer really does not want to manage this through the Internet even though I believe that the best way to go.
Thanks,
Paul

Outcomes