For your first issue, it's a bit hard to understand from your description. Are you able to post some screenshots of your config? That might make it a bit easier to understand.
For your second issue, it sounds like you still have the ESG firewall enabled and the traffic is traversing that firewall. That's why you need to apply the rules to the ESG.
Is it your intention to also firewall all traffic traversing the ESG?
1) I will try and re-document it, but it is live and I am trying to avoid posting accessible info. I think we might have the answer to this, but I will post on the findings.
2) Yes, the default block rule and firewall are enabled; if I didn't, you could reach the SSH service on the edge devices. This is the only reason that the firewall is enabled on the edge device.
Just going to play devil's advocate here, but why do you need SSH access enabled on the ESG? The majority of troubleshooting commands on an ESG can be accomplished via the Central CLI, and for the couple that aren't available, you can grab those via the console.
It would make your life a lot easier.
Regarding the second issue, this is because the ESG is simply another, different firewall. You have the Distributed Firewall, which handles East/West traffic, and then you go out of the datacenter and you hit a new roadblock (the ESG). If you don't also permit the traffic on the ESG, the traffic will be blocked. If you compare this to two physical firewalls, it makes sense. That's why you should apply the rules to both the DFW and the ESG. The same would probably happen if you apply the rules to the ESG but not to the DFW: then the DFW will block the traffic instead of the ESG.
Thanks Hans, this added to the understanding.
1) I have not been able to get to redoing the docs, but the short of it is that we are using the ESG to route all the public networks through while doing DFW. I ended up creating the inbound port access that the hosts needed with a direction of IN only, and then did an allow from the IP host blocks, if the destination was not the router or the host IP block, with a direction of OUT only. This simplified the rule sets that we originally had, and we were able to remove the block rule that we had to set up. Not sure this is the best way, but definitely simpler than what we had.
2) We have a tech portal that has tools that the techs can run on the routers/firewall when working on connectivity issues, and they use SSH to connect and run the commands. Looking at it deeper, I assume that we could change the default block rule on the ESG to allow and create a rule to block SSH unless it is coming from our management IP addresses?
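The two points made above, that a flow has to be permitted on both the DFW and the ESG because they are two firewalls in series, and the direction-scoped rule design described in 1) (IN-only port allows toward the hosts, an OUT-only allow from the host block when the destination is not the router or the host block, default block), can be checked with a small model before touching a live edge. The following Python is an added example written for this thread; it is not NSX code, not anything from the posters, and does not use the NSX API. It assumes a simplified first-match rule evaluator, a rule "direction" relative to the firewall ("in" = toward the protected hosts, "out" = away from them), and constructed address ranges (host block 203.0.113.0/24, router 198.51.100.1, management 192.0.2.0/24) that are placeholders, not anyone's real topology.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed, documentation-range addresses standing in for the real ones.
HOSTS = "203.0.113.0/24"     # public host block behind the ESG
ROUTER = "198.51.100.1/32"   # the upstream router the hosts must not reach
MGMT = "192.0.2.0/24"        # management network allowed to SSH


@dataclass(frozen=True)
class Flow:
    """One connection attempt, described from the initiating side."""
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "block"
    src: tuple = ("any",)       # CIDRs, or "any"
    dst: tuple = ("any",)
    dports: tuple = ()          # empty = any destination port
    direction: str = "inout"    # "in", "out" or "inout" (assumed ESG-style semantics)
    negate_dst: bool = False    # True = match only when dst is NOT in `dst`


def _addr_in(addr, specs):
    return any(s == "any" or ip_address(addr) in ip_network(s) for s in specs)


def rule_matches(rule, flow, direction):
    """Does this rule apply to the flow travelling in the given direction?"""
    if rule.direction != "inout" and rule.direction != direction:
        return False
    if rule.dports and flow.dport not in rule.dports:
        return False
    dst_hit = _addr_in(flow.dst, rule.dst)
    if rule.negate_dst:
        dst_hit = not dst_hit
    return _addr_in(flow.src, rule.src) and dst_hit


class Firewall:
    """Ordered rule list, first match wins, then the default action."""

    def __init__(self, name, rules, default_action="block"):
        self.name = name
        self.rules = list(rules)
        self.default_action = default_action

    def evaluate(self, flow, direction):
        for rule in self.rules:
            if rule_matches(rule, flow, direction):
                return rule.action, rule.name
        return self.default_action, "default"


# DFW: East/West policy on the hosts themselves (direction-agnostic here).
DFW = Firewall("DFW", [
    Rule("allow_web", "allow", dst=(HOSTS,), dports=(80, 443)),
    Rule("allow_mgmt_ssh", "allow", src=(MGMT,), dst=(HOSTS,), dports=(22,)),
    Rule("allow_hosts_out", "allow", src=(HOSTS,)),
])

# ESG: the rule design from point 1) above, with the default block kept.
ESG = Firewall("ESG", [
    Rule("allow_web_in", "allow", dst=(HOSTS,), dports=(80, 443), direction="in"),
    Rule("allow_host_out", "allow", src=(HOSTS,), dst=(ROUTER, HOSTS),
         negate_dst=True, direction="out"),
])


def path_verdict(flow, direction, dfw=DFW, esg=ESG):
    """Walk the flow through both firewalls in the order it really meets them.

    Inbound traffic hits the ESG first, then the DFW; outbound is the reverse.
    Returns ("allow", None, None) or ("block", <firewall>, <rule>).
    """
    path = (esg, dfw) if direction == "in" else (dfw, esg)
    for fw in path:
        action, rule = fw.evaluate(flow, direction)
        if action == "block":
            return ("block", fw.name, rule)
    return ("allow", None, None)


if __name__ == "__main__":
    # Constructed sample flows: management SSH is allowed by the DFW alone,
    # but the ESG in front of it has no matching rule, so the path blocks it.
    for flow, direction in [
        (Flow("198.51.100.50", "203.0.113.10", 443), "in"),
        (Flow("192.0.2.7", "203.0.113.10", 22), "in"),
        (Flow("203.0.113.10", "198.51.100.200", 53), "out"),
        (Flow("203.0.113.10", "198.51.100.1", 22), "out"),
    ]:
        print(direction, flow, "->", path_verdict(flow, direction))
```

The second sample flow is the situation Hans describes: the DFW rule alone says allow, yet the flow is dropped because the ESG's rule list never mentions it. Listing both verdicts side by side for each flow you care about is a quick way to find the rule that is missing on one of the two firewalls.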