Time for the Branch-FW configuration.
We need to start by changing the IP address:
gw-020000> set interface eth0 ipv4-address 192.168.1.222 mask-length 24 gw-020000> set interface eth0 auto-negotiation - Configure auto-negotiation comments - interface Comments ipv4-address - Interface IPv4 address ipv6-address - Interface IPv6 address ipv6-autoconfig - Configure IPv6 auto-configuration link-speed - interface link speed mac-addr - Configure hardware address monitor-mode - set monitor-mode for interfaces mtu - interface Mtu rx-ringsize - Set receive buffer size for interface state - interface State tx-ringsize - Set transmit buffer size for interfaces gw-020000> set interface eth0 state on gw-020000> gw-020000> save config gw-020000>Let's just check that we can access one FW from the other:
This system is for authorized use only. login: admin Password: Last login: Sun Feb 21 18:20:23 on ttyS0 gw-010000> ping 192.168.1.222 PING 192.168.1.222 (192.168.1.222) 56(84) bytes of data. 64 bytes from 192.168.1.222: icmp_seq=1 ttl=64 time=3.36 ms 64 bytes from 192.168.1.222: icmp_seq=2 ttl=64 time=0.701 ms --- 192.168.1.222 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 999ms rtt min/avg/max/mdev = 0.701/2.034/3.368/1.334 ms ^C gw-010000>OK, So, can we get this new FW into our existing SmartDashboard?? Let's try! We do need to run through the initial set-up first, through the web browser, we cant just go ahead end put it into SmartDashboard. It is also important to remember the topology. The PC is using an IP address of 10.1.1.21, but the Branch-FW only knows about the 192.168.1.0/24 network, so we need a route:
gw-020000> set static-route 10.1.1.0/24 nexthop gateway address 192.168.1.111 on gw-020000>Now we have reachability, notice the extremely "open" rule in the rule base, and that we have reachability from the switch:
I have not included all the steps, as they are no different to how we configured the HQ-FW. But because I immediately jumped in and tried to add it to SmartConsole, without going through the above steps, it will not initialize SIC - so I had to reset the SIC connection, before I got the green tick:
So, what shall we do now? Well, let's add some routing into the mix.
We'll try it our through the CLI first and see how far we get without having to resort to the GUI.
Following the KISS method, everything will be in area 0 (the backbone):
gw-010000> show configuration ospf set ospf area backbone on set ospf interface eth0 area backbone on set ospf interface eth0 priority 1 gw-010000> gw-020000> show configuration ospf set ospf area backbone on set ospf interface eth0 area backbone on set ospf interface eth0 priority 1 gw-020000>In the interest of full-disclosure, I did have to remove all of the policies from the Branch router, something in the rule base was preventing OSPF from working, so now we get OSPF working, but SIC does not.
This is the rule base I have at the moment:
The good news is that OSPF is working:
gw-010000> show ospf neighbors Neighbor state flag: G - graceful restart Neighbor ID Pri State Dead Address Interface Errors 192.168.1.222 1 FULL/DR 34 192.168.1.222 192.168.1.111 0 gw-010000> gw-020000> show ospf neighbors Neighbor state flag: G - graceful restart Neighbor ID Pri State Dead Address Interface Errors 10.1.1.111 1 FULL/BDR 32 192.168.1.111 192.168.1.222 0 gw-020000>We can also confirm this from the GUI:
We can add interfaces, and OSPF updates nicely:
gw-020000> show route
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive
S 0.0.0.0/0 via 192.168.1.111, eth0, cost 0, age 201382
S 10.1.1.0/24 via 192.168.1.111, eth0, cost 0, age 201382
C 127.0.0.0/8 is directly connected, lo
O 172.16.1.0/24 via 192.168.1.111, eth0, cost 2, age 2
C 172.16.2.0/24 is directly connected, eth2
DMZ
C 192.168.1.0/24 is directly connected, eth0
gw-020000>
So, now can we get OSPF working and SIC? Should do, it's just about proper placement of ACLs.Let's start by unassigning the policy:
gw-010000> fw unloadlocal Uninstalling Security Policy from all.all@gw-010000 Done. gw-010000>Let's start with a cleaner rule base, not ideal, but definitely cleaner:
This gets applied to our HQ gateway. We then reinitialize SIC:
Then, once SIC is healthy again, push the same policy to the branch gateway. Now OSPF is healthy as well!
gw-010000> show ospf neighbors
Neighbor state flag: G - graceful restart
Neighbor ID Pri State Dead Address Interface Errors
192.168.1.222 1 FULL/DR 31 192.168.1.222 192.168.1.111 0
gw-010000> show route
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive
S 0.0.0.0/0 via 10.1.1.1, eth1, cost 0, age 205827
C 10.1.1.0/24 is directly connected, eth1
C 127.0.0.0/8 is directly connected, lo
C 172.16.1.0/24 is directly connected, eth2
DMZ
O 172.16.2.0/24 via 192.168.1.222, eth0, cost 2, age 386
C 192.168.1.0/24 is directly connected, eth0
gw-010000>
OK, so progress is being made. It's all about learning the differences and the quirks. Next up will be a look at saving and backing up configurations.
0 comments:
Post a Comment