BWC

Cybersecurity Overlord ✭✭✭

Badges (27)

5 Year Anniversary; 250 Answers; 4 Year Anniversary; 3 Year Anniversary; 250 Likes; 100 Answers; 100 Helpfuls; 2 Year Anniversary; 1,000 Comments; 50 Answers; 1 Year Anniversary; 500 Comments; 25 Answers; 100 Likes; 25 Helpfuls; 100 Comments; Work Out Loud; 5 Answers; 25 Likes; First Answer; 10 Comments; 5 Helpfuls; First Comment; 5 Likes; Photogenic; Name Dropper; Early Adopter

Comments

  • Hi @AndyLam yes SMA 1000 Series is able to act as a Reverse Proxy, but I'm not sure if this counts for anonymous connections as well. Depending on your scenario having an additional layer of authentication before reaching the published application is a good thing, but if you just wanna publish a public site it's a no go.…
  • Hi @Timo that's an interesting question and I did some testing on my TZ 400 (6.5.4.7) for you. When doing a Probe Type Ping or TCP I cannot see any traffic initiated from the Firewall to the remote side. But when selecting the Probe Types ending with Explicit Route I'm able to do the Network Monitor by setting the Local…
  • Hi @AndyLam no NSa/TZ supports reverse proxy, can only be done with SMA if you wanna stick with SNWL on that topic. --Michael@BWC
  • Hi @Arkwright having a different theme will probably not happen, I'm still annoyed about the Classic/Contemporary Situation on the SMA. But by just gzipping the content coming from the Firewall it would help a lot, performance overhead is IMHO minimal considering the new Appliances are so powerful (according to SNWL).…
  • Hi @hbs_Chris if the credentials consist of only a-zA-Z0-9@ it shouldn't be a problem, but other special characters could be a problem. The TZ 470 is on R1262 already? --Michael@BWC
  • Hi @hbs_Chris I guess you changed the Monitor Filter because of my typo and monitored PPPOE-SES and PPPOE-DIS, correct? From what I'm reading out of this trace is, that you're getting an Authentication Error. You're 100% certain that the credentials are correct, any funny characters in there, which might get lost in the…
  • @IanJ IMHO this can be accomplished this way:
    ssh to appliance
    configure
    dhcp-server
    no enable
    commit
    exit
    --Michael@BWC
  • Hi @djhurt1 Network -> Interface is the common unique IP for the active appliance, let's assume the X0 IP is 10.4.16.1 then the HA -> Monitoring Addresses for X0 could be as follows: Primary will be available from the X0 via 10.4.16.14 and the Secondary via 10.4.16.15. Just to make sure that you're accessing the Firewall…
  • Hi @djhurt1 if we're talking HA then the term Virtual Interface isn't a real setting, it's just the active Interface. Don't get it confused with the real Virtual Interface which is a VLAN Interface. Like mentioned before, Network -> Interfaces holds the active Appliance IP (Cluster IP), which could be either primary or…
  • Hi @network_ninja to say for sure what happened we need to put the packet in context. But it is my understanding that "na" isn't showing some form of block therefore the packet is passing through. Events for "IKEv2 Received Dead Peer Detection Response" are also marked with fw_action="na" for example, which is clear that…
  • Hi @network_ninja the NA just means "not associated with a packet, firewall action is Not Applicable", which means the Firewall did not do any action on the packet. Other Actions are forward, drop and mgmt, which are self-explaining. --Michael@BWC
  • Hi @djhurt1 the "virtual" IP address is the address you assigned under Network -> Interfaces, the dedicated Primary and Secondary IP addresses are defined in HA -> Monitoring for each Interface and should be therefore in the same subnet as the "virtual" IP. It's called virtual, because it can be either active on the…
  • Just another update if anyone cares. It seems that 10.2.0.7-34sv-SMA2517v3 resolves this issue and will be hopefully released in the foreseeable future and I can stop self-talking to me on this thread. 🤐 --Michael@BWC
  • Great, at least I'm lucky this time not having an AD 😉 --Michael@BWC
  • Hi @TKWITS the Policy in that case is not using the Dynamic Client Proposal, because both sides have static IP addresses. But did you experience any trouble having the Dynamic Client Proposal not on-par with the Policy Proposal, despite not using it? I disabled the WAN schedule on the remote-side, so no forced reconnect…