Management via HTTPS

Created: Aug 20, 2019 19:39:30 | Latest reply: Aug 21, 2019 17:45:49
Rewarded Hi-coins: 0 (problem resolved)

I have a query regarding the management of a USG6330. We have a WAN interface to which we have assigned a fixed IP; on this interface we have not enabled any type of access (HTTP, HTTPS, SSH, TELNET).

If we have not authorized the HTTPS service on this IP, why can I still get there?

All Answers
IbrYsf Created Aug 21, 2019 01:37:02

Hi @Wissal,

Is this real IP being accessed from the LAN or from the Internet?

I see you unchecked all management access protocols; that should prevent access from the Internet.

From the LAN, I guess routing will forward your traffic, together with the security policy configured to allow access from the LAN to the Internet.

chenhui (Admin) Created Aug 21, 2019 01:57:08

@wissal hello,
are you trying to figure out why you are allowed to access the firewall through the web GUI even though the HTTPS and HTTP services are disabled on this interface?

wissal (MVE) Created Aug 21, 2019 05:41:35

Posted by chenhui at 2019-08-20 18:57: "@wissal hello, are you trying to figure out why you are allowed to access the firewall through web G ..."
@chenhui hello,
I don't want to be able to reach it in any way. My question is: I have not selected any type of service, so why does it let me get there?
Peterhof Created Aug 21, 2019 08:07:09

Hello!
I just checked my USG 6330, and it works the same way. Packet tracer says that the packets are delivered to 127.0.0.1 in the local zone of the USG. I think the only way to prohibit that is to implement a security policy which blocks the packets from the LAN to the WAN IP. But I am not sure how the device will react to that configuration.
chenhui (Admin) Created Aug 21, 2019 09:20:02

Posted by wissal at 2019-08-21 05:41: "@chenhui hello, I don't want to be able to reach him in any way. The query is yes I do not have se ..."
hi,
the traffic will be directed to the device by default; if you want to block the traffic totally, you can use a security policy to deny this traffic.
If you mean you can access the firewall through the web GUI while HTTPS and HTTP are disabled, you are kindly advised to check the configuration for any corresponding configuration that allows this traffic.

IbrYsf Created Aug 21, 2019 12:19:36

Interface access control takes precedence over security policies.
This means that an administrator can use an access control-enabled interface to access the FW even if no security policy is configured for communication between the zone of the interface and the local zone.

I believe that it would be a routing issue, as mentioned earlier.

IbrYsf Created Aug 21, 2019 12:25:15

Although you are advised, as @chenhui posted, to create a "security policy to deny this traffic", @wissal, please let us know if you are accessing from the LAN or from the Internet.
wissal (MVE) Created Aug 21, 2019 17:45:49

Hello,
@IbrYsf @chenhui

First of all, I want to thank my friends IbrYsf & chenhui for the support.

Make some access attempts to the public address, then execute the commands:

display firewall session table verbose destination global 200.x.x.x source global x.x.x.x
display firewall session table verbose destination global 200.x.x.x source global x.x.x.x protocol http

- The first address is the public IP of the USG.
- The second address is where the access comes from, the test PC.

If there is any session, identify which interface the request is arriving on and which policy allows it.
If there is no session, check with the command:

display firewall session table verbose source global x.x.x.x

- Put the IP from which you are communicating with the USG.

It is possible that your requests are arriving on the LAN and not on the WAN.
If the test PC is on the same network as the USG, the request for access to its public address will arrive not through the public interface but through some other interface on which you may have the HTTP service allowed.
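Wissal's procedure above reads the session table by hand. The script below is an added example, not code from the thread or from Huawei: it parses a constructed listing in the general shape of the `display firewall session table verbose` output (field labels, interface names, addresses, zones and the policy name are all assumed) and reports, for each session that terminates on the firewall's own public IP on port 80 or 443, the receiving interface, the zone pair and the permitting policy, which is exactly what shows whether the request came in via the LAN instead of the WAN.

```python
import re

# Constructed sample in the general shape of a USG "display firewall session table
# verbose" listing; the field labels and layout are assumed, not copied from a device.
SAMPLE = """\
 http  VPN: public --> public  ID: 1
 Zone: trust --> local  TTL: 00:10:00  Left: 00:09:58
 Recv Interface: GigabitEthernet1/0/1
 Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 0000-0000-0000
 192.168.10.25:51234 --> 200.0.0.10:443 PolicyName: lan_to_internet
 dns  VPN: public --> public  ID: 2
 Zone: trust --> untrust  TTL: 00:00:30  Left: 00:00:12
 Recv Interface: GigabitEthernet1/0/1
 Interface: GigabitEthernet1/0/0  NextHop: 200.0.0.1  MAC: 0000-0000-0001
 192.168.10.25:40000 --> 8.8.8.8:53 PolicyName: lan_to_internet
"""

START = re.compile(r"^\s*(\S+)\s+VPN:")                 # first line of each record
ZONE = re.compile(r"Zone:\s*(\S+)\s*-->\s*(\S+)")
RECV = re.compile(r"Recv Interface:\s*(\S+)")
FLOW = re.compile(r"([\d.]+):(\d+)\s*-->\s*([\d.]+):(\d+)\s+PolicyName:\s*(\S+)")

def parse_sessions(text):
    """One dict per session: protocol, zones, ingress interface, endpoints, policy."""
    sessions, cur = [], None
    for line in text.splitlines():
        if m := START.match(line):
            cur = {"proto": m.group(1)}
            sessions.append(cur)
        elif cur is None:
            continue                      # ignore any banner text before the first record
        elif m := ZONE.search(line):
            cur["src_zone"], cur["dst_zone"] = m.groups()
        elif m := RECV.search(line):
            cur["recv_if"] = m.group(1)
        elif m := FLOW.search(line):
            cur["src"], _, cur["dst"], dport, cur["policy"] = m.groups()
            cur["dport"] = int(dport)
    return sessions

def management_hits(sessions, fw_ip, ports=(80, 443)):
    """Sessions ending on the firewall's own IP and a web-management port; a 'local'
    destination zone is what marks traffic delivered to the box itself."""
    return [s for s in sessions
            if s.get("dst") == fw_ip and s.get("dport") in ports and s.get("dst_zone") == "local"]

if __name__ == "__main__":
    for s in management_hits(parse_sessions(SAMPLE), "200.0.0.10"):
        print(f"{s['proto']} from {s['src']} arrived on {s['recv_if']} "
              f"({s['src_zone']} -> {s['dst_zone']}), permitted by policy {s['policy']}")
```

On a real device, paste the command output into `SAMPLE` (or read it from a file) and adjust the regexes if the firmware's field labels differ from the assumed ones.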
