6.5.4.5 - X1 cannot be unassigned
BWC
Cybersecurity Overlord ✭✭✭
Hi,
at one deployment I'm running WAN interfaces X2 and X9 and the X1 got decommissioned and I would like to set it from WAN zone to unassigned for the time being.
FLB has X2 and X9 as members, but whenever I try to unassign X1 from the WAN zone the message "Error: One WAN interface must be selected for Failover & LB Group" pops up, which is just wrong because X2 and X9 are in there and X1 is not.
Is this a known bug?
--Michael@BWC
Category: Mid Range Firewalls
0
Best Answer
shiprasahu93 Moderator
Hey Michael@BWC,
Could you please check if X1 is a part of the IPv6 default LB group?
That could be the reason for this error.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
6
Answers
I was always under the impression that the X1, like the X0 is to LAN, was fixed to WAN.
Not sure why for X1 but for X0 they seem to tie any mgmt type traffic (like the source of pings or ldap requests) to source from the X0 IP.... I assumed it was something similar for X1.
Could be mistaken but I believe they mentioned this on one of the SW university courses.
@RedNet,
Yes, we had similar restrictions for X1 interface for quite some time. But I think that was for Gen 5 and Gen 6 on 6.2.x versions.
Since 6.5, other than X0 interface, all others are free to be unassigned and configured on any available zones.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi all,
IPv6 (always forgetting about it) was the right direction to look at. Maybe X1 was locked to WAN in the past, but it must be ages ago, even on a Gen5 I can unassign X1.
Note to my future me: Check IPv6 too, even if you don't use it actively :)
--Michael@BWC
Michael@BWC,
Since 6.5.3.x, enable IPv6 is a global option under Manage | Appliance | Base settings -> 'Enable IPv6'. If you are not using IPv6 on the firewall, I would suggest keeping this option disabled.
I have been in those situations a few times now 😄. So as soon as you mentioned that error, I could recall what it might be.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @shiprasahu93
disabling IPv6 will not do the trick. I still need to configure FLB for IPv6, tested it a second ago with 6.5.4.6.
Disabling IPv6 does not make IPv6 disappear, which might be expected; according to the documentation it just forces the firewall to drop IPv6: "When IPv6 is disabled, all IPv6 packets are dropped by the firewall and the INVESTIGATE | Tools > Packet Monitor page displays the log messages.". Which renders the meaningfulness of this option, let's say, debatable.
But future me is prepared, no worries :)
--Michael@BWC
Michael@BWC,
It's actually more useful for the unnecessary access rules and NAT policies. But, glad that this one is sorted out!
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
beautiful reflection n!