3 Replies Latest reply on May 26, 2015 7:58 AM by b374

    Need help with SMC iptables

    b374

      Our support resource has not been much help to us here so I have decided to turn to the community for help.


      We have installed an SMC (Security Management Center) on CentOS 7 x86_64 along with a 1065-1-C1 NGFW appliance for purposes of testing functionality and workflow before purchasing the product.


      The issue that we are having is that whenever we configure iptables to allow communication from the SMC to the NGFW we lose all connectivity.  We have gone through the installation documentation and have reviewed the ports that are stated to be required.  The solution that we were given from PreSales was to disable iptables in order to gain functionality of the solution.  That however is unacceptable considering that we are testing the product how we will be using it in a production environment.


      My question to everyone here is what ports actually need to be open in iptables to allow the solution to function?

        • 1. Re: Need help with SMC iptables
          thyvarin

          Hi,


          Ports needed are the ones reported in the Administrator's Guide and online help:

          Security Engine Ports


          To allow communication between NGFW engines and SMC servers, the following ports need to be opened on the SMC:


          Outbound from management server to NGFW engines:

          636 -- LDAPS -- for internal user database replication

          4950 -- remote upgrade -- to allow remotely upgrading engines via SMC

          4987 -- management connection -- used for sending commands from SMC to engine

          15000 -- blacklisting -- to send blacklist entries from SMC to engines (I'm not 100% sure this is still used or if the mgmt connection is used for this)


          Inbound from NGFW engines to management server:

          3021 -- initial contact -- used for establishing management contact to get certificate for engine

          3023 -- backup log connection

          8906 -- reverse management connection -- management connection used when FW engine has e.g. dynamic IP address on control interface or if single node is configured with "Node-Initiated Contact to Management Server" setting (should be used only when FW is behind dynamic NAT)


          Inbound from NGFW engines to log server:

          3020 -- log connection -- used by engines to send logging and status monitoring data to log server


          I of course don't know how you tried configuring the iptables rules on your Linux SMC server, but I do remember seeing problems with SMC installed on Windows, where allowing traffic based on the services in Windows Firewall wasn't enough -- instead you had to allow connections based on the ports used. I'm not much of an iptables expert, so I'm not sure if it's even possible in iptables to allow connections based on service, but I don't see any reason why adding iptables rules based on port would not work.


          BR,

          Tero

          • 2. Re: Need help with SMC iptables
            thyvarin

            Hi,


            I also tested with a lab SMC running 5.8.3 on 64-bit CentOS 6.5 that everything works with proper iptables rules. These rules should be enough to allow inbound connectivity to the SMC:


            iptables -A INPUT -p tcp --dport 3020:3023 -j ACCEPT

            iptables -A INPUT -p tcp --dport 8080:8081 -j ACCEPT

            iptables -A INPUT -p tcp --dport 8902:8929 -j ACCEPT

            iptables -A INPUT -p tcp --dport 8988:8989 -j ACCEPT


            I also added the following rules for 3rd party device monitoring:


            iptables -A INPUT -p udp --dport 5162 -j ACCEPT

            iptables -A INPUT -p udp --dport 5514 -j ACCEPT

            iptables -A INPUT -p udp --dport 2055 -j ACCEPT


            BR,

            Tero
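As an added example (not part of Tero's reply or of the SMC documentation), the script below turns the port list from the two replies above into an INPUT ruleset that only accepts those ports from a stated engine subnet, and includes a small check that tells you whether a given port is actually covered by the TCP ranges, which is the kind of "one port missed" mistake described later in this thread. The engine subnet value, the print-instead-of-apply design and the `port_covered` helper are this example's own assumptions; the port numbers themselves are the ones quoted in the replies.

```shell
#!/bin/sh
# Added example: generate a source-restricted iptables INPUT ruleset for an SMC host.
# Port numbers come from the thread; ENGINE_NET and the helpers are assumptions
# of this example. Rules are printed, not applied, so they can be reviewed first.

# TCP ports that NGFW engines open toward the SMC (management + log server), from reply 2.
SMC_TCP_PORTS="3020:3023 8080:8081 8902:8929 8988:8989"
# Optional UDP ports for third-party device monitoring, from reply 2.
MONITOR_UDP_PORTS="5162 5514 2055"

# smc_rules ENGINE_NET [yes]
# Prints one iptables command per line. Unlike the rules in the thread, every
# NEW connection is limited to the engine subnet, and replies are handled by a
# single conntrack rule so outbound SMC->engine connections (4950, 4987, ...) still work.
smc_rules() {
    net="$1"
    monitor="${2:-no}"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $SMC_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp -s $net --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    if [ "$monitor" = "yes" ]; then
        for p in $MONITOR_UDP_PORTS; do
            echo "iptables -A INPUT -p udp -s $net --dport $p -j ACCEPT"
        done
    fi
}

# count_rules ENGINE_NET [yes]: number of ACCEPT rules emitted, for a sanity check.
count_rules() {
    smc_rules "$@" | grep -c -- '-j ACCEPT'
}

# port_covered PORT: exit 0 if PORT falls inside one of the SMC_TCP_PORTS ranges.
# Use it to confirm that every inbound port from the Administrator's Guide is covered.
port_covered() {
    port="$1"
    for r in $SMC_TCP_PORTS; do
        lo=${r%%:*}
        hi=${r##*:}
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Usage (192.0.2.0/24 is a constructed documentation subnet):
#   smc_rules 192.0.2.0/24 yes          # review, then pipe to sh to apply
#   port_covered 8906 && echo covered   # reverse management connection
```

Note that `port_covered` answers only for inbound engine-to-SMC ports; 4950 and 4987 are outbound from the SMC and are served by the ESTABLISHED,RELATED rule rather than by a `--dport` entry, so the check reports them as not covered by design.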

            • 3. Re: Need help with SMC iptables
              b374

              We had missed one service port due to dyslexia.  That is always irritating.  But thank you, Tero, for your input; it was correct, and now there is some documentation that is hopefully easily found on the forum.