6 Replies Latest reply on Jun 30, 2011 4:41 PM by bperez

    Sticky Connections

      Hi Gurus,

      I have an MFE 410F V8.1 with two Internet links.

      My scenario is:

      Interface em0 is 190.144.61.214/29 and the Lan Router Interface is 190.144.61.214

      Interface bge0 is 190.144.97.155/29 and the Lan Router Interface is 190.144.97.153

      The default gateway of my MFE is 190.144.61.214.

      So, please let me explain my issues:

      1. Both Internet links are provided by the same provider and I don't know what IP address I could monitor in order to configure the ISP redundancy correctly.

      What happens if I don't configure monitor addresses and I only configure the default and backup routes?

      2. This is the most important item for me right now.

      I have some policies permitting access from the Internet to my partners and I'm using public IP addresses of both Internet links for it. For instance, for https access from the Internet I'm using 190.144.61.214 and for Terminal Server access I'm using 190.144.97.155.

      With another firewall that configuration worked well, but with my MFE this is not working. I found the following log:


      2011-03-21 19:29:35 -0500 f_kernel_ipfilter a_general_area t_nettraffic p_major
      hostname: fw.local event: session end application: <Unknown TCP>
      netsessid: a34244d87ed6f src_geo: CO srcip: 190.27.52.115 srcport: 28220
      srczone: Internet2 protocol: 6 dstip: 192.168.3.3 dstport: 3389
      dstzone: Servidores bytes_written_to_client: 0 bytes_written_to_server: 0
      rule_name: <Pending Application Identification> cache_hit: 0
      start_time: 2011-03-21 19:29:35 -0500

      2011-03-21 19:29:38 -0500 f_kernel a_nil_area t_netprobe p_major
      hostname: fw.local event: TCP SYN/ACK netprobe src_geo: CO
      srcip: 190.144.97.155 srcport: 3389 srczone: Internet2 dst_geo: CO
      dstip: 190.27.52.115 dstport: 28220 protocol: 6 interface: lo7
      reason: Received a SYN/ACK packet that did not match a pending outgoing connection.  This may indicate a scanning attack or routing problem.


      Does MFE not support sticky connections? Any idea in order to solve this issue?

       

      Thanks in advance.

        • 1. Re: Sticky Connections
          martin.dimov

          Hi,

          On your first question: only one ISP connection can be active at a time. This means that your primary connection will be active if you do not set up a monitor.

          On your second question: you cannot use both connections for inbound or outbound traffic. We did our own script that checks the MFE default route status and, depending on this, does some tasks. Imagine MFE knows that it is in failover ISP mode, so MFE could alternate its default public IP with a new one. Correct?

          MFE has crontab, so anyone could do scripts. At the moment it is not forbidden by the OS.

          You have another solution to your second problem too: because the provider is the same, he should also allow source IP 190.144.97.155 on your first connection and source IP 190.144.61.214 on the second (reversed). If this is done and the provider does not drop such packets as spoofed ones, your config will work. I suppose right now the traffic that should exit from the second connection exits on the first one because of the default route and the ISP drops these packets as spoofed. You could see it with tcpdump on em0 looking for IP 190.144.97.155.

          Hope this helps.

          Next few days I will post our script. It automates the 'reset default route' process that is at the moment manual.

          • 2. Re: Sticky Connections

            Hi,

            I got the following answer from McAfee support:

            This is called asynchronous routing and it will work if you:
            1) create a stateless, bi-directional service to use in your rule (may work)
            or
            2) create a route back out your ISP2 interface so this traffic knows to go back out the interface it came in on (will work for sure)

            The best thing to do is number 2. These connections do not work by default through the firewall, since this is not how routing works in general.

            I'd appreciate it if anyone can guide me with an example of configuration.

            Thanks!

            • 3. Re: Sticky Connections
              martin.dimov

              Hi,

              Option 2 should work. Could you check with support how to configure it? I do not know what they mean, but I am curious about their answer.

              Regards

              • 4. Re: Sticky Connections
                sliedl

                Puga,

                This is what you wrote to me:

                We did an easy test, creating a policy allowing terminal server to the IP of the interface em5 (Backup ISP) and redirecting this traffic to an internal host.
                The test was unsuccessful.

                It seems as if the firewall denies this traffic because the incoming connection goes through one interface and the outgoing packet goes through another, different interface.  Does the McAfee firewall not support sticky connections?

                I then wrote to you what you mentioned above: this is called asynchronous routing.  You asked for an example, so I wrote this to you:

                A routing example:

                Your firewall configuration:
                external IP_1: 1.1.1.1/24
                default route: 1.1.1.2
                external IP_2: 2.2.2.2/24
                internal IP: 3.3.3.3/24
                web server IP: 3.3.3.4
                No other routes. (This is important.)

                If a computer with IP 4.4.4.4 comes to your external IP_2 interface (2.2.2.2) and gets redirected to 3.3.3.4 (web server) on your internal network, the response from 3.3.3.4 back to 4.4.4.4 will go out your external IP_1 interface (1.1.1.1) because that is where your Default Route is.  It will not go back out the interface 2.2.2.2 (IP_2) because you have NO explicit route pointing any traffic going to 4.4.4.4 to some device on the 2.2.2.2 interface.  If you do not have a route for a destination IP or network, your traffic will go out the interface that points to your default route.  That's what's happening in your situation.

                What I didn't explicitly say was "Since you do not know exactly what IPs are going to arrive over your ISP_2 interface (e.g. they're not all going to be coming from 4.4.4.0/24, of course) this is not practical in your situation."

                The one thing you could do: make your ISP_2 router NAT all the connections so they appear to be coming from the router itself.  That way you will always send the return traffic back out the same link it came in on.  You will not see any IPs other than your ISP's router, but this setup will work.

                The firewall simply does not do what you want to do; the feature does not exist on the firewall, unfortunately.

                If you want to request this feature be considered for addition to the firewall, you can file a Product Enhancement Request.
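                The routing decision described in the example above, as an added simulation that is not part of this thread or of the McAfee product: a plain destination-based lookup over the table sliedl gives (1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24, default via ISP_1), the effect of adding an explicit route for 4.4.4.0/24, the NAT workaround (the ISP_2 router address 2.2.2.1 is an assumption; the post does not name it), and a hypothetical "sticky" session table that remembers the ingress interface, which is the feature the post says the firewall lacks.

```python
import ipaddress

# Constructed from sliedl's example: two external interfaces, one internal
# interface and a single default route pointing at ISP_1. No other routes.
def make_routes():
    return [
        (ipaddress.ip_network("1.1.1.0/24"), "ext1"),      # IP_1 1.1.1.1, ISP_1 link
        (ipaddress.ip_network("2.2.2.0/24"), "ext2"),      # IP_2 2.2.2.2, ISP_2 link
        (ipaddress.ip_network("3.3.3.0/24"), "internal"),  # 3.3.3.3, web server 3.3.3.4
        (ipaddress.ip_network("0.0.0.0/0"), "ext1"),       # default route via 1.1.1.2
    ]

def egress_by_destination(routes, dst_ip):
    """Plain destination-based routing: the longest matching prefix wins."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(net, iface) for net, iface in routes if dst in net]
    if not matches:
        return None
    _net, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface

class StickySessions:
    """Hypothetical 'sticky connection' table (not an MFE feature): remember
    the interface each inbound session arrived on and reuse it for the reply,
    overriding the routing table for that session only."""
    def __init__(self):
        self._by_peer = {}

    def inbound(self, peer_ip, peer_port, ingress_iface):
        self._by_peer[(peer_ip, peer_port)] = ingress_iface

    def egress_for_reply(self, routes, peer_ip, peer_port):
        iface = self._by_peer.get((peer_ip, peer_port))
        return iface if iface else egress_by_destination(routes, peer_ip)

def demo():
    routes = make_routes()
    # Client 4.4.4.4 arrives on ext2 (2.2.2.2) and is redirected to 3.3.3.4.
    plain = egress_by_destination(routes, "4.4.4.4")           # ext1: asymmetric
    with_route = egress_by_destination(                        # explicit route fixes it
        routes + [(ipaddress.ip_network("4.4.4.0/24"), "ext2")], "4.4.4.4")
    # NAT workaround: ISP_2 router (assumed 2.2.2.1) hides the real client,
    # so the reply destination sits on the directly connected 2.2.2.0/24.
    natted = egress_by_destination(routes, "2.2.2.1")          # ext2
    sticky = StickySessions()
    sticky.inbound("4.4.4.4", 50000, "ext2")                   # constructed session
    remembered = sticky.egress_for_reply(routes, "4.4.4.4", 50000)  # ext2
    return plain, with_route, natted, remembered
```

The first value shows the asymmetry the post describes; the NAT case works but, as the next reply points out, the firewall then only ever sees the ISP router's address.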

                • 5. Re: Sticky Connections

                  Sam,

                  Although your solution works (make your ISP_2 router NAT all the connections), the firewall will be a blind spot for detecting the attack source.

                  Please keep in mind that we bought a Security Solution!

                  • 6. Re: Sticky Connections
                    bperez

                    I have the same issue with routing. I have three E1 links and my need is to route by protocol to a different ISP (i.e. streaming to the Internet, VPN, web server). I also have a small McAfee Snapgear UTM 580 and, with its "Policy Routes" functionality, it is very easy to implement. How is it possible that in the enterprise firewall I can't do that! I made the PER 1 year ago to integrate that functionality.

                    (attached image: policy routes.jpg)

                    The message was edited by: bperez on 30/06/11 04:41:33 PM CDT