Comware Based

MSR1002-4 Zone firewall

 
Rob_Dean
Advisor

MSR1002-4 Zone firewall

Hi

I'm trying to set up a zone firewall on a MSR1002-4, following these instructions from the Comware 7 guide.

# Add interface GigabitEthernet 1/0/1 to security zone Trust.
<Device> system-view
[Device] security-zone name trust
[Device-security-zone-Trust] import interface gigabitethernet 1/0/1
[Device-security-zone-Trust] quit

# Add interface GigabitEthernet 1/0/3 to security zone Untrust.
[Device] security-zone name untrust
[Device-security-zone-Untrust] import interface gigabitethernet 1/0/3
[Device-security-zone-Untrust] quit

# Configure ACL 3500 to permit IP traffic.
[Device] acl advanced 3500
[Device-acl-ipv4-3500] rule permit ip
[Device-acl-ipv4-3500] quit

 

When I add the interface (in my instance Vlan-interface1) to the trust zone I lose all connection to the router, except via direct console cable (no SSH, telnet or web interface). The only way I can regain connection (and functionality!) is to remove Vlan-interface1 from the trust zone.

Does anyone have any experience in configuring the zone firewall on this router? I'm assuming that I should have some kind of firewall enabled if possible.

akg7
HPE Pro

Re: MSR1002-4 Zone firewall

Hello,

Is Vlan-interface 1 the part of management access?

Thanks!

Note: While I am an HPE Employee, all of my comments (whether noted or not) are my own and are not any official representation of the company.
Rob_Dean
Advisor

Re: MSR1002-4 Zone firewall

I'm not sure what you mean. As long as Vlan-interface 1 isn't added to the trust zone I can manage the router via web, SSH etc. As soon as I add that interface to the trust zone I can no longer manage it except via console. Further to that, I lose all connectivity between Vlan-interface 1 and the WAN port (all internet access fails).

I tried adding Vlan-interface 1 to the management zone, but that makes it lose all connectivity as well.

 

Ivan_B
HPE Pro

Re: MSR1002-4 Zone firewall

Hi @Rob_Dean !

From the configuration details provided it is hard to understand the relation between Vlan-interface1 and GE1/0/1 (both are in 'trust'). If the traffic that is dropped is flowing between those two interfaces, then it's expected. Packets between two interfaces that are in the same security zone are discarded by default, as is traffic between an interface in a security zone and an interface that is not in any zone:

[Image: security_zone.png]

If you want intra-zone traffic to be allowed by default, use the following command:

system-view
security-zone intra-zone default permit

If you need to allow traffic between different security zones ('trust' and 'untrust' in your case), then you need to create a zone pair and explicitly allow the traffic you need, as by default traffic between two interfaces in different security zones is not allowed.

 

I am an HPE employee


Rob_Dean
Advisor

Re: MSR1002-4 Zone firewall

Third time replying to this will hopefully work!

I'm new to this so learning as I go along.

It looks like by default there is an intra-zone traffic rule set up. (I can post the config if needed.)

So, to enable the zone firewall I need to do the following:

Add interface GigabitEthernet0/0 (WAN) to the untrust zone

Add interface Vlan-interface1 (LAN) to the trust zone

Add a zone pair to allow traffic between the two

Does that look right so far?

Ivan_B
HPE Pro

Re: MSR1002-4 Zone firewall

Yes, it seems to be correct logic, but there is a catch.

Our configuration guides do not state it explicitly, but zone pairs are always uni-directional. If you check the Fundamentals Configuration Guide for your router, you will see in the "Security zone configuration example" there is a feature called ASPF. It is not very obvious at first glance why it is there in the zone pair configuration, so let me try to explain.

If you create just one zone pair with source 'trust' and destination 'untrust' having an ACL applied, this will regulate ONLY traffic from 'trust' to 'untrust', but not the traffic from 'untrust' to 'trust'. So if you ping a server on the Internet ('untrust') from a PC in the 'trust' zone, the ICMP requests will be allowed (trust->untrust), but the replies will be blocked, as the 'untrust'->'trust' policy is not defined and the traffic is discarded. Of course we can configure an untrust->trust zone pair, but for many applications having two zone-pair configs between each pair of zones in order to regulate traffic in both directions is an awkward solution. Here comes ASPF, which is basically a stateful packet inspection and connection tracking mechanism. (FYI - there is a predefined ASPF policy '1' that inspects FTP packets and packets of all transport layer protocols, but it does not perform the ICMP error message check or the TCP SYN packet check; you can create more specific policies if you wish.)

So instead of having two zone pairs - trust->untrust and untrust->trust - you can have only trust->untrust with ASPF applied. Of course you still need a permissive ACL as well, because ASPF just tracks connections but does not deny or permit traffic. So how it works: all outgoing packets from 'trust' to 'untrust' will be allowed by the ACL AND inspected by ASPF. ASPF will create state records for each allowed connection in the connection tracking database, and when a host on the 'untrust' side replies, this traffic will be allowed into the 'trust' zone, because the firewall already knows it is just a reply to traffic initiated (and allowed) from the 'trust' zone. This is why in the configuration examples you have ASPF.

However, if you want to be able to initiate traffic from 'untrust' to the 'trust' zone, for example to have management access from the Internet to the router, then you will need to create a zone pair with source 'untrust' and destination 'trust' and apply an ACL that allows SSH/Telnet/HTTPS.

Summarizing:

So, to enable the zone firewall I need to do the following:

Add interface GigabitEthernet0/0 (WAN) to the untrust zone

YES

Add interface Vlan-interface1 (LAN) to the trust zone

CORRECT

Add a zone pair to allow traffic between the two

Sure, but it is more like this:

- Option A. You need to block all incoming traffic from 'untrust' to 'trust' that is not a response to traffic initiated previously from the 'trust' zone. In this case create 'zone-pair security source trust destination untrust', assign to it an ACL with 'rule permit ip' and assign ASPF policy with 'aspf apply policy 1'. If you want a custom policy, create it and then apply it instead of '1'.

- Option B. You need to block all incoming traffic from 'untrust' to 'trust' that is not a response to traffic initiated previously from the 'trust' zone, but with one exception - incoming SSH/Telnet traffic must be allowed.
- Step 1. In this case create 'zone-pair security source trust destination untrust', assign to it an ACL with 'rule permit ip' and assign ASPF policy with 'aspf apply policy 1'. If you want a custom policy, create it and then apply it instead of '1'.
- Step 2. Create 'zone-pair security source untrust destination trust' and assign an ACL to the zone pair that explicitly permits the desired management protocol(s).

Hope this helps!

 

I am an HPE employee

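As an added example (not the thread's own configuration and not taken from the HPE guide), Option B from the reply above written out end to end, together with the trust-to-Local zone pair that Rob_Dean mentions needing in a later reply for LAN-side management of the router itself. Interface names are the ones used in this thread; ACL numbers 3500/3501 and the choice of SSH and HTTPS as the permitted inbound management protocols are assumptions.

```comware
# Added example: Comware 7 zone firewall, Option B plus a trust-to-Local pair.
# Interface names follow this thread; ACL numbers 3500/3501 are assumptions.
system-view
# Zones: WAN interface into Untrust, LAN interface into Trust.
# (Local is the predefined zone for traffic to/from the router itself.)
security-zone name untrust
 import interface GigabitEthernet 0/0
 quit
security-zone name trust
 import interface Vlan-interface 1
 quit
# ACL 3500: permit everything. Used on the outbound pair, where ASPF does the
# connection tracking, and on the trust->local management pair.
acl advanced 3500
 rule permit ip
 quit
# ACL 3501: only the management protocols allowed to be initiated from outside
# (assumed here: SSH on 22 and HTTPS on 443); everything else is denied.
acl advanced 3501
 rule 0 permit tcp destination-port eq 22
 rule 5 permit tcp destination-port eq 443
 rule 100 deny ip
 quit
# Step 1: Trust -> Untrust. Permit all and track connections with the predefined
# ASPF policy 1, so replies from the Internet are admitted without needing an
# Untrust -> Trust permit-all pair.
zone-pair security source trust destination untrust
 packet-filter 3500
 aspf apply policy 1
 quit
# Step 2: Untrust -> Trust. Only the explicitly listed protocols may initiate.
# Note: traffic addressed to the router's own IPs belongs to the Local zone, so
# management of the router itself from outside would be an untrust->local pair.
zone-pair security source untrust destination trust
 packet-filter 3501
 quit
# Trust -> Local: keep LAN-side web/SSH access to the router working once
# Vlan-interface1 is a zone member (the symptom described at the top of the thread).
zone-pair security source trust destination local
 packet-filter 3500
 quit
```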

Rob_Dean
Advisor

Re: MSR1002-4 Zone firewall

Thanks @Ivan_B, a wonderful explanation.

I went through and created the zone pair as suggested (option A) and also another zone pair (trust to local), as I found I lost web management from the LAN to the router. So far so good. But then I lost internet connectivity and noticed that GigabitEthernet0/0 was obtaining a strange IP (it is set to be configured by DHCP from the internet provider via a bridge modem). I removed GigabitEthernet0/0 from the untrust zone (and Vlan-interface1 from the trust zone) and it pulled the correct IP and everything is working again.

Any idea as to why it pulls a strange IP when added to that zone?

Ivan_B
HPE Pro

Re: MSR1002-4 Zone firewall

Do you remember what that IP address was? Did it look like 169.254.x.x?

I am an HPE employee


Rob_Dean
Advisor

Re: MSR1002-4 Zone firewall

Yes, from memory it was something like that. So does that mean it's not pulling an IP from the external DHCP server and so defaulting back to a 169.254.x.x IP instead?

Ivan_B
HPE Pro

Re: MSR1002-4 Zone firewall

If so, this was an automatically self-assigned IP address. If the DHCP client can't get an IP from the DHCP server, it assigns itself a random IP from the 169.254.0.0-169.254.255.255 range... The question is why the 'untrust' interface can't get an IP from the ISP, since we technically have no inter-zone traffic here, not even intra-zone: the DHCP exchange is initiated by Gig0/0 and terminated on Gig0/0, everything stays inside the zone... Do you have any 'packet-filter' statements on Gig0/0 itself?

I am an HPE employee
