CheckMates (Check Point community) > CloudMates Products > Cloud Network Security > Discussion
use CIDR in firewall rules from Cloud datacenter objects
Hey everyone,
I have configured a datacenter object for Azure (R81.10 HF66 on MDS + GWs).
The datacenter object is correctly retrieving the subscription.
Looking at "Network by Subscriptions, Virtual Networks, subnets", the CIDR for each network is shown in the "Note" field.
However, it seems that when one of these objects is used in a rule, only the discovered IPs ("IP" field) are actually used to populate the firewall rule. This is a problem because the discovery finds VMs but not other types of objects (e.g. private endpoints).
Is it possible to use these objects as plain subnets and not as a list of discovered IPs?
Thanks
Note: Private Endpoint support for Azure was added with R81.20.
Hi Chris,
Thanks for your reply.
Reading here, it looks like this should work on R81.10 HF66 (Azure R81.10 minimum requirements: Jumbo hotfix Take 14).
I have added "azure.enableAsgAndPep=true" in $MDSDIR/conf/vsec.conf (both in mdsenv global and on the domain that is running cme) as described here.
Restarted both vsec and cme; however, we still do not see the private endpoint object types.
Do you have any advice on how to debug this (to check whether this is a permissions issue, maybe)?
And other than including private endpoints in the discovery, is there any way to just get the CIDR and use it in the firewall rule?
Thanks
If it's not working as expected, please take it to TAC for investigation.
If you need the CIDR, manual objects can be created as a workaround.
My assumption is that we don't interpret things this way for security reasons, so that things aren't blindly allowed unexpectedly, but I could be mistaken. Having the choice of different behaviour is likely an RFE to be discussed with your local SE.
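The following is an added example, not code from this thread, from Check Point or from the CME tool. It models the behaviour the original poster describes (the datacenter object resolves to the discovered VM IPs, so an address in the subnet that discovery does not enumerate, such as a private endpoint, is not matched by the rule) against the CIDR-based behaviour he was asking for, and then emits the manual-object workaround suggested in the last reply as one `mgmt_cli add network` command per subnet. The subnet records are a constructed stand-in for the Azure subnet listing, the object naming convention is hypothetical, and the `mgmt_cli` parameter names (`subnet4`, `mask-length4`, `comments`, `-s` session file) are taken from the Management API reference as I recall it and should be checked against the local management version before use.

```python
"""
Added example (not from the CheckMates thread or from Check Point).

Contrasts a rule populated from *discovered* IPs (the behaviour observed in
the thread) with a rule populated from the subnet CIDR, and generates the
manual network objects that the reply proposes as a workaround.
"""
import ipaddress
import shlex

# Constructed sample: what discovery "saw" for two subnets of one VNet.
# Shape is an assumption, loosely modelled on an Azure subnet listing.
SAMPLE_SUBNETS = [
    {
        "vnet": "vnet-prod",
        "name": "snet-app",
        "addressPrefix": "10.10.1.0/24",
        "discovered_ips": ["10.10.1.4", "10.10.1.5"],  # VM NICs found by discovery
    },
    {
        "vnet": "vnet-prod",
        "name": "snet-pep",
        "addressPrefix": "10.10.2.0/27",
        "discovered_ips": [],  # only private endpoints live here; discovery found nothing
    },
]


def discovered_ip_set(subnets):
    """Flatten the addresses the datacenter object would actually place in the rule."""
    return {ipaddress.ip_address(ip) for s in subnets for ip in s["discovered_ips"]}


def matches_discovered(ip, subnets):
    """Rule populated from discovered IPs: the behaviour reported in the thread."""
    return ipaddress.ip_address(ip) in discovered_ip_set(subnets)


def matches_cidr(ip, subnets):
    """Rule populated from the subnet CIDR shown in the object's Note field."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s["addressPrefix"], strict=True) for s in subnets)


def uncovered_in_cidr(ip, subnets):
    """True when an address is inside a subnet CIDR but absent from the discovered IPs,
    i.e. exactly the gap a private endpoint falls into."""
    return matches_cidr(ip, subnets) and not matches_discovered(ip, subnets)


def object_name(subnet):
    # Hypothetical naming convention; adapt to local object-naming standards.
    return f"az-{subnet['vnet']}-{subnet['name']}"


def mgmt_cli_commands(subnets, session_opt="-s id.txt"):
    """
    One `mgmt_cli add network` per subnet (IPv4 only here).

    strict=True rejects a prefix with host bits set, so a mistyped CIDR fails
    loudly instead of silently producing a wider object than intended.
    `session_opt` assumes a session file written by `mgmt_cli login > id.txt`.
    """
    cmds = []
    for s in subnets:
        net = ipaddress.ip_network(s["addressPrefix"], strict=True)
        if net.version != 4:
            raise ValueError(f"IPv6 prefix not handled by this example: {s['addressPrefix']}")
        comment = f"Azure {s['vnet']}/{s['name']} {net}"
        cmds.append(
            "mgmt_cli add network "
            f"name {shlex.quote(object_name(s))} "
            f"subnet4 {net.network_address} mask-length4 {net.prefixlen} "
            f"comments {shlex.quote(comment)} "
            f"{session_opt}"
        )
    return cmds


if __name__ == "__main__":
    pep_ip = "10.10.2.5"  # constructed private-endpoint address inside snet-pep
    print("discovered-IP rule matches PEP:", matches_discovered(pep_ip, SAMPLE_SUBNETS))
    print("CIDR rule matches PEP:         ", matches_cidr(pep_ip, SAMPLE_SUBNETS))
    print()
    print("\n".join(mgmt_cli_commands(SAMPLE_SUBNETS)))
```

The generated commands are intended to be run on the management server (on an MDS, after logging in to the domain that owns the policy) and followed by `mgmt_cli publish`; the resulting network objects can then be used in rules in place of the datacenter object. Note that this trades the narrow, discovered-IP scope the last reply describes for the whole subnet, so only do it where allowing the entire CIDR is the intended policy.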