mroszkowski
Contributor

vShield Edge and App in concert

So, I have both vShield App and vShield Edge deployed and they're causing me a bit of a headache.  I'm hoping this celebrated computer connoisseur community can constructively comment!

What I'm trying to do is construct an application deployment segmented from the rest of my networks.  The VMs inside this "application" should be able to talk amongst themselves.  Only a single VM is allowed out to the Internet, via the vShield Edge (which will eventually perform load balancing.)  All the VMs have filtered access to specific services on the "Management" network (DNS, Update server, code repositories, etc) so they can be updated and managed automagically.  I'm given to believe that the below set-up should do what I want.  (Pro-tip: it doesn't)

Example setup (names changed to protect the innocent):

Three virtual machines:

  • Hades - MQ Message Bus
  • Anubis - HTTP Proxy and Tomcat Java Application Server
    • Listens on ports 10081 and 10443 for http and https connections.
  • Freyja - Database

One vShield Edge: vse-underworld with three interfaces:

  • Outside - 192.168.0.20 /24 (pgDMZ)
  • Mgmt - 10.10.0.15 /24 (pgMgmt)
  • Inside - 172.16.0.1 /26 (pgUnderworld)

Three Port Groups:

  • pgDMZ - Vlan 10 - For traffic coming in from the Internet
  • pgUnderworld - Vlan 20 - "internal" traffic between the three servers above
  • pgMgmt - Vlan 999 - Management subnet with things like internal DNS, local YUM Repo, etc...

Network Map:

[Network map image: sample-setup.png]

I have set up the vShield Appliance FW to block traffic from pgUnderworld not destined for pgUnderworld.

Source | Destination | Service | Action
--- | --- | --- | ---
pgUnderworld | pgUnderworld (Negated) | any | Block

I have set the vShield Edge vse-underworld with the following NAT rules:

Action | Interface | Orig IP Addr | Orig Port | Tran IP Addr | Tran Port | Protocol
--- | --- | --- | --- | --- | --- | ---
SNAT | mgmt | 172.16.0.0/24 | any | 10.10.0.15 (mgmt interface) | any | any
DNAT | outside | 192.168.0.20 | 80 | 172.16.0.5 (Anubis) | 10081 | tcp
DNAT | outside | 192.168.0.20 | 443 | 172.16.0.5 (Anubis) | 10443 | tcp
DNAT | mgmt | 10.10.0.151 | any | 172.16.0.5 (Anubis) | any | any
DNAT | mgmt | 10.10.0.152 | any | 172.16.0.10 (Hades) | any | any
DNAT | mgmt | 10.10.0.153 | any | 172.16.0.11 (Freyja) | any | any

And the following firewall rules:

Name | Source | Destination | Service | Action
--- | --- | --- | --- | ---
ALLOW ICMP | any | vse | ICMP Echo, ICMP Echo Reply | Accept
ALLOW HTTPS TO APP | any | ip-anubis (172.16.0.5) | HTTP, HTTPS | Accept
ALLOW MGMT TO INTERNAL | net-mgmt (10.10.0.0 /24) | net-underworld (172.16.0.0 /24) | HTTP, HTTPS, SSH, PostgreSQL | Accept
ALLOW INTERNAL TO YUM REPO | internal | ip-host-yum-repo (10.10.0.10) | HTTP, HTTPS | Accept

What works:

  • Access from the internet to the Internal Application (via both the physical firewall and the vShield Edge)
  • Access from the Management network to the individual NAT'd IP addresses (10.10.0.5[1-3])

What doesn't work:

  • Access from the "internal" hosts (Anubis, Freyja, and Hades) to the yum repository on the Management port group (10.10.0.10)
    • My understanding has this traffic's source IP being translated to 10.10.0.15 by the vShield Edge and then being put on the pgMgmt port group
    • However, when checking the Flow Monitoring on the vShield Manager, I see this traffic being blocked by the vShield App rule!

I'm really hoping to keep my vShield App rules as simple as possible as all these rules are going to have to be built by work-flows eventually.

Any suggestions?

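Added example (my own model, not code from the post or from VMware): a small first-match rule evaluator that reproduces the blocked flow described above. It assumes vShield App evaluates its rules top-down at the VM's vNIC, so it sees the pre-SNAT source 172.16.0.5 rather than the Edge's 10.10.0.15, and falls through to a default Accept; the port-group subnets, rule names and the added allow rule are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed mapping of the post's port groups to their subnets (assumption, not vShield data).
PORT_GROUPS = {
    "pgUnderworld": ipaddress.ip_network("172.16.0.0/26"),
    "pgMgmt": ipaddress.ip_network("10.10.0.0/24"),
    "pgDMZ": ipaddress.ip_network("192.168.0.0/24"),
}

@dataclass
class Rule:
    name: str
    src: str               # port group name or "any"
    dst: str               # port group name, host/CIDR string, or "any"
    dst_negated: bool      # the "(Negated)" destination from the post
    ports: Optional[set]   # None means any service
    action: str            # "Accept" or "Block"

def _matches(selector, ip):
    if selector == "any":
        return True
    if selector in PORT_GROUPS:
        return ip in PORT_GROUPS[selector]
    return ip in ipaddress.ip_network(selector, strict=False)

def evaluate(rules, src_ip, dst_ip, dport):
    """Top-down first match; assumed default Accept when nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        dst_ok = _matches(r.dst, d) != r.dst_negated   # negation flips the destination test
        if _matches(r.src, s) and dst_ok and (r.ports is None or dport in r.ports):
            return r.name, r.action
    return "default", "Accept"

# The post's single vShield App rule: pgUnderworld -> NOT pgUnderworld, any service, Block.
POSTED_RULES = [Rule("block-egress", "pgUnderworld", "pgUnderworld", True, None, "Block")]

# Hypothetical fix: an explicit Accept to the repo host placed above the block rule.
FIXED_RULES = [Rule("allow-yum", "pgUnderworld", "10.10.0.10/32", False, {80, 443}, "Accept")] + POSTED_RULES

def anubis_to_yum(rules):
    # The App filter sits at Anubis's vNIC, before the Edge SNAT, so the source is still 172.16.0.5.
    return evaluate(rules, "172.16.0.5", "10.10.0.10", 443)

if __name__ == "__main__":
    print("posted rules:", anubis_to_yum(POSTED_RULES))   # ('block-egress', 'Block')
    print("with allow  :", anubis_to_yum(FIXED_RULES))    # ('allow-yum', 'Accept')
```

Traffic between the three servers (e.g. Anubis to Hades) still falls through the block rule to the default, which matches the "what works" list above.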