Disabling of Management Port

Hello,

I have some issues with the management port which is in the same network as a management network that I want to "hide" behind the firewall.



I changed some routing (on the 10 GBit port), which resulted in two interfaces on the firewall being in the same network and some asynchronous routing issues.

XG550_RL02_SFOS 18.5.3 MR-3-Build408# route -e
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
...
172.21.12.0 * 255.255.255.0 U 0 0 0 PortMGMT2
172.21.12.0 * 255.255.255.0 U 0 0 0 LAG02.200


Disconnecting the PortMGMT2 seems not to help. Can it be disabled? How?
For the moment I changed the IP from 172.21.11.81 to 172.21.13.81.

If I connect a device (172.21.13.1/32) on the management port (172.21.13.81) there will be NO rule required to access 172.21.13.0/24 from a client on 172.21.13.0/24, right?

Regards
BeEf
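An added check, not from the thread or from Sophos, that parses `route -e` style output and flags any directly connected network that appears on more than one interface, which is the condition shown in the routing table above. The sample table is constructed for the example; the parser assumes the column layout of the output quoted in the post.

```python
"""Flag connected networks that are reachable via more than one interface,
the overlap that produces asymmetric routing on a firewall."""
import ipaddress
from collections import defaultdict

# Constructed sample, modelled on the kernel routing table quoted in the post.
SAMPLE_ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
default         172.21.10.1     0.0.0.0         UG    0 0          0 Port1
172.21.10.0     *               255.255.255.0   U     0 0          0 Port1
172.21.12.0     *               255.255.255.0   U     0 0          0 PortMGMT2
172.21.12.0     *               255.255.255.0   U     0 0          0 LAG02.200
"""


def parse_routes(text):
    """Parse `route -e` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the title line, the column header and anything too short.
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[-1]
        if dest == "default":
            dest = "0.0.0.0"
        # strict=False tolerates a destination with host bits set.
        network = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((network, gateway, iface))
    return routes


def find_duplicate_networks(routes):
    """Return {network: [iface, ...]} for connected networks on more than one interface."""
    by_network = defaultdict(list)
    for network, gateway, iface in routes:
        if gateway == "*":  # '*' marks a directly connected route
            by_network[network].append(iface)
    return {str(net): ifaces for net, ifaces in by_network.items() if len(ifaces) > 1}


if __name__ == "__main__":
    for net, ifaces in find_duplicate_networks(parse_routes(SAMPLE_ROUTE_OUTPUT)).items():
        print(f"{net} is connected on multiple interfaces: {', '.join(ifaces)}")
```

On the real box the same check can be run by piping the output of `route -e` into `parse_routes`; any network it reports is one where replies may leave via a different interface than the request arrived on.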



  • What is your goal in the end? You could potentially work with a network bridge, if you want to have the same IP/subnet on the management ports.


  • Hello. First I had an IP on the management interface configured in the management network that was routed on a switch on each node of the cluster.

    Now we want to route the management network on the firewall itself as a VLAN on a 10 GBit/s interface, in order to be able to "hide" it and to control access to the firewall on the firewall itself.

    For me it looks like the firewall uses the 1 GBit MGMT network even if I disconnect the cable. Only changing the IP to another network helps. However, I do not really want to create a separate network for firewall management.

    Another obstacle seems to be that after we changed the routing, it seems not to be possible to access the passive firewall of the cluster on its management interface once the routing was changed to the firewall. This was monitored before because a few updates back we had issues with hardware freezing (in this case it was no longer reachable on the management interface).

    To be honest I don't like bridging and I guess it won't solve our problem.

    To make this a little bit more clear:

    Management interface of 1st firewall 172.21.12.81.
    Management interface of 2nd firewall 172.21.12.82.

    10 GBit/s Interface (actually 2*10 GBit/s LAG)
    Subnet mask 255.255.255.0
    Zone MGMT
    Gateway on 10 GBit/s 172.21.12.5 (used by all devices in the management network: VMware servers, iLO/iDRAC boards, SAN management, ...)

    (This also seems to lead to asynchronous routing, which seems not to be visible on the firewall itself. I was not able to see dropped packets or anything in the log; however, the communication seems to go from the external network - 172.221.12.81 (management interface comes first) - device in 172.21.12.0/24 - which sends the answer through its default gateway.)

    Regards,
    BeEf
