I have a firewall between 2 networks and it is working. I am try to reach the other side of from a subnet that has access to the Lan subnet. How do I configure the firewall to allow other subnets to transverse the connected subnet?
Answers
Hi @Garyb
For that you would have to configure the Access rule accordingly. You can follow the below KB for configuring the Access Rule;
@Garyb,
If you have the routing on the firewall, the other subnet should also be able to reach it. What zones are the two interfaces on the firewall on?
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
To clarify the firewall is connected to 2 LAN networks
X2- 10.10.201.x
X3 - 10.172.1.X
another subnet - 10.10.100.x is routed to 10.10.201.X but also needs to reach 10.172.1.x over the firewall.
@Garyb,
What zones are X2 and X3 on and what zone have you created the network 10.10.100.x on?
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
X2 is Office LAN zone
X3 is Plant LAN Zone
10.10.100.x is Sec_lan zone
Then you need to check the access rules between Plant LAN zone and Sec_lan zone and vice versa. If there are no rules, the traffic is denied by default. So you may need to add rules to allow it.
If the access rules are present, you can do a packet capture to see what could be blocking the traffic.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Should I add the 10.10.100.X network to interface X2?
You have a routing policy on the firewall that explains how 10.10.100.X network can be reached through the interface X2 right?
If yes, then the firewall understands how it can reach that network. Since the X3 interface is configured on the firewall, it has an automatic route created to reach it.
So, if the connectivity between the X3 subnet and 10.10.100.X network is not there, it could be due to access rules.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
I am new to firewalls like this. I have the following route
Any Sec_Lan Any N/A Any Standard 0.0.0.0 X2 1 4
The packet monitor shows the packets dropped.
Here is the packet info:
Ethernet Header
Ether Type: IP(0x800), Src=[00:38:df:4f:92:47], Dst=[2c:b8:ed:76:86:26]
IP Packet Header
IP Type: ICMP(0x1), Src=[192.168.201.111], Dst=[10.172.1.50]
ICMP Packet Header
ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 12084
Value:[1]
DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2251_rqnke{Ejgem) 1:1)
Yes, the drop code suggests that it is a policy drop. So, the access rules are missing.
Please navigate to MANAGE | Rules | Access rules and use the matrix view as below and add the following access rules
From Office LAN zone and Sec_lan zone
Action: Allow
Source: X2 subnet
Destination: Sec_Lan
Service: Any
and also Sec_lan zone to Office LAN zone
Action: Allow
Source: Sec_Lan
Destination: X2 subnet
Service: Any
I am telling the zones etc based on the packet capture. You mentioned that the communication issue is between the X3 subnet and Sec_Lan, but this drop is for the X2 subnet and Sec_Lan.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
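The replies above make three separate points: the route table only says how a destination is reached, the zone pair of a packet decides which access rules apply, and a "Policy drop" (drop code 726, module 27) in the packet monitor means no allow rule matched for that zone pair. The script below is an added example (not part of this thread and not SonicOS code) that models exactly that logic for the Plant LAN / Sec_lan pair the poster asked about. It assumes /24 masks for the "10.10.201.x" style networks, an ordered rule list where the first match wins, and an implicit deny when nothing matches; the packet-monitor text and MAC addresses are constructed to mirror the format shown in the post.

```python
"""Zone / route / access-rule model for the X2 / X3 / Sec_lan scenario.

Added example, not from the original post or from SonicOS. Masks (/24),
first-match rule ordering and implicit deny are modelling assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Zones as described in the thread; the /24 masks are assumed.
ZONES = {
    "Office LAN": ipaddress.ip_network("10.10.201.0/24"),  # interface X2
    "Plant LAN": ipaddress.ip_network("10.172.1.0/24"),    # interface X3
    "Sec_lan": ipaddress.ip_network("10.10.100.0/24"),     # reached through X2
}

# Route table: connected interfaces get automatic routes; 10.10.100.0/24
# is the network that needs the policy route pointing out X2.
ROUTES = [
    (ipaddress.ip_network("10.10.201.0/24"), "X2"),
    (ipaddress.ip_network("10.172.1.0/24"), "X3"),
    (ipaddress.ip_network("10.10.100.0/24"), "X2"),
]


@dataclass
class Rule:
    from_zone: str
    to_zone: str
    action: str                                          # "Allow" or "Deny"
    source: Optional[ipaddress.IPv4Network] = None       # None means Any
    destination: Optional[ipaddress.IPv4Network] = None  # None means Any


def zone_of(ip):
    """Zone whose address object contains ip, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def route_for(ip):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, iface) for net, iface in ROUTES if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def evaluate(rules, src_ip, dst_ip):
    """Return (action, matched_rule). Routing is checked first; then rules for
    the packet's zone pair are tried in order and the first match wins.
    No match at all falls back to the implicit deny the support reply describes."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if route_for(dst_ip) is None:
        return ("No route", None)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if rule.from_zone != src_zone or rule.to_zone != dst_zone:
            continue
        if rule.source is not None and src not in rule.source:
            continue
        if rule.destination is not None and dst not in rule.destination:
            continue
        return (rule.action, rule)
    return ("Deny (implicit)", None)


# Regexes for the two packet-monitor lines that matter when troubleshooting.
IP_RE = re.compile(r"IP Type: (\w+)\(0x[0-9a-fA-F]+\), Src=\[([\d.]+)\], Dst=\[([\d.]+)\]")
DROP_RE = re.compile(r"Drop Code: (\d+)\((.*?)\), Module Id: (\d+)\((\w+)\)")


def parse_capture(text):
    """Extract protocol, endpoints, their zones and the drop code/module (if dropped)."""
    ip = IP_RE.search(text)
    if not ip:
        raise ValueError("no IP header in capture entry")
    drop = DROP_RE.search(text)
    return {
        "proto": ip.group(1), "src": ip.group(2), "dst": ip.group(3),
        "src_zone": zone_of(ip.group(2)), "dst_zone": zone_of(ip.group(3)),
        "drop_code": int(drop.group(1)) if drop else None,
        "drop_reason": drop.group(2) if drop else None,
        "module": drop.group(4) if drop else None,
    }


# Constructed packet-monitor entry in the same layout as the one in the post:
# a Sec_lan host pinging a Plant LAN host and hitting the policy drop.
SAMPLE_CAPTURE = """\
Ethernet Header
 Ether Type: IP(0x800), Src=[00:00:5e:00:53:01], Dst=[00:00:5e:00:53:02]
IP Packet Header
 IP Type: ICMP(0x1), Src=[10.10.100.25], Dst=[10.172.1.50]
ICMP Packet Header
 ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 12084
DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy)
"""

NO_RULES = []                                   # starting point: nothing between the zones
WITH_DISCARD = [                                # the "discard rule" sitting above the allow
    Rule("Sec_lan", "Plant LAN", "Deny"),
    Rule("Sec_lan", "Plant LAN", "Allow"),
    Rule("Plant LAN", "Sec_lan", "Allow"),
]
FIXED = [                                       # allow in both directions, as the reply describes
    Rule("Sec_lan", "Plant LAN", "Allow", source=ZONES["Sec_lan"]),
    Rule("Plant LAN", "Sec_lan", "Allow", destination=ZONES["Sec_lan"]),
]


def explain(capture_text, rules):
    """Combine what the capture says with what the modelled rule set would do."""
    info = parse_capture(capture_text)
    info["egress"] = route_for(info["dst"])
    info["verdict"], _ = evaluate(rules, info["src"], info["dst"])
    return info


if __name__ == "__main__":
    for label, rules in (("no rules", NO_RULES), ("discard above allow", WITH_DISCARD), ("fixed", FIXED)):
        r = explain(SAMPLE_CAPTURE, rules)
        print(f"{label:20s} {r['src']} ({r['src_zone']}) -> {r['dst']} ({r['dst_zone']}) "
              f"via {r['egress']}: {r['verdict']}  [capture: {r['drop_code']} {r['drop_reason']}]")
```

Running it prints one line per rule set: the route to 10.172.1.50 resolves to X3 every time, so the verdict changes only with the rules, which is the point the support replies keep returning to. Feeding the parser a capture whose source is outside every zone (such as the 192.168.201.111 source in the post) yields `src_zone` of None, a quick way to notice that the packet being examined is not the traffic you think you are troubleshooting.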
Great! I have access now. I had a discard rule in there. Now I need to control access by LDAP authentication. I have LDAP configured, and the group imported. How do I add it to the rules or interface?
Thanks,
@Garyb,
Are you using SSO or ULA for identifying the user after which the group that it belongs to could be checked from LDAP?
There is a field called Users included on the firewall where the group can be selected. But SSO or ULA should be present as well for this to work.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services