2 Replies Latest reply on May 14, 2014 8:45 AM by tyger

    How to configure Proxy HA & Network Protection (MWG7)

      I had two MWG7s configured as "simple" proxy. My Network Protection rules were set to allow traffic on the internal eth and drop everything else.

      [screenshot: ha_protect.JPG]

       

      This config was working, but when I enable Proxy HA, VRRP fails. There is no option to select the VRRP protocol in the Network Protection config (just TCP or UDP). I would be able to do it using iptables, but how do I make this configuration persistent?

       

      Any ideas?

        • 1. Re: How to configure Proxy HA & Network Protection (MWG7)
          asabban

          Hello,

           

          If you want to use "custom" iptables rules and make them persistent, you will need to add them manually. After you have logged on via SSH, put your rules into /etc/init.d/iptables. If you look into that file you will find a start() function. I would try to put the custom rules on top of:

           

          touch $VAR_SUBSYS_IPTABLES

          return $ret

           

          After a restart the rules should be there. There are a few things to notice:

           

          - Be careful and test your changes on a VM if possible. Mistakes in the startup scripts may cause the appliance to become stuck while booting, and recovery won't be too easy

          - This kind of modification is not supported

          - Updates of the OS may cause the changes to be wiped out, since the startup scripts are not migrated during an update

          - Please ensure you file a service request to get an official solution

           

          Best,

          Andre

          • 2. Re: How to configure Proxy HA & Network Protection (MWG7)
            tyger

            All changes to /etc/init.d/iptables will be silently discarded when the iptables package is updated.

             

            If you want to make those changes truly persistent, I'd recommend editing /etc/sysconfig/iptables directly (e.g. add the line "-A INPUT -p 112 -j ACCEPT").

             

            In order to protect your changes from being overwritten by MWG, you can make the config file immutable:

            # chattr +i /etc/sysconfig/iptables

             

            Changes to Network Protection via the UI will not be applied to the configuration file after this! To make the config file writable again, use

            # chattr -i /etc/sysconfig/iptables

             

            Cya, Ed
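The following shell script is an added example and is not from the thread or from McAfee; it carries out what tyger's reply describes (adding "-A INPUT -p 112 -j ACCEPT" to an iptables-save style /etc/sysconfig/iptables) in a way that can be run repeatedly without duplicating the rule. It assumes the file has a *filter table terminated by COMMIT and inserts the VRRP rule just before that COMMIT, so it is appended to INPUT after whatever Network Protection generated. The sample ruleset it operates on is constructed for the demo, not real MWG output, and the chattr step is only mentioned in a comment because it needs root and an ext filesystem.

```shell
#!/bin/sh
# Added example, not part of the thread: persist the VRRP accept rule by editing
# an iptables-save format file (e.g. /etc/sysconfig/iptables) idempotently.
# Assumption: the file contains a *filter table terminated by COMMIT.
# The file path is a parameter so the script can be tried on a copy first.

VRRP_RULE='-A INPUT -p 112 -j ACCEPT'   # IP protocol 112 is VRRP

# has_vrrp_rule FILE : succeeds if the exact rule line is already present
has_vrrp_rule() {
    grep -Fxq -- "$VRRP_RULE" "$1"
}

# count_vrrp_rules FILE : prints how many times the rule appears (0 is allowed)
count_vrrp_rules() {
    grep -Fxc -- "$VRRP_RULE" "$1" || true
}

# add_vrrp_rule FILE : insert the rule before the *filter COMMIT, once only
add_vrrp_rule() {
    file="$1"
    if has_vrrp_rule "$file"; then
        return 0                          # already there, nothing to do
    fi
    # refuse to edit something that does not look like iptables-save output
    if ! grep -q '^\*filter$' "$file"; then
        echo "add_vrrp_rule: no *filter table in $file" >&2
        return 1
    fi
    awk -v rule="$VRRP_RULE" '
        /^\*/ { table = $1 }                         # remember the current table
        /^COMMIT$/ && table == "*filter" && !added { print rule; added = 1 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    # On the appliance you would now lock the file as tyger suggests:
    #   chattr +i "$file"
    # (not run here: needs root and an ext filesystem)
}

# make_sample_config FILE : write a constructed, minimal MWG-like ruleset
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample for the demo, not real MWG output
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
COMMIT
EOF
}

# demo : run the edit twice on a temporary copy to show it does not duplicate
demo() {
    tmp=$(mktemp)
    make_sample_config "$tmp"
    add_vrrp_rule "$tmp"
    add_vrrp_rule "$tmp"
    echo "rule count: $(count_vrrp_rules "$tmp")"
    cat "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh vrrp_rule.sh --demo` to see the resulting file; to use it on the appliance, call `add_vrrp_rule /etc/sysconfig/iptables` from a root shell and then apply the rule at runtime (for example by restarting the iptables service). Checking for the exact line before inserting is what keeps a second run, or a cron job, from stacking duplicate rules; refusing to edit a file without a *filter table avoids silently writing into something that is not the firewall configuration.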