Hey,
I've got an evaluation of the VM-100 (v7.0.2) setup, but I'm finding that for some reason the firewall appears to be intercepting requests and completing a TCP 3-way handshake, regardless of whether the ultimate destination has the port open or not. Has anyone got any idea if this is normal behaviour, or if I've misconfigured something somewhere (and if so, what specifically I need to do to undo it)?
Steps to replicate:

1. Configure VM-100 as follows:

NETWORK INTERFACES
Interface: ethernet1/1
Interface Type: Layer3
Virtual Router: default
Zone: trust
IP: 192.168.0.1/24

Interface: ethernet1/2
Interface Type: Layer3
Virtual Router: default
Zone: untrust
IP: 192.168.100.5/24

VIRTUAL ROUTERS
Name: default
Interfaces: ethernet1/1, ethernet1/2
Static Route
Name: default-route
Destination: 0.0.0.0/0
Interface: ethernet1/2
Next Hop: IP Address - 192.168.100.1
Metric: 10

NAT POLICIES
Source Zone: trust
Destination Zone: untrust
Destination Interface: ethernet1/2
Service: any
Source Address: any
Destination Address: any
Translation Type: Dynamic IP and Port
Address Type: Interface Address
Interface: ethernet1/2
IP address: 192.168.100.5/24
2. On the Internet (untrust zone) set up a webserver 'ServerA' and configure the host firewall to have TCP port 80 open, but all other ports (e.g. 1-79 and 81-65536) closed.
3. On the local network (trust zone) set up a Windows computer 'WorkstationB' and perform an nmap 'Quick Scan' with a target of 'ServerA'.
Expected Behavior: nmap reports that port 80 is open, and all other ports closed/filtered.
Actual Behavior: nmap reports that TCP ports 7, 9, 13, 21, 22, 23, 25, 25, 37, 53, 79, 80, 81, 88, 106, ... [cut]..., 49516, 49157 are all open.
The same thing happens if you attempt an nmap in the other direction (e.g. run the scan on ServerA targeting the ethernet1/2 interface on the firewall - nmap returns all ports open, even though in reality only a couple of ports have a NAT rule configured to do destination address translation).
We've got a 7050 at work and it doesn't exhibit this behaviour (i.e. if the destination port is closed, there will be no SYN/ACK packet sent back to the source and the 3-way TCP handshake never completes). I'm not sure if this is because I've misconfigured something on the VM side, or because the virtual and hardware appliances function differently.
All of this isn't a problem as such; the Internet still works just fine and servers in the trust zone accessed from untrust with a destination address NAT rule operate normally - it's just really confusing when I'm trying to troubleshoot problems and am not able to figure out if a destination address has a particular TCP port open.
Anyone got any thoughts?
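An added troubleshooting helper (my own example, not code from the original post or from the firewall vendor) for the situation described above, where a SYN/ACK alone no longer proves a port is open: it completes the handshake, sends a request, and only reports 'open' if application data actually comes back. It assumes that a device which answered the SYN on the server's behalf resets, closes or stalls the connection once payload arrives for a backend port that is really shut; the local listeners are constructed stand-ins so the script runs offline.

```python
import socket
import threading

PROBE = b"HEAD / HTTP/1.0\r\n\r\n"  # any harmless request the real service would answer


def probe_tcp(host, port, request=PROBE, timeout=2.0):
    """Classify a port as 'closed' (no SYN/ACK), 'handshake-only' (SYN/ACK
    arrived but the connection was reset, closed or stalled once data was sent,
    i.e. a middlebox answered the SYN) or 'open' (the real service replied)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:  # ECONNREFUSED, timeout, unreachable: no handshake at all
        return "closed"
    with sock:
        try:
            sock.sendall(request)
            data = sock.recv(1024)
        except OSError:  # RST or silence after the handshake completed
            return "handshake-only"
    return "open" if data else "handshake-only"  # b'' means FIN with no reply


def start_listener(reply):
    """Constructed stand-in on 127.0.0.1: accepts one connection; with reply=b''
    it closes at once (how a proxied handshake to a shut backend port behaves),
    otherwise it reads the request and answers. Returns its ephemeral port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if reply:
                conn.recv(1024)
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def free_port():
    """Ephemeral port nothing listens on: bind to 0, note the number, release."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Against a real host, `probe_tcp("ServerA", 80)` should say 'open' while the other ports the scan listed come back 'handshake-only', which is the signature of the firewall finishing the handshake itself rather than the port being reachable.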