The customer has the following topology. He opened a ticket because, although he enabled service-manage https on Vlanif202 on both firewalls, he was able to connect via the WebUI only to Firewall B.
Active device (Firewall A) configuration. The interface headers were missing from the pasted output and are restored here from the text, which places 192.168.202.247 on Vlanif202 and the 10.255.1.28/29 address on GigabitEthernet0/0/1:
interface Vlanif202
 ip address 192.168.202.247 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.202.254 active
 service-manage https permit
 service-manage ping permit
#
interface GigabitEthernet0/0/1
 ip address 10.255.1.28 255.255.255.248
 vrrp vrid 2 virtual-ip 10.255.1.30 active
 service-manage ping permit
We configured traffic statistics on Firewall A and saw that Firewall A drops the packets because the service-manage policy is missing.
The service-manage check requires that, when the inbound interface of the management packets is not the managed (destination) interface, the service is also permitted with service-manage on the inbound interface.
Although the problem was fixed, the customer still wanted an explanation of why Firewall A needs service-manage on both GigabitEthernet0/0/1 and Vlanif202, while on Firewall B it is enough to enable it on Vlanif202 only.
1. The customer wants to access FW_A.
a) Packet flow:
- The packet arrives at the router. The router looks up its IP routing table; the next hop is 10.255.1.30 (the VRRP virtual IP of vrid 2).
- Since 10.255.1.30 is owned by FW_A (the VRRP active device), the packet arrives at FW_A.
- The destination is 192.168.202.247, the physical address of Vlanif202 on FW_A.
- The inbound interface is GigabitEthernet0/0/1.
- The destination interface is Vlanif202 => service-manage https permit is needed on both interfaces.
b) Packet flow when the customer wants to access FW_B:
- The packet arrives at the router. The router looks up its IP routing table; the next hop is again 10.255.1.30 (same as in the first case).
- The packet again arrives at FW_A, but this time the destination is 192.168.202.248, the physical IP address of Vlanif202 on FW_B.
- FW_A looks in its routing table and sees that the destination is not one of its own addresses but a host on the directly connected VLAN 202.
- It forwards the packet into VLAN 202, since it knows 192.168.202.248 is in that VLAN.
Conclusion: FW_B receives the packet from FW_A
- Inbound interface: Vlanif202
- Destination: the Vlanif202 IP address => service-manage is needed only on Vlanif202, since it is both the inbound and the destination interface.
The customer needs to add service-manage https permit on GigabitEthernet0/0/1 of both firewalls. Even though it is not needed on Firewall B today, if Firewall A goes out of service Firewall B becomes the VRRP active device and receives the management packets on its own GigabitEthernet0/0/1; without the permit there, he will be unable to connect to Firewall B.
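To make the rule concrete, here is a small Python model of the two packet flows and of the failover case. It is an added example, not Huawei code or the customer's configuration: firewalls, interfaces and routing are reduced to the one rule this case turns on (service-manage is checked on the managed interface and, when the packet came in elsewhere, on the inbound interface too). Addresses and interface names are those from the case; FW_B's GigabitEthernet0/0/1 address 10.255.1.29 and all function names are assumptions.

```python
"""Added example: a minimal model of the service-manage check in this case.
Not Huawei code. Addresses and interface names come from the case text;
FW_B's GigabitEthernet0/0/1 address (10.255.1.29) is an assumption.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Interface:
    name: str
    ip: str                                              # "address/prefixlen"
    permitted: Set[str] = field(default_factory=set)     # service-manage permits
    vrrp_vip: Optional[str] = None                       # VRRP virtual IP, if any

    @property
    def address(self) -> ipaddress.IPv4Address:
        return ipaddress.ip_interface(self.ip).ip

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.ip).network


@dataclass
class Firewall:
    name: str
    interfaces: List[Interface]
    vrrp_active: bool = False                            # owns the VRRP virtual IPs

    def iface_named(self, name: str) -> Interface:
        return next(i for i in self.interfaces if i.name == name)

    def iface_with_ip(self, dst: ipaddress.IPv4Address) -> Optional[Interface]:
        return next((i for i in self.interfaces if i.address == dst), None)

    def iface_for_subnet(self, dst: ipaddress.IPv4Address) -> Optional[Interface]:
        return next((i for i in self.interfaces if dst in i.network), None)

    def handle(self, inbound: Interface, dst: ipaddress.IPv4Address,
               service: str) -> Tuple[str, str]:
        """What this firewall does with a management packet received on
        `inbound` for `dst`: ("forward" | "drop" | "permit", reason)."""
        target = self.iface_with_ip(dst)
        if target is None:
            return "forward", f"{self.name}: {dst} is not a local address"
        # service-manage is checked on the managed (destination) interface
        # and, if the packet arrived on another interface, on that one too.
        checked = [target] if target is inbound else [target, inbound]
        missing = [i.name for i in checked if service not in i.permitted]
        if missing:
            return "drop", f"{self.name}: service-manage {service} missing on {', '.join(missing)}"
        return "permit", f"{self.name}: {service} accepted on {target.name} via {inbound.name}"


def build(fw_a_gi_https: bool = False, fw_b_gi_https: bool = False,
          active: str = "FW_A") -> Tuple[Firewall, Firewall]:
    """Both firewalls as in the case. The flags add 'service-manage https
    permit' under GigabitEthernet0/0/1; `active` selects the VRRP active box."""
    def gi(addr: str, https: bool) -> Interface:
        services = {"ping", "https"} if https else {"ping"}
        return Interface("GigabitEthernet0/0/1", addr, services, vrrp_vip="10.255.1.30")

    def vlan(addr: str) -> Interface:
        return Interface("Vlanif202", addr, {"ping", "https"}, vrrp_vip="192.168.202.254")

    fw_a = Firewall("FW_A", [vlan("192.168.202.247/24"), gi("10.255.1.28/29", fw_a_gi_https)],
                    vrrp_active=(active == "FW_A"))
    fw_b = Firewall("FW_B", [vlan("192.168.202.248/24"), gi("10.255.1.29/29", fw_b_gi_https)],
                    vrrp_active=(active == "FW_B"))
    return fw_a, fw_b


def manage(fw_a: Firewall, fw_b: Firewall, dst: str, service: str = "https") -> Tuple[str, str]:
    """Replay one WebUI packet from the router to `dst` through the topology."""
    target = ipaddress.ip_address(dst)
    # Router: next hop for 192.168.202.0/24 is the VRRP VIP 10.255.1.30, so the
    # packet reaches whichever firewall is VRRP active, on its Gi0/0/1.
    first = fw_a if fw_a.vrrp_active else fw_b
    peer = fw_b if first is fw_a else fw_a
    decision, why = first.handle(first.iface_named("GigabitEthernet0/0/1"), target, service)
    if decision != "forward":
        return decision, why
    # Not a local address: the active firewall routes it out of its connected
    # VLAN 202 interface and the peer receives it on its own Vlanif202.
    out = first.iface_for_subnet(target)
    if out is None:
        return "drop", f"{first.name}: no route to {target}"
    return peer.handle(peer.iface_named(out.name), target, service)


if __name__ == "__main__":
    fw_a, fw_b = build()                                  # customer's original configuration
    print(manage(fw_a, fw_b, "192.168.202.247"))          # FW_A: drop, https missing on Gi0/0/1
    print(manage(fw_a, fw_b, "192.168.202.248"))          # FW_B: permit, Vlanif202 is inbound and destination
    fw_a, fw_b = build(fw_a_gi_https=True, active="FW_B") # FW_A failed over, FW_B now active
    print(manage(fw_a, fw_b, "192.168.202.248"))          # FW_B: drop until its Gi0/0/1 also permits https
```

The third call is the failover scenario from the conclusion: once FW_B owns the VIP, the packet for FW_B enters on its GigabitEthernet0/0/1 rather than on Vlanif202, so the same two-interface rule that bit FW_A now applies to FW_B.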