PhilM Champion 528 posts since
Jan 7, 2010
Jan 4, 2012 4:40 AM

Intrazone forwarding

I have to confess I am still finding it difficult to understand, configure, and implement intrazone (formerly intraburb) forwarding successfully on MFE v8.

Why the very easy, single checkbox, setting in v6 was ever removed is a complete mystery to me.

Anyway, the basic scenario I am working with is that MFE has a number of static routes configured and I wish for any client machine using MFE as its default gateway to be able to benefit from these routes. As mentioned, in v6 and earlier all that was required was to check the "Intra-burb packet forwarding" setting against the internal burb entry and that was that.

In v7 it was necessary to create a custom packet filter service and use this to enable intraburb forwarding, and then create a second service which was then used in an access rule.

As far as v8 is concerned, KB article KB70885 provides us with the CLI command

cf agent modify name='TCP/UDP Packet Filter' intrazone_forwarding=yes

but then goes on to say nothing more than "Intrazone forwarding now works for TCP/UDP filters". Previous discussion threads have indicated that in v8 it is still necessary to create the access rule (along the same lines as v7), but not necessarily how that rule should be constructed.

I've tried source zone=internal, destination zone=internal, application=<Any>, action=Allow, and if the rule is placed anywhere before the Administration group I find myself promptly kicked out of the Admin Console. If placed after the Administration rule group it doesn't stop you from accessing the Firewall, but other things such as site-to-site VPNs then stop working.

So, rather than continue to speculate or experiment, as I did when I last came up against this hurdle (see thread from June 2011 on the same subject), do any of the McAfee guys in this community have a template for how this rule should be constructed to allow the Firewall to serve its static routes to client machines on the internal zone, and where best to place this rule in the rule set to stop it from causing all manner of problems with other services?

Many Thanks.

Phil.

  • mtuma McAfee SME 314 posts since
    Nov 3, 2009
    1. Jan 6, 2012 3:25 PM (in response to PhilM)
    Re: Intrazone forwarding

    Hello Phil,

    You are absolutely correct, you have outlined the differences between versions 6, 7 and 8 for the intra-burb or intra-zone forwarding option.

    I can confirm that you are creating your rule correctly after turning the intrazone_forwarding option on. As you have noticed, if you place this "intra-zone" rule above your Admin Console rule, the "intra-zone" rule picks up your Admin Console traffic and you are not able to connect. I definitely recommend putting your Admin Console rule at the top (ideally just place the "Administration" rule group at the top if possible).

    I have not heard of the second scenario where the VPNs stopped working, though, if you think about it logically, if the ISAKMP port 500 or port 4500 traffic hits your intra-zone rule instead of the ISAKMP rule, I can see why it would fail. Have you tried to put the ISAKMP rule at the top as well (or at least above the intra-zone rule)?

    To alleviate any issues, I guess the best bet is to put the intra-zone rule at the bottom of your policy, just above the Deny All.

    Hope this helps.

    -Matt
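The first-match behaviour Matt describes, as an added example that is not part of the thread or McAfee's code: an ordered, zone-based rule set is evaluated top-down, so a broad internal-to-internal "Any" rule placed above the Administration or ISAKMP rules takes their traffic. Rule names, zone names, the Admin Console port and the sample flows are constructed for the demo; only the ISAKMP ports 500/4500 come from the thread.

```python
# Added example, not McAfee code: first-match evaluation of an ordered rule set,
# used to check which rule "grabs" the Admin Console and ISAKMP flows.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str          # zone name, or "any"
    dst_zone: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any destination port
    action: str            # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
        return (self.src_zone in ("any", src_zone)
                and self.dst_zone in ("any", dst_zone)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

def first_match(rules, src_zone, dst_zone, proto, dport) -> Optional[Rule]:
    """Rules are evaluated top-down; the first hit wins (None = implicit deny)."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, proto, dport):
            return rule
    return None

# Constructed policy entries. The intrazone filter rule is internal->internal, any app.
INTRAZONE = Rule("Intrazone forward", "internal", "internal", "any", None, "allow")
ADMIN     = Rule("Admin Console",     "internal", "internal", "tcp", 9003, "allow")  # port assumed
ISAKMP    = Rule("ISAKMP",            "any",      "any",      "udp", 500,  "allow")
NAT_T     = Rule("ISAKMP NAT-T",      "any",      "any",      "udp", 4500, "allow")
DENY_ALL  = Rule("Deny All",          "any",      "any",      "any", None, "deny")

# Constructed flows that must keep reaching their own rule (VPN assumed to
# terminate in the internal zone, which is the case the thread is discussing).
FLOWS = {
    "admin_console": ("internal", "internal", "tcp", 9003),
    "isakmp":        ("internal", "internal", "udp", 500),
    "nat_t":         ("internal", "internal", "udp", 4500),
}

def who_grabs(rules) -> dict:
    """Map each flow to the name of the rule that handles it under this ordering."""
    out = {}
    for flow, args in FLOWS.items():
        hit = first_match(rules, *args)
        out[flow] = hit.name if hit else None
    return out

BAD_ORDER  = [INTRAZONE, ADMIN, ISAKMP, NAT_T, DENY_ALL]   # intrazone rule on top
GOOD_ORDER = [ADMIN, ISAKMP, NAT_T, INTRAZONE, DENY_ALL]   # just above Deny All

def ordering_is_safe(rules) -> bool:
    """True when the intrazone filter rule grabs none of the essential flows."""
    return INTRAZONE.name not in who_grabs(rules).values()
```

Running `who_grabs(BAD_ORDER)` shows every essential flow landing on the intrazone rule, while `GOOD_ORDER` routes each to its own rule and still lets the intrazone rule serve everything else before Deny All.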

  • gooru4speed Apprentice 130 posts since
    Jul 4, 2009
    3. May 2, 2013 1:07 PM (in response to PhilM)
    Re: Intrazone forwarding

    Hello Phil, did you receive any response from Matt about the subject?

  • mtuma McAfee SME 314 posts since
    Nov 3, 2009
    5. May 6, 2013 2:05 PM (in response to PhilM)
    Re: Intrazone forwarding

    Hello,

    It's been a while since I have looked at this.

    From reading this again, it seems the concern is that the intrazone forwarding rule, placed above an administration rule, conflicts with it and prevents the administration rule from functioning. There really is no magic way of configuring a rule like this. The key is in the ordering of the rules. If you put an "<any>" service rule with source zone of any and dest zone of any, that rule will "grab" your Administration traffic and not be able to process it properly because it is simply a filter rule. To prevent this rule from conflicting, put it below your administration rule, or somehow configure the rule so that it does not "grab" your Administration traffic. It appears that Phil has locked his rule down to subnets instead of any to prevent the administration traffic from hitting the intrazone rule.

    -Matt

  • mtuma McAfee SME 314 posts since
    Nov 3, 2009
    7. May 7, 2013 2:40 PM (in response to PhilM)
    Re: Intrazone forwarding

    Interesting. Ok, can you tell me where you have terminated your VPN? Was it in the internal zone or virtual?

    -Matt

  • gooru4speed Apprentice 130 posts since
    Jul 4, 2009
    9. May 8, 2013 6:59 AM (in response to PhilM)
    Re: Intrazone forwarding

    From a security standpoint it was always advised to terminate VPN tunnels on a virtual zone in order to allow inspection and enforce policies for remote users. I'm sure you know that Phil, can you tell me why your company decided to terminate tunnels on the inside zone?

    Regards,

    JR
