clath13
Level 9

Network Protection in MWG 7.5 Breaks ProxyHA


So I have my MWGs configured for ProxyHA. When I enable Network Protection, HA fails: my nodes go into conflict state. I have looked at http://www.ietf.org/rfc/rfc3768.txt, and what this tells me is that VRRP is not really port based, which is all Network Protection uses (TCP or UDP). I have enabled ports 1-65535 between all nodes. How do you enable Network Protection without breaking the VRRP communication between nodes?

Thanks,

Claire

0 Kudos
1 Solution

Accepted Solutions
clath13
Level 9

Re: Network Protection in MWG 7.5 Breaks ProxyHA


According to McAfee, HA and Network Protection are mutually exclusive. Because VRRP is a protocol, there is no way to configure the proxies to talk to each other via VRRP through Network Protection. They have put an enhancement request in. I am not willing to use iptables at the OS level to do this, so I guess I will do it the old-fashioned way, through ACLs off the proxies. Seems a little silly. Seems even sillier when McAfee says "not too many people use Network Protection, are you sure you need it?" I will tell the assessor who dinged me that and see what he says.

0 Kudos
2 Replies
btlyric
Level 12

Re: Network Protection in MWG 7.5 Breaks ProxyHA


Modifying iptables to handle this at the OS level ought to be relatively easy. We don't use proxy HA, but my guess is that MWG is utilizing keepalived. If my guess is correct, the following information should be accurate, but I highly recommend testing in a non-production environment.

There are two main things that you need to permit:

- multicast

- the VRRP protocol (IP proto 112)

MWG may overwrite the entries if you add them to /etc/sysconfig/iptables. Instead, add them to the /etc/init.d/iptables startup script. This modification will need to be re-applied after any upgrade activities.

The core Network Protection configuration doesn't modify the FORWARD or OUTPUT portions of the configuration, so, assuming that your Network Protection configuration via the GUI is set to Input policy Drop and the interface over which Proxy HA is communicating is eth0, you can add the necessary entries after the "# Load additional modules (helpers)" line and before the 'if [ -n "$IPTABLES_MODULES" ]; then' line:

# Load additional modules (helpers)

# INSERT MODIFICATION LINES HERE
# permit multicast inbound on eth0 (VRRP advertisements go to 224.0.0.18)
/sbin/iptables -I INPUT -i eth0 -d 224.0.0.0/8 -j ACCEPT
# permit ip proto 112 (vrrp) inbound on eth0
/sbin/iptables -A INPUT -p 112 -i eth0 -j ACCEPT

if [ -n "$IPTABLES_MODULES" ]; then

You might be able to further tighten the multicast rule down by specifying a multicast source address in the keepalived configuration, but my guess is that MWG will overwrite that file if you modify the HA configuration, so that probably won't survive.

0 Kudos
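To make the point of both posts concrete (a port-based TCP/UDP allow list cannot match VRRP, while a multicast or proto-112 rule can), here is an added illustration that is not part of the thread and not McAfee or keepalived code. It builds a VRRPv2 advertisement per RFC 3768 (IP protocol 112, destination 224.0.0.18, TTL 255) in Python, parses it back with checksum verification, and runs it through a toy model of the iptables INPUT chain: first with only "all TCP/UDP ports" rules as in the question, then with the multicast and proto-112 rules from the reply. The VRID, priority, virtual IP and source address are constructed sample values, and the chain model is a simplification (it matches on protocol and destination only, since port matching cannot apply to VRRP).

```python
"""VRRPv2 advertisement builder/parser plus a toy iptables INPUT model.

Added illustration for this thread; not MWG, McAfee or keepalived code.
All packet bytes below are constructed here, not captured from a real node.
"""
import ipaddress
import struct

VRRP_PROTO = 112            # IP protocol number for VRRP (RFC 3768)
VRRP_MCAST = "224.0.0.18"   # VRRP advertisement multicast group


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrp_advert(vrid: int, priority: int, vips: list, adver_int: int = 1) -> bytes:
    """VRRPv2 advertisement: version 2, type 1, auth type 0 (RFC 3768 section 5.3)."""
    vip_bytes = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    auth_data = b"\x00" * 8
    hdr = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), 0, adver_int, 0)
    body = hdr + vip_bytes + auth_data
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 255) -> bytes:
    """Minimal IPv4 header (no options) around payload; VRRP requires TTL 255."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header, verify its checksum, return the fields a filter needs."""
    ihl = (pkt[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "ttl": pkt[8], "proto": pkt[9], "payload": pkt[ihl:]}


def parse_vrrp(payload: bytes) -> dict:
    """Decode a VRRPv2 advertisement and verify its checksum (RFC 3768 section 7.1)."""
    if inet_checksum(payload) != 0:
        raise ValueError("bad VRRP checksum")
    vt, vrid, prio, naddr, _auth, adver, _csum = struct.unpack("!BBBBBBH", payload[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    vips = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(naddr)]
    return {"vrid": vrid, "priority": prio, "vips": vips, "adver_int": adver}


# Toy INPUT chain: rules are (ip proto or None, dst network or None, verdict), first match wins,
# unmatched packets get the chain policy. 6 = TCP, 17 = UDP. Ports are deliberately not
# modelled: a VRRP packet carries no L4 port, so a port rule can never match it.
def input_verdict(rules, pkt_info, policy="DROP") -> str:
    dst = ipaddress.IPv4Address(pkt_info["dst"])
    for proto, dst_net, verdict in rules:
        if proto is not None and proto != pkt_info["proto"]:
            continue
        if dst_net is not None and dst not in ipaddress.IPv4Network(dst_net):
            continue
        return verdict
    return policy


PORTS_ONLY = [(6, None, "ACCEPT"), (17, None, "ACCEPT")]          # "ports 1-65535" from the question
WITH_VRRP = [(None, "224.0.0.0/8", "ACCEPT"), (112, None, "ACCEPT")] + PORTS_ONLY  # rules from the reply


def demo() -> dict:
    """Build one advertisement (sample VRID/priority/VIP) and filter it both ways."""
    advert = build_vrrp_advert(vrid=51, priority=150, vips=["192.0.2.10"])
    pkt = build_ipv4("192.0.2.2", VRRP_MCAST, VRRP_PROTO, advert)
    info = parse_ipv4(pkt)
    return {"vrrp": parse_vrrp(info["payload"]),
            "ports_only": input_verdict(PORTS_ONLY, info),
            "with_vrrp": input_verdict(WITH_VRRP, info)}


if __name__ == "__main__":
    print(demo())
```

The first rule set returns DROP and the second ACCEPT for the same packet, which is exactly the failure in the question: opening every TCP and UDP port changes nothing for a protocol that has no ports. When checking a real node, `tcpdump -ni eth0 proto 112` on the standby shows whether the master's advertisements arrive at all; if they do but the node still goes into conflict, look at the INPUT chain ordering rather than at the HA configuration.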