2 Replies Latest reply on Dec 29, 2015 7:36 PM by btlyric

    Network Protection in MWG 7.5 Breaks ProxyHA

    clath13

      So I have my MWGs configured for ProxyHA. When I enable Network Protection, HA fails: my nodes go into conflict state. I have looked at http://www.ietf.org/rfc/rfc3768.txt and what this tells me is that VRRP is not really port based, which is all Network Protection uses (TCP or UDP). I have enabled ports 1-65535 between all nodes. How do you enable Network Protection without breaking the VRRP communication between nodes?

      Thanks,

      Claire

        • 1. Re: Network Protection in MWG 7.5 Breaks ProxyHA
          clath13

          According to McAfee, HA and Network Protection are mutually exclusive. Because VRRP is a protocol, there is no way to configure the proxies to talk to each other via VRRP through Network Protection. They have put an enhancement request in. I am not willing to use iptables at the OS level to do this, so I guess I will do it the old-fashioned way, through ACLs off the proxies. Seems a little silly. Seems even sillier when McAfee says "not too many people use Network Protection; are you sure you need it?" I will tell the assessor who dinged me that and see what he says.

          • 2. Re: Network Protection in MWG 7.5 Breaks ProxyHA
            btlyric

            Modifying iptables to handle this at the OS level ought to be relatively easy. We don't use proxy HA, but my guess is that MWG is utilizing keepalived. If my guess is correct, the following information should be accurate, but I highly recommend testing in a non-production environment.

            There are two main things that you need to permit:

            - multicast
            - the VRRP protocol (IP proto 112)

            MWG may overwrite the entries if you add them to /etc/sysconfig/iptables. Instead, add them to the /etc/init.d/iptables startup script. This modification will need to be re-applied after any upgrade activities.

            The core Network Protection configuration doesn't modify the FORWARD or OUTPUT portions of the configuration, so, assuming that your Network Protection configuration via the GUI is set to Input policy Drop and that the interface over which Proxy HA communicates is eth0, you can add the necessary entries after the "# Load additional modules (helpers)" line and before the "if [ -n "$IPTABLES_MODULES" ]; then" line:

            # Load additional modules (helpers)

            # INSERT MODIFICATION LINES HERE
            # permit multicast inbound on eth0 (224.0.0.0/4 is the whole IPv4
            # multicast range; VRRP advertisements are sent to 224.0.0.18)
            /sbin/iptables -I INPUT -i eth0 -d 224.0.0.0/4 -j ACCEPT
            # permit ip proto 112 (vrrp) inbound on eth0; insert (-I) rather than
            # append (-A) so the rule lands ahead of any drop rules
            /sbin/iptables -I INPUT -i eth0 -p 112 -j ACCEPT

            if [ -n "$IPTABLES_MODULES" ]; then

            You might be able to further tighten the multicast rule down by specifying a multicast source address in the keepalived configuration, but my guess is that MWG will overwrite that file if you modify the HA configuration, so that probably won't survive.
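The two rules from the reply above, wrapped in a small idempotent helper. This is an added example, not code from the original post and not part of MWG; it assumes keepalived-style VRRP on IPv4 (the reply's own guess), an iptables build that supports the `-C` check option, and that the caller passes the HA interface name (eth0 by default). The function, variable and command names (`vrrp_rule_specs`, `ensure_vrrp_rules`, `show_vrrp_rules`, `IPTABLES`, `apply`/`show`/`specs`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from MWG): idempotently apply
# the INPUT rules that let keepalived-style VRRP advertisements (IP protocol
# 112, sent to the multicast group 224.0.0.18) through an INPUT policy of
# DROP. Assumes IPv4 and an iptables that supports -C (rule check).

IPTABLES=${IPTABLES:-/sbin/iptables}

# Print one rule specification per line, without the -I/-C action, so the
# same text is used both to check for and to insert each rule.
vrrp_rule_specs() {
    iface=$1
    # 224.0.0.0/4 is the entire IPv4 multicast range and covers 224.0.0.18.
    echo "INPUT -i $iface -d 224.0.0.0/4 -j ACCEPT"
    # VRRP is its own IP protocol, neither TCP nor UDP, so port-based rules
    # (which is all Network Protection expresses) can never match it.
    echo "INPUT -i $iface -p 112 -j ACCEPT"
}

# Insert each rule at the top of INPUT unless it is already present, so the
# helper can be re-run (e.g. from the init script after an upgrade) without
# stacking duplicate rules.
ensure_vrrp_rules() {
    iface=$1
    vrrp_rule_specs "$iface" | while read -r spec; do
        # $spec is intentionally unquoted: it must expand to separate arguments.
        if ! $IPTABLES -C $spec 2>/dev/null; then
            $IPTABLES -I $spec || return 1
        fi
    done
}

# Quick post-change check: list whatever VRRP/multicast rules INPUT now holds.
show_vrrp_rules() {
    $IPTABLES -S INPUT | grep -E -- '-p 112|-d 224\.0\.0\.0/4' || true
}

case "${1:-}" in
    apply) ensure_vrrp_rules "${2:-eth0}" ;;
    show)  show_vrrp_rules ;;
    specs) vrrp_rule_specs "${2:-eth0}" ;;
esac
```

Run it as root with `sh vrrp_rules.sh apply eth0` on each node, then `sh vrrp_rules.sh show` to confirm both rules sit at the top of INPUT. To confirm the advertisements actually arrive, watch the HA interface with `tcpdump -ni eth0 ip proto 112` while the peer is up; if nothing shows, the drop is upstream of this host (a switch ACL or a missing multicast path), not iptables. The caveat in the reply still applies: where you place the call in /etc/init.d/iptables decides whether it survives a restart or an MWG upgrade.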