topic Re: How to handle firewall self-traffic (management traffic / service routing) in General Topics

How to handle firewall self-traffic (management traffic / service routing)

cryptochrome — Fri, 14 Jun 2013 17:51:00 GMT

Hi,

when I have a global clean-up rule that blocks/logs all unwanted traffic, my firewall management traffic (DNS lookups, PAN-DB updates etc) stop working if I configure it to use any other interface but the dedicated management ports. So I added a lot of rules to allow this traffic. Which is really not what I want. I also see inconsistencies. For example, SMTP traffic from the firewall (for sending alarm emails) seems to work without having a security rule for it (destination is directly connected inside a DMZ), while PAN-DB lookups (to the internet) need a security rule. Same for DNS. This is really confusing and inconsistent.

Are there any guidelines or best practices on how to set this up?

Thanks

Re: How to handle firewall self-traffic (management traffic / service routing)

gwesson — Fri, 14 Jun 2013 19:25:14 GMT

The general recommendation is to not use a clean-up rule at all. The firewall allows all same-zone traffic by default, and denies all intra-zone traffic. Unless you have a specific requirement to log this traffic, a generic "deny all" policy is not needed.

If you do have that requirement, my recommendation is to make specific policies that exclude same-zone traffic. For example, if you have 3 zones (trust, untrust, dmz) you would make 3 policies:

Src: Trust; Dst: untrust or dmz; Deny

Src: DMZ; dst: untrust or trust; Deny

Src: Untrust; dst: trust or dmz; Deny

This gives you the logging, but prevents the issue you are running into by allowing same-zone traffic. When the firewall makes an outbound connection on a public L3 interface, the source and destination are the same zone and thus your cleanup rule denies it.

Hope this helps,

Greg

Re: How to handle firewall self-traffic (management traffic / service routing)

cryptochrome — Fri, 14 Jun 2013 19:52:52 GMT

Thanks Greg, that makes sense. I am going to try that out.

One more question: If it is recommended to not use any cleanup rules at all and you effectively turn off all logging for dropped packets that way, how does this impact reporting and the ACC?

Re: How to handle firewall self-traffic (management traffic / service routing)

jvalentine — Fri, 14 Jun 2013 20:44:08 GMT

Rule logging doesn't affect ACC data ().

It does, however, affect what shows up under Monitor/Logs. As far as reporting is concerned, it depends on which database you use. The summary/statistics databases don't rely on rule logging. Reports generated from the Detailed databases pull from the same database where the rule logging occurs. (As a side-note, this is the reason why it takes more time to run a report against the detailed logs - as the reporting engine must parse through each and every applicable log entry. Reporting from the Summary databases is much quicker, but doesn't have quite as much data as the detailed logs.. ie: src/dst port information, etc.)

-JV

Re: How to handle firewall self-traffic (management traffic / service routing)

cryptochrome — Fri, 14 Jun 2013 20:55:34 GMT

Excellent, thank JV. I think I am going for dedicated cleanup rules in each zone-context to get more details. Thanks!