According to McAfee, HA and Network Protection are mutually exclusive. Because VRRP is a protocol, there is no way to configure the proxies to talk to each other via VRRP through Network Protection. They have put an enhancement request in. I am not willing to use iptables at the OS level to do this, so I guess I will do it the old-fashioned way through ACLs off the proxies. Seems a little silly. Seems even sillier when McAfee says "not too many people use Network Protection, are you sure you need it?" I will tell the assessor who dinged me that and see what he says.
Modifying iptables to handle this at the OS level ought to be relatively easy. We don't use proxy HA, but my guess is that MWG is utilizing keepalived. If my guess is correct, the following information should be accurate, but I highly recommend testing in a non-production environment.
There are two main things that you need to permit:
- the VRRP protocol (IP proto 112)
MWG may overwrite the entries if you add them to /etc/sysconfig/iptables. Instead, add them to the /etc/init.d/iptables startup script. This modification will need to be re-applied after any upgrade activities.
The core network protection configuration doesn't modify the FORWARD or OUTPUT portions of the configuration so assuming that your Network Protection configuration via the GUI is set to Input policy Drop and the interface over which Proxy HA is communicating is eth0, you can add the necessary entries after the #Load additional modules (helpers) line and before the if [ -n "$IPTABLES_MODULES" ]; then line:
# Load additional modules (helpers)
# INSERT MODIFICATION LINES HERE
# permit multicast inbound on eth0 (VRRP advertisements go to a multicast address;
# the destination below is the IPv4 multicast block, the address as posted was garbled)
/sbin/iptables -A INPUT -i eth0 -d 224.0.0.0/4 -j ACCEPT
# permit ip proto 112 (vrrp) inbound on eth0
/sbin/iptables -A INPUT -p 112 -i eth0 -j ACCEPT
if [ -n "$IPTABLES_MODULES" ]; then
You might be able to further tighten the multicast rule down by specifying a multicast source address in the keepalived configuration, but my guess is that MWG will overwrite that file if you modify the HA configuration, so that probably won't survive.
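Because the reply warns that the startup-script edit must be re-applied after every upgrade, the useful thing to automate is the check, not the edit. The script below is an added example, not code from the post or from McAfee/MWG: it reads an `iptables-save` dump on stdin, reports the INPUT policy, and fails when the HA interface lacks either the multicast accept or the protocol-112 accept. The dumps embedded in it are constructed samples in `iptables-save` format; `eth0`, the assumption that MWG's Network Protection uses a DROP policy on INPUT, and the helper names are mine.

```sh
#!/bin/sh
# Added example (not MWG's own code): confirm that a host whose Network
# Protection sets the INPUT policy to DROP still accepts what keepalived/VRRP
# needs on the HA interface. Input is `iptables-save` text on stdin, so the
# check can run against a dump copied off the appliance.

# Constructed sample shaped like `iptables-save` output after the two rules
# from the post were added for eth0. Note that iptables-save prints protocol
# 112 by its /etc/protocols name ("vrrp") and emits -d before -i, so the
# checks below must not depend on option order or on the numeric protocol.
SAMPLE_OK='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p vrrp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
COMMIT'

# Constructed sample of the same host after an upgrade rewrote
# /etc/init.d/iptables: the two VRRP-related accepts are gone.
SAMPLE_AFTER_UPGRADE='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9090 -j ACCEPT
COMMIT'

# input_policy: print the default policy of the INPUT chain (DROP, ACCEPT, ...).
input_policy() {
  sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p'
}

# count_input_accept IFACE TOKEN_REGEX: number of INPUT ACCEPT rules bound to
# IFACE (by -i) whose text also matches TOKEN_REGEX; reads a dump on stdin.
count_input_accept() {
  grep -E '^-A INPUT ' | grep -E -- " -i $1( |$)" | grep -E -- "$2" \
    | grep -c -- ' -j ACCEPT$' || true
}

# check_vrrp_rules IFACE: return 0 only when both the multicast accept and the
# VRRP (ip proto 112) accept exist for IFACE; reads a dump on stdin.
check_vrrp_rules() {
  iface="${1:-eth0}"
  dump=$(cat)
  mcast=$(printf '%s\n' "$dump" | count_input_accept "$iface" ' -d 224\.0\.0\.0/4 ')
  vrrp=$(printf '%s\n' "$dump" | count_input_accept "$iface" ' -p (vrrp|112) ')
  status=0
  [ "$mcast" -ge 1 ] || { echo "MISSING: multicast (224.0.0.0/4) accept on $iface" >&2; status=1; }
  [ "$vrrp" -ge 1 ]  || { echo "MISSING: VRRP (ip proto 112) accept on $iface" >&2; status=1; }
  return "$status"
}

# vrrp_rules_for IFACE: print the two commands to put back into
# /etc/init.d/iptables when the check above fails after an upgrade.
vrrp_rules_for() {
  iface="${1:-eth0}"
  printf '/sbin/iptables -A INPUT -i %s -d 224.0.0.0/4 -j ACCEPT\n' "$iface"
  printf '/sbin/iptables -A INPUT -i %s -p 112 -j ACCEPT\n' "$iface"
}

# Demonstration on the two constructed dumps. On a real host replace the
# printf with: iptables-save | check_vrrp_rules eth0
echo "INPUT policy: $(printf '%s\n' "$SAMPLE_OK" | input_policy)"
printf '%s\n' "$SAMPLE_OK" | check_vrrp_rules eth0 && echo "sample OK: VRRP rules present"
printf '%s\n' "$SAMPLE_AFTER_UPGRADE" | check_vrrp_rules eth0 \
  || { echo "post-upgrade sample: re-apply these lines:"; vrrp_rules_for eth0; }
```

Running `iptables-save | check_vrrp_rules eth0` from a post-upgrade checklist (or a cron job that alerts on a non-zero exit) catches the silent loss of the rules before the standby proxy stops seeing VRRP advertisements and both nodes try to claim the virtual IP.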