BWC

Cybersecurity Overlord ✭✭✭

Comments

  • @fre my best guess would be that you did not enable "Allow Management traffic" in the 2nd rule, which is necessary if you need to talk to the Firewall. Altering the default Access Rule is a common way to limit access. --Michael@BWC
    in Allow ping Comment by BWC February 2023
  • @fre
    1. delete your IP test Rule
    2. create two address objects with the IP addresses from your ISP
    3. create an address group and insert the two address objects from above
    4. alter the ping rule in your WAN-WAN access rules and select the address group as source
    --Michael@BWC
    in Allow ping Comment by BWC February 2023
  • @Simon_Weel when fiddling with DPI-SSL it's always advisable to completely close any browser instance. This kind of exclusion only makes sense if the destination is static. Figuring this stuff out is one of the downsides of DPI-SSL. --Michael@BWC
  • @Nikuda I'm glad you've got that resolved :) --Michael@BWC
  • @janvic123 are both NSA5600 close by or on separate locations, could they be connected via Ethernet or do they have to be connected via WAN? If they are close to each other you could use a network interface on each Appliance to span a transfer network between both and route your traffic accordingly. By creating a separate…
  • @Nikuda even better, then we can rule that out. Try the Packet-Monitor, maybe crank up Wireshark on the Notebook too, check the routing table on your Notebook and make sure your Windows Firewall isn't filtering anything out. --Michael@BWC
  • @Simon_Weel I have not seen this before, but did you try to exclude an endpoint from the security services? This would give you a clear view if it's related to that, and you can start from here. Without security services the chances are nil that the TZ is interfering. It might be also related to some kind of Endpoint Security,…
  • @Nikuda just crank up a Packet-Monitor and look for ICMP traffic, that'll show you if anything is getting dropped. If nothing gets dropped and you just see the "ECHO REQUEST" but no "ECHO REPLY" you probably have a routing problem or the switch isn't configured correctly. I assume X0 and X2 are connected to a switch and…
  • @wdubose as you mentioned if you don't have any specific Policies (Access, Routing, NAT) bound to X0 you should be good to go and your plan sounds solid. Also check if you have used the default X0 address objects somehow. --Michael@BWC
  • @artyomtsybulkin you're listed as a partner and probably should know basic stuff like this already, labeling the reply from @Bbialy as useless isn't a helpful thing to do, I would call it rude and might reduce the chance that somebody else is willing to help. The way @Bbialy described it is IMHO correct, because the SNWL…
  • @davidmdlp85 what exactly are you looking for? This KB-article seems to be very comprehensive. --Michael@BWC
  • @StuartBooth I did not raise this situation with Support, because it can be challenging to deal with sometimes and I wasn't ready for that 🤐 IMHO DPI-SSL is on the downfall and the time I'll spend with it is decreasing. --Michael@BWC
  • @LexES you can use different VLANs or just different ranges, IMHO it doesn't matter, because PBR works on the Source Address. Policy -> Rules and Policies -> Routing Policies. A routing policy would look like this:
    SRC: Range1 / DST: Any (0.0.0.0/0) / Interface: X1 / GW: X1 IPv4 Default Gateway
    SRC: Range2 / DST: Any…
  • @StuartBooth I can confirm similar trouble even on a NSa 4700 with activated DPI-SSL. I didn't have the time to dig into it, but it looked like sites with heavy usage of ads are impacted most, like newspaper sites etc. This might be the same in your case. Browser Developer tools are helpful here, because you could see in the…
  • @LexES if you don't want to stick all WAN interfaces in the only available LB Group you need to configure Routing Rules, which is called Policy Based Routing. Or you could use SDWAN to spread the traffic based on performance values. It depends what you try to accomplish and how to use the WAN links. If you have Basic Failover…
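Two of the @Nikuda replies above say to run the Packet-Monitor (or Wireshark on the notebook) and look for ICMP "ECHO REQUEST" packets that never get an "ECHO REPLY", which points at a routing or switch problem rather than a dropped packet. The script below is an added example, not code from the original thread or from SonicWall: it does that pairing over raw IPv4 frames, ignores non-ICMP traffic and packets with a bad ICMP checksum, and reports which requests went unanswered. All packets are constructed inline; the addresses (192.168.1.10 notebook, 10.0.2.20 server), the echo identifier and the sequence numbers are made up for the demonstration.

```python
"""Pair ICMP echo requests with replies in a raw IPv4 capture (added example)."""
import struct
from ipaddress import IPv4Address

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a valid header checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = inet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_echo(src: str, dst: str, icmp_type: int, ident: int, seq: int,
               payload: bytes = b"ping") -> bytes:
    """ICMP echo request/reply inside an IPv4 packet, with a valid ICMP checksum."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    icmp = struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload
    return build_ipv4(src, dst, IPPROTO_ICMP, icmp)


def parse_echo(pkt: bytes):
    """Return (src, dst, icmp_type, ident, seq) for an ICMP echo request or reply.

    Returns None for non-IPv4 data, non-ICMP traffic, other ICMP types and any
    ICMP message whose checksum does not verify (its fields cannot be trusted).
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ICMP or len(pkt) < ihl + 8:
        return None
    icmp = pkt[ihl:]
    if inet_checksum(icmp) != 0:  # a correct checksum sums to zero over the whole message
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return (str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])),
            icmp_type, ident, seq)


def find_unanswered(packets):
    """Return sorted (src, dst, ident, seq) for every echo request without a reply."""
    requests = set()
    replies = set()
    for pkt in packets:
        parsed = parse_echo(pkt)
        if parsed is None:
            continue
        src, dst, icmp_type, ident, seq = parsed
        if icmp_type == ICMP_ECHO_REQUEST:
            requests.add((src, dst, ident, seq))
        else:
            # A reply travels dst -> src relative to the request it answers,
            # so swap the addresses to get the key of the matching request.
            replies.add((dst, src, ident, seq))
    return sorted(requests - replies)


# Constructed sample capture (assumed addresses and identifier, not real data):
# the notebook pings the server three times; only the first ping is answered.
NOTEBOOK, SERVER, IDENT = "192.168.1.10", "10.0.2.20", 0x1C2D
SAMPLE_CAPTURE = [
    build_echo(NOTEBOOK, SERVER, ICMP_ECHO_REQUEST, IDENT, 1),
    build_echo(SERVER, NOTEBOOK, ICMP_ECHO_REPLY, IDENT, 1),    # seq 1 answered
    build_ipv4(NOTEBOOK, SERVER, IPPROTO_TCP, b"\x00" * 20),    # unrelated TCP, ignored
    build_echo(NOTEBOOK, SERVER, ICMP_ECHO_REQUEST, IDENT, 2),  # seq 2: no reply
    build_echo(NOTEBOOK, SERVER, ICMP_ECHO_REQUEST, IDENT, 3),  # seq 3: no reply
]

if __name__ == "__main__":
    for src, dst, ident, seq in find_unanswered(SAMPLE_CAPTURE):
        print(f"no ECHO REPLY for {src} -> {dst} id={ident:#06x} seq={seq}")
```

If the list comes back empty, the request/reply pairs are complete on that capture point and the problem lies elsewhere (for instance a host firewall answering the ping but a different path dropping the next hop); if every request is listed, check the routing table and the switch configuration as the comments suggest, since nothing on the wire is replying at all.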