Got it
Huawei Enterprise Support Community
Community Forums Security
[Insider Sharing] Service...

[Insider Sharing] Service manage feature utilization caveat

Latest reply: Oct 2, 2018 13:01:29 1425 3 2 0 1
View the author 1#
Hi Guys, 

I would like to describe a funny situation that I encounter while I was trying to set up SNMP configuration on my USG6000 firewall. 

Here I have a loopback interface which is used as the source interface for traps, which works fine (SNMP 162 outbound). However, the firewall is rejecting every SNMP message (SNMP 161 inbound) sent by our NMS. Here you can see the Loopback 0 configuration, the snmp-agent configuration and the security policy rule that controls the incoming packets towards the firewall, as well as the ACL and the IP address sets used:   \\\ Sorry for the large amount of commands, I'm a CLI freak :) 

interface LoopBack0 
description INBAND_MGMT 
alias INBAND_MGMT_29004_FW 
ip address X.X.1.53 255.255.255.255 
ospf cost 1 
ospf network-type p2p

snmp-agent local-engineid 000007DB7F0000016FD75838 
snmp-agent community read  xxxxxxxxxxx
snmp-agent community write  xxxxxxxxxxx
snmp-agent sys-info contact xxxxxxx
snmp-agent sys-info location xxxxxxxxxxxxx
snmp-agent sys-info version v3 
snmp-agent group v3 v3group privacy  read-view v3view write-view v3view notify-view v3view acl  2020 
snmp-agent target-host trap address udp-domain x.x.30.6 params securityname xxxxxx v3  privacy 
snmp-agent target-host trap address udp-domain x.x.30.6 params securityname xxxxxx v3  privacy 
snmp-agent target-host trap address udp-domain x.x.16.6 params securityname xxxxxx v3  privacy 
snmp-agent target-host trap address udp-domain x.x.6.6  params securityname xxxxxx v3  privacy 
snmp-agent mib-view included v3view iso 
snmp-agent usm-user v3 xxxx v3group  authentication-mode sha xxxxxxxxxx
snmp-agent trap enable ipsec 
snmp-agent trap enable l2tp 
snmp-agent trap enable configuration 
snmp-agent trap enable system 
snmp-agent trap enable standard 
snmp-agent trap enable srm 
snmp-agent trap source LoopBack0 

acl number 2020  
rule 5 permit source xx.x.6.0 0.0.0.255 
rule 10 permit source x.x.22.0 0.0.0.255 
rule 15 permit source x.x.30.0 0.0.0.255 
rule 100 deny 

rule name "INBOUND MGMT UNTRUST > LOCAL" 
policy logging 
source-zone untrust 
destination-zone local 
source-address address-set INBOUND_MGMT  
action permit 

[core]display ip address-set verbose INBOUND_MGMT item 
08:18:00  2016/06/02 
Address-set: INBOUND_MGMT 
Type: object 
Item number(s): 1 
Reference number(s): 2 
Item(s): 
address 0 x.x.30.0 mask 24 

[core]display ip address-set verbose 41  item 
08:18:27  2016/06/02 
Address-set: 41 
Type: group x
Item number(s): 2 
Reference number(s): 2 
Item(s): 
address 0 address-set NMS 
address 1 address-set NMS2 

[core]display ip address-set verbose NMS item 
08:18:47  2016/06/02 
Address-set: NMS 
Type: object 
Item number(s): 1 
Reference number(s): 1 
Item(s): 
address 0 x.x.6.16 mask 32 

[core]display ip address-set verbose NMS2 item 
08:18:51  2016/06/02 
Address-set: NMS2 
Type: object 
Item number(s): 1 
Reference number(s): 1 
Item(s): 
address 0 x.x.6.17 mask 32 
Firewall version

display version 
12:04:39  2016/06/03 
Huawei Versatile Security Platform Software 
Software Version: USG6600 V100R001C30  (VRP (R) Software, Version 5.30) 
Copyright (C) 2013-2015 Huawei Technologies Co., Ltd.. 
USG6650 uptime is 4 weeks, 3 days, 1 hour, 11 minutes 

So everything looks great, but when I'm trying to walk the firewall OIDs, I'm getting a big TIMEOUT. So what's the problem? Dr. WoW can you help me? 

[root@nmS ~]# snmpwalk -v3 -l authPriv -u xxxxx -x AES -X xxxxxx -a SHA -A xxxxxx x.x .1.53:161 IF-MIB::ifAlias 
snmpwalk: Timeout 

Let me show you how I start my investigations:

1. Test ping and SSH connection from my NMS to the firewall.  It looks like it's working. 
[root@nms ~]# ping x.x.1.53 
PING x.x.1.53 (x.x.1.53) 56(84) bytes of data. 
64 bytes from x.x.1.53: icmp_seq=1 ttl=252 time=6.40 ms 
64 bytes from x.x.1.53: icmp_seq=2 ttl=252 time=6.27 ms 

--- x.x.1.53 ping statistics --- 
5 packets transmitted, 5 received, 0% packet loss, time 4005ms 
rtt min/avg/max/mdev = 5.939/6.173/6.409/0.204 ms 
[root@nms ~]# telnet x.x.1.53 22 
Trying x.x.1.53... 
Connected to x.x.1.53.

2. Check the firewall session table, there is nothing related to SNMP. This means that the SNMP get is not reaching the firewall OR the firewall is dropping the packets before setting a session. 
3. At this point I decided to enable firewall traffic statistics to find whether the firewall is dropping packets. How to do this? 

A. Create an ACL to match the communication flow between NMS and USG. 

#                                                                                                                                   
acl number 3999                                                                                                                     
rule 10 permit ip source x.x.30.6 0 destination x.x.1.53 0                                                                  
rule 20 permit ip source x.x.1.53 0 destination x.x.30.6 0                                                                  
#  

B. Enable statistics on the firewall. 

<HUAWEI>system-view                                                                                                                 
14:26:41  2016/06/03                                                                                                                
Enter system view, return user view with Ctrl+Z.                                                                                    
[HUAWEI]diag                                                                                                                        
[HUAWEI]diagnose  
[HUAWEI-diagnose]firewall statistic acl 3999 enable 

C. Try walking the OID again against the firewall. 

D. Check the firewall statistics, collect the output
[HUAWEI-diagnose]display firewall statistic acl  

E. Close statistics. 
[HUAWEI-diagnose]undo firewall statistic                                                                                            
14:29:58  2016/06/03                                                                                                                
Stop the ACL statistic  

So what's there interesting fact I discover in the firewall traffic statistics logs?

the following error, 
...........
Discard detail information: 
  IF_SERVICE_MANAGER_PACKET_FILTER:     6 
............

means that interface service manage module is dropping the packets. 
So let's analyze a little bit deeper:

The firewall loopback interface is routed to my core network via the vlan interface 999. 
interface Vlanif999
ip address x.x.1.1 255.255.255.252 
ospf cost 1 
ospf bfd enable 
service-manage https permit 
service-manage ping permit 
service-manage ssh permit 
#

I decided to consider the alarm from firewall statistics and enable "service-manage snmp permit" under this vlan interface. 

Surprize, the SNMP walk started to work, but checking the firewall session table it shows the traffic flow is not matching any security policy. So, let's put all the information together. 

With the initial service manage configuration, we can consider that there is a command that is denying all the SNMP traffic coming towards the vlan interface
interface Vlanif999
ip address x.x.1.1 255.255.255.252 
ospf cost 1 
ospf bfd enable 
service-manage https permit 
service-manage ping permit 
service-manage ssh permit 
servide-manage SNMP deny
#

As soon as you enable SNMP all this type traffic will bypass security policy engine and will be processed further. 
It's best to disable the service manage function and let firewall process the incoming SNMP traffic through the configured security policies. 
<sysname> system-view 
[sysname] interface Vlanif999
[sysname-Vlanif999]undo service-manage enable 

"Service-manage enable" commands are only used to quickly configure, SSH, Telnet, HTTPS access to firewall in order to avoid configuring security policy, just for easy management. A firewall should control all the incoming traffic flows through security policies, which finally offers better granularity, control and security.

I hope you enjoy reading this. Cheers!

Like (2) Dislike (0) Favorite(1) Share Report
Previous: USG6330 tracert
Next: URL Filtering USG
(0) (0)
2#
Terry_Liusunning
Created Apr 12, 2018 06:27:18

Wow, GREAT!
View more
  • x
  • convention:
(0) (0)
3#
w1
Created Apr 13, 2018 14:35:27

Good, versy helpful
View more
  • x
  • convention:
(0) (0)
4#
Luke_WiFi_Walker
Created Oct 2, 2018 13:01:29

Great post, thank you for the information [Insider Sharing] Service manage feature utilization caveat-2768413-1
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.