topic Re: Query regarding ZBFW configuration in Network Security

Query regarding ZBFW configuration

darren-carr — Wed, 01 May 2019 21:21:45 GMT

Hi community,

We are experiencing an issue with regards to a specific flow we are trying to permit through and then back in through the ZBFW we have deployed. The flow is defined below. The flow is slightly unusual in that we are using TCP traceroute towards the destination and would like to allow ICMP TTL Exceeded back in. This is to provide path visualisation for a monitoring tool we have deployed in our environment. For the IN traffic source, the source is any as this relates to routed hops in the path towards the destination.

OUT: src_ip: 10.1.1.1, src_port: random, dst_ip: msft-o365, dst_port: 443

IN: src_ip: any, src_port: N/A, dst_ip: 10.1.1.1

We have deployed the configuration below. The initial HTTPS communication is permitted and is working (we know this as we have other tests enabled to HTTPS targets) but the ICMP TTL Exeeded we are not getting back.

I'm looking for some advice as to what might be causing this and what we need to adjust to permit this flow?

ip access-list extended ACL-TEST-AGENTS
permit ip host 10.1.1.1 any
permit ip any host 10.1.1.1
!
ip access-list extended ACL-TEST-PROTOCOL
permit icmp any any
deny ip any any
!
ip access-list extended ACL-TRUSTED-LAN
permit ip 10.1.1.0 0.0.0.255 any
!
ip access-list extended ACL-ICMP
permit icmp any any unreachable
permit icmp any any source-quench
permit icmp any any time-exceeded
deny ip any any
!
class-map type inspect match-all CLASS-IN-OUT
match access-group name ACL-TEST-PROTOCOL
match access-group name ACL-TEST-AGENTS
match protocol icmp
!
class-map type inspect match-all CLASS-OUT-IN
match access-group name ACL-TEST-PROTOCOL
match access-group name ACL-TEST-AGENTS
match protocol icmp
!
class-map type inspect match-all CLASS-ICMP
match access-group name ACL-ICMP
match protocol icmp
!
class-map type inspect match-all CLASS-IN-OUT-HTTPS
match access-group name ACL-TRUSTED-LAN
match protocol https
!
class-map type inspect match-all CLASS-IN-OUT-HTTP
match access-group name ACL-TRUSTED-LAN
match protocol http
!
class type inspect CLASS-IN-OUT
inspect
!
class type inspect CLASS-ICMP
pass
!
class type inspect CLASS-OUT-IN
pass

Thanks

Re: Query regarding ZBFW configuration

Rob Ingram — Thu, 02 May 2019 08:31:34 GMT

Hi,
Can you provide the output of the configuration of your zone-pairs and policy-maps please.

Re: Query regarding ZBFW configuration

darren-carr — Thu, 02 May 2019 08:36:34 GMT

Hi, sure, please see below

policy-map type inspect POLICY-TRUSTED-2-INTERNET
class type inspect CLASS-IN-OUT
inspect
class type inspect CLASS-ICMP
pass
class type inspect CLASS-IN-OUT-HTTP
inspect
class type inspect CLASS-IN-OUT-HTTPS
inspect
class type inspect CLASS-IN-OUT-NON-STD-HTTP-HTTPS
inspect
class class-default
drop log
policy-map type inspect POLICY-INTERNET-2-TRUSTED
class type inspect CLASS-ICMP
pass
class type inspect CLASS-OUT-IN
pass
class class-default
drop
!
zone security trusted
zone security internet
zone-pair security ZP-INTERNET-2-TRUSTED source internet destination trusted
service-policy type inspect POLICY-INTERNET-2-TRUSTED
zone-pair security ZP-TRUSTED-2-INTERNET source trusted destination internet
service-policy type inspect POLICY-TRUSTED-2-INTERNET
!

Re: Query regarding ZBFW configuration

Rob Ingram — Thu, 02 May 2019 09:43:52 GMT

I would imagine the inbound ICMP time-exceeded would match correctly and be permitted.

What OS are you running the traceroute on? Can you run a packet capture, guide here. Upload the pcap for review

Does the ICMP time-exceeded match the ACL and policy map?

"show policy-firewall stats zone-pair ZP-INTERNET-2-TRUSTED"
"show ip access-list ACL-ICMP"

Re: Query regarding ZBFW configuration

darren-carr — Tue, 14 May 2019 20:43:08 GMT

Hi,

Apologies for the delay. The ZBF that I created the post for is deployed the other side of the world so I have had to simulate the configuration in our lab. I've managed to do this now and have the captures.

The trace is being executed on a ThousandEyes agent (Linux based). The trace is using TCP. In this case it is using HTTPS for the SYN with an incremental TTL. As part of the configured trace the agent executes three traces. The agent attempts to re-use the same source port for each of the traces as it executes. So for example, it would use source port 50001 with a TTL of 1, it would receive the response back then use the source port of 50001 with a TTL of 2, etc.

We are seeing no hits on the ICMP ACL.

So in our scenario we are sending a TCP (HTTPS) payload and expecting an ICMP TTL exceed back. I have captured either side of the firewall and we are seeing HTTPS going out towards the target (from another test) but it appears as though the ZBF is blocking the packets we are using for the TCP traceroute as I don't see these coming out of the ZBF on the INTERNET side of the ZBF. We have proven the ZBF is blocking the traffic as when we change the inside (TRUSTED) interface to (INTERNET - effectively disabling the policy) these packets flow through. So it appears as though the ZBF is dropping these packets. The logging does not reveal much on the TRUSTED-2-INTERNET policy (I need to get the logging adjusted by the ISP).

Is this an expected behaviour and do we need to alter the config or enable something to permit this in the ZBF? We tried adjust the HTTPS rule to 'pass' from 'inspect' but this did not appear to have the desired effect.

Many thanks