Firewall policy

We're using UAG/TMG and it works fine. We have a very basic setup done by the book, File Access and Remote Desktop only.
I need to create a web publishing rule in TMG. I added another public IP address to the external network card and ensured the rule's listener uses the external address I just added.
I created a rule but don't see it hitting, nothing under sessions.
How do you recommend I fix this without hurting my UAG portal?
Resource Allocation failure:
The Web Proxy filter failed to bind its socket to 172.18.20.88 port 80. This
may have been caused by another service that is already using the same port or
by a network adapter that is not functional. To resolve this issue, restart the
Microsoft Firewall service. The error code specified in the data area of the
event properties indicates the cause of the failure.
The failure is due to
error: An attempt was made to access a socket in a way forbidden by its access
permissions.
and
WPP filter conflict detected:
Description: Forefront TMG detected Windows Filtering
Platform (WFP) filters that may cause policy conflicts.
I thought using a different IP address would solve this?
HELP PLEASE!

Hi,
You must create the Web Publishing (UAG Trunk and portal applications) in the Forefront UAG MMC. Forefront UAG listens on all IP addresses (0.0.0.0) on port 443. It is not supported to create Web Publishing rules on the TMG Server if UAG is installed:
http://technet.microsoft.com/en-us/library/ee522953.aspx
You can ignore the WFP filter conflict message. This message is by design:
http://blogs.technet.com/b/yuridiogenes/archive/2010/02/16/wfp-filter-conflict-detected-alert-after-installing-forefront-tmg-2010.aspx
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote
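The reply's key point is that a service already listening on the wildcard address (0.0.0.0) owns the port on every address of the host, so adding a second IP address to the adapter cannot give a second listener that port. The following is an added demonstration written for this page (not code from the original thread or from Microsoft): it binds one socket on 0.0.0.0 with an OS-chosen port and then attempts to bind a second socket to a specific address on the same port, without SO_REUSEADDR on either socket, which is the default behaviour of a service that simply claims its port. The port number and the loopback address are assumptions chosen so the demonstration runs unprivileged and offline.

```python
import errno
import socket


def try_specific_after_wildcard():
    """Bind a wildcard listener, then try a specific-address bind on the
    same port. Returns None if the second bind succeeded, otherwise the
    errno of the failure (EADDRINUSE on POSIX systems)."""
    wildcard = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    specific = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Port 0 lets the OS pick a free port; no SO_REUSEADDR is set, so the
        # listener claims the port exclusively on all local addresses.
        wildcard.bind(("0.0.0.0", 0))
        wildcard.listen(5)
        port = wildcard.getsockname()[1]

        # A "different IP address" for the second listener: still the same
        # port, so the OS refuses the bind.
        specific.bind(("127.0.0.1", port))
        return None
    except OSError as exc:
        return exc.errno
    finally:
        specific.close()
        wildcard.close()


def describe(result):
    """Human-readable summary of the result of try_specific_after_wildcard()."""
    if result is None:
        return "second bind succeeded (no conflict)"
    return f"second bind failed: {errno.errorcode.get(result, result)}"


if __name__ == "__main__":
    print(describe(try_specific_after_wildcard()))
```

Which specific error a failed bind reports is platform-specific (Windows reports a WSA error code rather than the POSIX errno), but the outcome is the same: while the wildcard listener exists, no other process can take that port on any of the host's addresses, which is why the TMG listener has to be defined where the wildcard listener lives (the UAG console) rather than as a second rule on another IP.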

Similar Messages

  • Deployment of Windows firewall policy error message: Provider Load Error

    How do i resolve this error?
    SCCM deployment status for the Windows Firewall configuration policy shows a lot of errors with error ID 0x80041013 Provider Load Error.
    The eventlog has logged a WMI warning:
    A provider, WindowsFirewallConfigurationProvider, has been registered in the Windows Management Instrumentation namespace Root\Microsoft\PolicyPlatform\WindowsFirewallConfiguration to use the LocalSystem account. This account is privileged and the provider
    may cause a security violation if it does not correctly impersonate user requests.
    Source WMI Event-ID: 63

    I've seen similar errors with WMI corruption, bad component registration in WMI, or permissions issue in WMI. For some more information see also:
    http://blogs.technet.com/b/configmgrteam/archive/2009/05/08/wmi-troubleshooting-tips.aspx
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Really Need Some Help with CME 8.6 using IOS as Firewall and Anyconnect VPN on Phones

    Hello,
    I have a 2911 Router with IOS Security and Voice enabled and we are using CME 8.6.  I am using a built-in Anyconnect VPN on 3 phones that are for remote users and thus I needed to enable security zones on the router which works because the remote phones will boot up, get their phone configs and I am able to call those remote phones from an outside line.
    The issue I am having is that when I try to dial a remote phone connected via the VPN through port g0/0 from an internal office phone, i.e., NOT involving the PSTN, then there is no audio.  It's as if no audio is going back and forth.  When I take off the security zones from the virtual-template interface and the g0/0 interface then the audio works great and I can reach the phone from internal as I am supposed to.
    Could someone take a peek at my security config and see why audio would not be traveling through the VPN when I have my security zones turned on?
    clock timezone PST -8 0
    clock summer-time PST recurring
    network-clock-participate wic 0 
    network-clock-select 1 T1 0/0/0
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 192.168.8.1 192.168.8.19
    ip dhcp pool owhvoip
     network 192.168.8.0 255.255.248.0
     default-router 192.168.8.1 
     option 150 ip 192.168.8.1 
     lease 30
    multilink bundle-name authenticated
    isdn switch-type primary-ni
    crypto pki server cme_root
     database level complete
     grant auto
     lifetime certificate 7305
     lifetime ca-certificate 7305
    crypto pki token default removal timeout 0
    crypto pki trustpoint cme_root
     enrollment url http://192.168.8.1:80
     revocation-check none
     rsakeypair cme_root
    crypto pki trustpoint cme_cert
     enrollment url http://192.168.8.1:80
     revocation-check none
    crypto pki trustpoint TP-self-signed-2736782807
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2736782807
     revocation-check none
     rsakeypair TP-self-signed-2736782807
    voice-card 0
     dspfarm
     dsp services dspfarm
    voice service voip
     allow-connections h323 to h323
     allow-connections h323 to sip
     allow-connections sip to h323
     allow-connections sip to sip
     fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
     vpn-group 1
      vpn-gateway 1 https://66.111.111.111/SSLVPNphone
      vpn-trustpoint 1 trustpoint cme_cert leaf
     vpn-profile 1
      host-id-check disable
    voice class codec 1
     codec preference 1 g711ulaw
    voice class custom-cptone jointone
     dualtone conference
      frequency 600 900
      cadence 300 150 300 100 300 50
    voice class custom-cptone leavetone
     dualtone conference
      frequency 400 800
      cadence 400 50 200 50 200 50
    voice translation-rule 1
     rule 1 /9400/ /502/
     rule 2 /9405/ /215/
     rule 3 /9410/ /500/
    voice translation-rule 2
     rule 1 /.*/ /541999999/
    voice translation-rule 100
     rule 1 /^9/ // type any unknown plan any isdn
    voice translation-profile Inbound_Calls_To_CUE
     translate called 1
    voice translation-profile InternationalType
     translate called 100
    voice translation-profile Local-CLID
     translate calling 2
    license udi pid CISCO2911/K9 sn FTX1641AHX3
    hw-module pvdm 0/0
    hw-module pvdm 0/1
    hw-module sm 1
    username routeradmin password 7 091649040910450B41
    username cmeadmin privilege 15 password 7 03104803040E375F5E4D5D51
    redundancy
    controller T1 0/0/0
     cablelength long 0db
     pri-group timeslots 1-12,24
    class-map type inspect match-any sslvpn
     match protocol tcp
     match protocol udp
     match protocol icmp
    class-map type inspect match-all router-access
     match access-group name router-access
    policy-map type inspect firewall-policy
     class type inspect sslvpn
      inspect 
     class class-default
      drop
    policy-map type inspect outside-to-router-policy
     class type inspect router-access
      inspect 
     class class-default
      drop
    zone security trusted
    zone security internet
    zone-pair security trusted-to-internet source trusted destination internet
     service-policy type inspect firewall-policy
    zone-pair security untrusted-to-trusted source internet destination trusted
     service-policy type inspect outside-to-router-policy
    interface Loopback0
     ip address 192.168.17.1 255.255.248.0
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     description Internet
     ip address dhcp
     no ip redirects
     no ip proxy-arp
     zone-member security internet
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.8.1 255.255.248.0
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     no ip address
     shutdown
     duplex auto
     speed auto
    interface Serial0/0/0:23
     no ip address
     encapsulation hdlc
     isdn switch-type primary-ni
     isdn incoming-voice voice
     no cdp enable
    interface Integrated-Service-Engine1/0
     ip unnumbered Loopback0
     service-module ip address 192.168.17.2 255.255.248.0
     !Application: CUE Running on NME
     service-module ip default-gateway 192.168.17.1
     no keepalive
    interface Virtual-Template1
     ip unnumbered GigabitEthernet0/0
     zone-member security trusted
    ip local pool SSLVPNPhone_pool 192.168.9.1 192.168.9.5
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http path flash:/cme-gui-8.6.0
    ip route 192.168.17.2 255.255.255.255 Integrated-Service-Engine1/0
    ip access-list extended router-access
     permit tcp any host 66.111.111.111 eq 443
    tftp-server flash:apps31.9-3-1ES26.sbn
    control-plane
    voice-port 0/0/0:23
    voice-port 0/3/0
    voice-port 0/3/1
    mgcp profile default
    sccp local GigabitEthernet0/1
    sccp ccm 192.168.8.1 identifier 1 priority 1 version 7.0 
    sccp
    sccp ccm group 1
     bind interface GigabitEthernet0/1
     associate ccm 1 priority 1
     associate profile 1 register CME-CONF
    dspfarm profile 1 conference  
     codec g729br8
     codec g729r8
     codec g729abr8
     codec g729ar8
     codec g711alaw
     codec g711ulaw
     maximum sessions 4
     associate application SCCP
    dial-peer voice 500 voip
     destination-pattern 5..
     session protocol sipv2
     session target ipv4:192.168.17.2
     dtmf-relay sip-notify
     codec g711ulaw
     no vad
    dial-peer voice 10 pots
     description Incoming Calls To AA
     translation-profile incoming Inbound_Calls_To_CUE
     incoming called-number .
     port 0/0/0:23
    dial-peer voice 20 pots
     description local 10 digit dialing
     translation-profile outgoing Local-CLID
     destination-pattern 9[2-9].........
     incoming called-number .
     port 0/0/0:23
     forward-digits 10
    dial-peer voice 30 pots
     description long distance dialing
     translation-profile outgoing Local-CLID
     destination-pattern 91..........
     incoming called-number .
     port 0/0/0:23
     forward-digits 11
    dial-peer voice 40 pots
     description 911
     destination-pattern 911
     port 0/0/0:23
     forward-digits all
    dial-peer voice 45 pots
     description 9911
     destination-pattern 9911
     port 0/0/0:23
     forward-digits 3
    dial-peer voice 50 pots
     description international dialing
     translation-profile outgoing InternationalType
     destination-pattern 9T
     incoming called-number .
     port 0/0/0:23
    dial-peer voice 650 pots
     huntstop
     destination-pattern 650
     fax rate disable
     port 0/3/0
    gatekeeper
     shutdown
    telephony-service
     protocol mode ipv4
     sdspfarm units 5
     sdspfarm tag 1 CME-CONF
     conference hardware
     moh-file-buffer 90
     no auto-reg-ephone
     authentication credential cmeadmin tshbavsp$$4
     max-ephones 50
     max-dn 200
     ip source-address 192.168.8.1 port 2000
     service dnis dir-lookup
     timeouts transfer-recall 30
     system message Oregon's Wild Harvest
     url services http://192.168.17.2/voiceview/common/login.do 
     url authentication http://192.168.8.1/CCMCIP/authenticate.asp  
     cnf-file location flash:
     cnf-file perphone
     load 7931 SCCP31.9-3-1SR4-1S.loads
     load 7936 cmterm_7936.3-3-21-0.bin
     load 7942 SCCP42.9-3-1SR4-1S.loads
     load 7962 SCCP42.9-4-2-1S.loads
     time-zone 5
     time-format 24
     voicemail 500
     max-conferences 8 gain -6
     call-park system application
     call-forward pattern .T
     moh moh.wav
     web admin system name cmeadmin secret 5 $1$60ro$u.0r/cno/OD2JmtvPq4w9.
     dn-webedit 
     transfer-digit-collect orig-call
     transfer-system full-consult
     transfer-pattern .T
     fac standard
     create cnf-files version-stamp Jan 01 2002 00:00:00
    ephone-template  1
     softkeys connected  Hold Park Confrn Trnsfer Endcall ConfList TrnsfVM
     button-layout 7931 2
    ephone-template  2
     softkeys idle  Dnd Gpickup Pickup Mobility
     softkeys connected  Hold Park Confrn Mobility Trnsfer TrnsfVM
     button-layout 7931 2
    ephone-dn  1  dual-line
     number 200
     label Lisa
     name Lisa Ziomkowsky
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  2  dual-line
     number 201
     label Dylan
     name Dylan Elmer
     call-forward busy 500
     call-forward noan 500 timeout 12
    ephone-dn  3  dual-line
     number 202
     label Kimberly
     name Kimberly Krueger
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  4  dual-line
     number 203
     label Randy
     name Randy Buresh
     mobility
     snr calling-number local
     snr 915035042317 delay 5 timeout 15 cfwd-noan 500
     call-forward busy 500
     call-forward noan 500 timeout 12
    ephone-dn  5  dual-line
     number 204
     label Mark
     name Mark McBride
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  6  dual-line
     number 205
     label Susan
     name Susan Sundin
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  7  dual-line
     number 206
     label Rebecca
     name Rebecca Vaught
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  8  dual-line
     number 207
     label Ronnda
     name Ronnda Daniels
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  9  dual-line
     number 208
     label Matthew
     name Matthew Creswell
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  10  dual-line
     number 209
     label Nate
     name Nate Couture
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  11  dual-line
     number 210
     label Sarah
     name Sarah Smith
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  12  dual-line
     number 211
     label Janis
     name Janis McFerren
     call-forward busy 500
     call-forward noan 500 timeout 12
    ephone-dn  13  dual-line
     number 212
     label Val
     name Val McBride
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  14  dual-line
     number 213
     label Shorty
     name Arlene Haugen
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  15  dual-line
     number 214
     label Ruta
     name Ruta Wells
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  16  dual-line
     number 215
     label 5415489405
     name OWH Sales
     call-forward busy 500
     call-forward noan 500 timeout 12
    ephone-dn  17  dual-line
     number 216
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  18  dual-line
     number 217
     call-forward busy 500
     call-forward noan 500 timeout 12
    ephone-dn  19  dual-line
     number 218
     call-forward busy 500
     call-forward noan 500 timeout 12
    ephone-dn  20  dual-line
     number 219
     call-forward busy 500
     call-forward noan 500 timeout 12
    ephone-dn  21  dual-line
     number 220
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  22  dual-line
     number 221
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  23  dual-line
     number 222
     label Pam
     name Pam Buresh
     call-forward busy 500
     call-forward noan 500 timeout 12
    ephone-dn  24  dual-line
     number 223
     call-forward busy 500
     call-forward noan 500 timeout 12
    ephone-dn  25  dual-line
     number 224
     call-forward busy 500
     call-forward noan 500 timeout 12
    ephone-dn  26  dual-line
     number 225
     label Elaine
     name Elaine Mahan
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  27  octo-line
     number 250
     label Shipping
     name Shipping
    ephone-dn  28  dual-line
     number 251
     label Eli
     name Eli Nourse
     call-forward busy 500
     call-forward noan 500 timeout 10
    ephone-dn  29  dual-line
     number 252
    ephone-dn  30  dual-line
     number 253
    ephone-dn  31  octo-line
     number 100
     label Customer Service
     name Customer Service
     call-forward busy 500
     call-forward noan 500 timeout 12
    ephone-dn  32  octo-line
     number 101
     label Sales
     name Sales
     call-forward busy 214
     call-forward noan 214 timeout 12
    ephone-dn  33  dual-line
     number 260
     label Conference Room
     name Conference Room
     call-forward busy 100
     call-forward noan 100 timeout 12
    ephone-dn  100
     number 300
     park-slot timeout 20 limit 2 recall
     description Park Slot For All Company
    ephone-dn  101
     number 301
     park-slot timeout 20 limit 2 recall
     description Park Slot for All Company
    ephone-dn  102
     number 302
     park-slot timeout 20 limit 2 recall
     description Park Slot for All Company
    ephone-dn  103
     number 700
     name All Company Paging
     paging ip 239.1.1.10 port 2000
    ephone-dn  104
     number 8000...
     mwi on
    ephone-dn  105
     number 8001...
     mwi off
    ephone-dn  106  octo-line
     number A00
     description ad-hoc conferencing
     conference ad-hoc
    ephone-dn  107  octo-line
     number A01
     description ad-hoc conferencing
     conference ad-hoc
    ephone-dn  108  octo-line
     number A02
     description ad-hoc conferencing
     conference ad-hoc
    ephone  1
     device-security-mode none
     mac-address 001F.CA34.88AE
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:2 2:31
    ephone  2
     device-security-mode none
     mac-address 001F.CA34.8A03
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:12
    ephone  3
     device-security-mode none
     mac-address 001F.CA34.898B
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
    ephone  4
     device-security-mode none
     mac-address 001F.CA34.893F
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
    ephone  5
     device-security-mode none
     mac-address 001F.CA34.8A71
     ephone-template 1
     max-calls-per-button 2
     username "susan"
     paging-dn 103
     type 7931
     button  1:6
    ephone  6
     device-security-mode none
     mac-address 001F.CA34.8871
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:7 2:31 3:32
    ephone  7
     device-security-mode none
     mac-address 001F.CA34.8998
     ephone-template 1
     max-calls-per-button 2
     username "matthew"
     paging-dn 103
     type 7931
     button  1:9
    ephone  8
     device-security-mode none
     mac-address 001F.CA36.8787
     ephone-template 1
     max-calls-per-button 2
     username "nate"
     paging-dn 103
     type 7931
     button  1:10
    ephone  9
     device-security-mode none
     mac-address 001F.CA34.8805
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:5
    ephone  10
     device-security-mode none
     mac-address 001F.CA34.880C
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:14
    ephone  11
     device-security-mode none
     mac-address 001F.CA34.8935
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:3
    ephone  12
     device-security-mode none
     mac-address 001F.CA34.8995
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:8 2:31
    ephone  13
     device-security-mode none
     mac-address 0021.5504.1796
     ephone-template 2
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:4
    ephone  14
     device-security-mode none
     mac-address 001F.CA34.88F7
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:23
    ephone  15
     device-security-mode none
     mac-address 001F.CA34.8894
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:26
    ephone  16
     device-security-mode none
     mac-address 001F.CA34.8869
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:28 2:27
    ephone  17
     device-security-mode none
     mac-address 001F.CA34.885F
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:11
    ephone  18
     device-security-mode none
     mac-address 001F.CA34.893C
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:27
    ephone  19
     device-security-mode none
     mac-address 001F.CA34.8873
     ephone-template 1
     max-calls-per-button 2
     paging-dn 103
     type 7931
     button  1:27
    ephone  20
     device-security-mode none
     mac-address A456.3040.B7DD
     paging-dn 103
     type 7942
     vpn-group 1
     vpn-profile 1
     button  1:13
    ephone  21
     device-security-mode none
     mac-address A456.30BA.5474
     paging-dn 103
     type 7942
     vpn-group 1
     vpn-profile 1
     button  1:15 2:16 3:32
    ephone  22
     device-security-mode none
     mac-address A456.3040.B72E
     paging-dn 103
     type 7942
     vpn-group 1
     vpn-profile 1
     button  1:1
    ephone  23
     device-security-mode none
     mac-address 00E0.75F3.D1D9
     paging-dn 103
     type 7936
     button  1:33
    line con 0
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line 67
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    line vty 0 4
     transport input all
    scheduler allocate 20000 1000
    ntp master
    ntp update-calendar
    ntp server 216.228.192.69
    webvpn gateway sslvpn_gw
     ip address 66.111.111.111 port 443  
     ssl encryption 3des-sha1 aes-sha1
     ssl trustpoint cme_cert
     inservice
    webvpn context sslvpn_context
     ssl encryption 3des-sha1 aes-sha1
     ssl authenticate verify all
     policy group SSLVPNphone
       functions svc-enabled
       hide-url-bar
       svc address-pool "SSLVPNPhone_pool" netmask 255.255.248.0
       svc default-domain "bendbroadband.com"
     virtual-template 1
     default-group-policy SSLVPNphone
     gateway sslvpn_gw domain SSLVPNphone
     authentication certificate
     ca trustpoint cme_root
     inservice
    end

    I think your ACL could be the culprit.
    ip access-list extended router-access
     permit tcp any host 66.111.111.111 eq 443
    Would you be able to change the entry to permit ip any any (just for testing purposes) and then test to see if the calls function properly.  If they work fine then we know that we need to open some ports there.
    Please remember to select a correct answer and rate helpful posts
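The posted configuration puts GigabitEthernet0/0 in zone internet and Virtual-Template1 in zone trusted, while GigabitEthernet0/1 (where the office phones live) has no zone-member line. The following is an added model, written for this page and not code from the poster or from Cisco, that applies Cisco's documented zone-based firewall default rules (same zone: pass; zone member to an interface in no zone: drop; different zones: drop unless a zone-pair policy matches, with class-default dropping; traffic to or from the router itself passes when no zone-pair involves the self zone) to the zone-pairs, class-maps and ACL from the posted config. The sample flows, the LAN phone address 192.168.8.50 and the internet host 203.0.113.10 are constructed; 192.168.9.2 is taken from the posted VPN pool. It also shows the same evaluation with GigabitEthernet0/1 added to zone trusted, independently of the ACL question raised in the reply.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_if: str       # ingress interface name, or "self" for the router itself
    dst_if: str       # egress interface name, or "self"
    proto: str        # "tcp", "udp" or "icmp"
    dst_ip: str
    dst_port: int = 0


# Zone membership as posted: g0/1 has no zone-member line, so it maps to None.
POSTED_ZONES = {
    "GigabitEthernet0/0": "internet",
    "Virtual-Template1": "trusted",
    "GigabitEthernet0/1": None,
}


def match_sslvpn(flow):
    """class-map type inspect match-any sslvpn: tcp, udp or icmp."""
    return flow.proto in ("tcp", "udp", "icmp")


def match_router_access(flow):
    """class-map router-access -> ACL router-access: tcp to 66.111.111.111/443."""
    return (flow.proto == "tcp" and flow.dst_ip == "66.111.111.111"
            and flow.dst_port == 443)


# policy-map -> ordered (class name, matcher, action); class-default drops.
POLICY_MAPS = {
    "firewall-policy": [("sslvpn", match_sslvpn, "inspect")],
    "outside-to-router-policy": [("router-access", match_router_access, "inspect")],
}

# zone-pair (source, destination) -> service-policy type inspect
ZONE_PAIRS = {
    ("trusted", "internet"): "firewall-policy",
    ("internet", "trusted"): "outside-to-router-policy",
}


def zone_of(iface, zones):
    return "self" if iface == "self" else zones[iface]


def decide(flow, zones=POSTED_ZONES):
    """Return the ZBFW verdict for one flow under the given zone assignments."""
    src, dst = zone_of(flow.src_if, zones), zone_of(flow.dst_if, zones)
    policy = ZONE_PAIRS.get((src, dst))
    if policy is not None:                      # a zone-pair governs this path
        for name, matcher, action in POLICY_MAPS[policy]:
            if matcher(flow):
                return f"{action} (zone-pair {src}->{dst}, class {name})"
        return f"drop (zone-pair {src}->{dst}, class-default)"
    if "self" in (src, dst):                    # router-terminated traffic
        return "pass (self zone, no zone-pair configured)"
    if src is None and dst is None:
        return "pass (neither interface is in a zone)"
    if src is None or dst is None:
        return "drop (zone member to interface outside any zone)"
    if src == dst:
        return "pass (intra-zone)"
    return f"drop (no zone-pair {src}->{dst})"


# Constructed sample flows; RTP ports and the LAN/internet hosts are assumed.
SAMPLE_FLOWS = {
    "LAN phone RTP to VPN phone": Flow("GigabitEthernet0/1", "Virtual-Template1", "udp", "192.168.9.2", 16384),
    "VPN phone RTP to LAN phone": Flow("Virtual-Template1", "GigabitEthernet0/1", "udp", "192.168.8.50", 16384),
    "VPN phone SCCP to CME": Flow("Virtual-Template1", "self", "tcp", "192.168.8.1", 2000),
    "internet TLS to SSL VPN gateway": Flow("GigabitEthernet0/0", "self", "tcp", "66.111.111.111", 443),
    "VPN phone to internet host": Flow("Virtual-Template1", "GigabitEthernet0/0", "tcp", "203.0.113.10", 80),
}


def evaluate(zones=POSTED_ZONES):
    return {name: decide(flow, zones) for name, flow in SAMPLE_FLOWS.items()}


def with_lan_in_trusted():
    """Same flows with 'zone-member security trusted' added to g0/1 (hypothetical)."""
    zones = dict(POSTED_ZONES, **{"GigabitEthernet0/1": "trusted"})
    return evaluate(zones)


if __name__ == "__main__":
    for title, results in (("posted zones", evaluate()),
                           ("g0/1 in zone trusted", with_lan_in_trusted())):
        print(f"== {title} ==")
        for name, verdict in results.items():
            print(f"{name:34s} {verdict}")
```

Under the posted zone assignments the phones still register, because signalling to CME is traffic to the router itself, while the phone-to-phone media path between the unzoned LAN interface and the zoned Virtual-Template is dropped by the default rule for zone members talking to non-zone interfaces, in both directions and regardless of what the ACL permits. The second run shows the LAN path becoming intra-zone once g0/1 is a member of trusted.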

  • Sun One AS7 and Norton Internet Security (Personal Firewall)

    Hello,
    I have installed:
    - XP Home Edition Version 2002 SP1
    - Norton Internet Security Version 6.0.4.34 (Personal Firewall)
    - Sun One Application Server 7, Platform Edition
    When Personal Firewall is running I get:
    Could not start the instance: domain1:admin-server
    server failed to start: abnormal subprocess termination
    Could not start the instance: domain1:server1
    server failed to start: abnormal subprocess termination
    Could not start one or more instances in the domain : domain1
    Could not start one or more domains
    Press any key to continue . . .
    I've read the release notes:
    - changed port numbers
    - modified the firewall policy
    and still experience the same problem.
    When Personal Firewall is not running it works.
    I guess I can just turn off my firewall when I evaluate this product.
    I was wondering if anyone who has experienced and solved this problem
    could lend a hand.
    Thank you!

    Sorry! Does it work if you disable the Smart Firewall in Norton Internet Security? Did you check uninstalling Norton?
    Thanks!
    Harry

  • Getting VSG to recognise VNMC policy

    Hello All,
    I've installed the VSG and VNMC and it all looks good (everything's registered, everything sees everything else - VEM, VSM, etc.) however as soon as I try and apply a firewall policy to a port-profile from my VSM I get this logged in the VSM:
    2012 Sep 26 14:52:48 N1000v %VNS_AGENT-3-CORE_INVALID_PROF_ID_ERR: VNMC failed to resolve service-profile for port, name:Veth10
    This is the config for the port-profile:
    port-profile type vethernet TestTenant
    vmware port-group
    switchport mode access
    switchport access vlan 10
    org root/TestTenant
    vservice node VSG profile PolicyA
    no shutdown
    state enabled
    I've attached screen grabs where you can see TestTenant is in the root and PolicyA does exist, belonging to TestTenant.
    The only other error I get, which is obviously related is show vservice brief ends with:
    #  - PA/VNMC is not connected to VSM yet or Org config error or PA/VNMC malfunctioning
    We are connected to VNMC (show vn-pa status says so) so I assume it doesn't like my org or profile statements... but they match the screen grab...
    All other tests are good:
    N1000v# ping vsn all src-module all
    ping vsn 10.1.50.12 vlan 50 from module 3, seq=0 timeout=1-sec
    module(usec)   :  3(431)
    N1000v# show vservice node brief
    Node Information
    ID Name                     Type   IP-Address      Mode   State   Module
    1 VSG                      vsg    10.1.50.12      v-50   Alive   3,
    FW-TT# sh running-config rule
    rule default/default-rule@root
    action 10 drop
    rule default/default-rule@root/TestTenant
    action 10 drop
    FW-TT# show run policy
    Policy default-egress@root/TestTenant
    Policy default@root
    rule default/default-rule@root order 2
    Policy default@root/TestTenant
    rule default/default-rule@root/TestTenant order 2
    It just can't seem to look up my policy! Any ideas why?
    One thing I have noticed is there are no "Compute Security Profiles" under the TestTenant firewall, but I don't know if there should be or how to put some there? (Have a look at the SecProfiles.png attachment)

    Hi Jaso
    My problem is related to an ASA 1000v installation: If I attach a VM to the ASA1000V port-profile I receive the following error:
    2013 Mar 12 10:33:52 VSM-1110-01 %ETHPORT-5-IF_UP: Interface Vethernet13 is up in mode access
    2013 Mar 12 10:33:52 VSM-1110-01 %VNS_AGENT-3-CORE_DEFAULT_PROF_ID_ERR: VNMC resolves default-service-profile for port, name:Veth13 profile-id:1
    This is what show vservice brief says:
    VSM-1110-01# sh vservice brief
                                       License Information
    Type      In-Use-Lic-Count  UnLicensed-Mod
    vsg                      4 
    asa                      2 
                                       Node Information
    ID Name                     Type   IP-Address      Mode   State   Module
      1 CFW-VSG1                 vsg    10.1.103.242    v-103  Alive   3,4,
      2 ASA                      asa    10.1.100.1      v-1101 Alive   3,
                                       Path Information
                                       Port Information
    PortProfile:ASA-Bla-Test                   
    Org:root/TenantASA
    Node:ASA(10.1.100.1)                          Profile(Id):ASA-SEC(9)
    Veth Mod VM-Name                              vNIC IP-Address
      13   3 ubuntuc1                                1 10.1.100.11
    PortProfile:SECURE-VSG-C                   
    Org:root/TenantA
    Node:CFW-VSG1(10.1.103.242)                   Profile(Id):SEC-PROFILE-C(10)
    Veth Mod VM-Name                              vNIC IP-Address
       7   3 ubuntub1                                1 10.1.101.21
    PortProfile:SECURE-VSG-A                   
    Org:root/TenantA
    Node:CFW-VSG1(10.1.103.242)                   Profile(Id):SEC-PROFILE-A(5)
    Veth Mod VM-Name                              vNIC IP-Address
       8   4 ubuntua2                                1 10.1.101.12
    Please ignore the VSG - This is a lab and I'm also running a VSG setup (without problems by the way).
    Thanks for your support
    Marcel

  • Routing Policy for Wi-Fi Users

    Hi All,
    In my office I am using Microsoft Threat Management Gateway (software firewall).
    Can I set security like below?
    Users can connect to the Wi-Fi network but should not be able to access the internet directly; they should be able to access the local network, and for the internet they should go via Microsoft Threat Management Gateway.
    Note:
    Wi-Fi ADSL Router has 192.168.1.x  series ip
    Microsoft Threat Management Gateway server has 192.168.2.x series IP.
    Thanks In Advance
    Shailendra
    Shailendra Vishwakarma

    Hi,
    Connect the WiFi router directly to a dedicated NIC on the TMG Server.
    Configure the NIC with an IP address from the 192.168.1.x range with no Default Gateway.
    Create a new network on the TMG server.
    Create a network rule from the new TMG network to External of type NAT.
    Create a Firewall Policy rule from the new TMG network to External for the required protocols (HTTP, DNS for example).
    Configure the Wifi router to provide IP addresses from DHCP with the default Gateway DHCP scope option from the new NIC on the TMG Server (192.168.1.x).
    For DNS name resolution you can use a public DNS Server like 8.8.8.8. This can also be provided via DHCP scope option. 
    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3570

  • Novelty policy - missing tables

    Hello all,
    I have implemented Oracle Audit Vault along with Database Firewall version 12.1.2.3 (currently latest version) and I have a small problem with defining a novelty policy.
    I have configured secured targets and audit trails, everything works like a peach, alerts are being raised and the reports generated, even sent to my e-mail. I have also successfully implemented the DB firewall as a proxy and it successfully blocks an IP etc. The problem is when I try to configure a novelty policy to block certain command classes from certain tables in my DB. There aren't any to choose from in the novelty policy section. I have turned on auditing on multiple tables in my DB (like I said, reporting and alerting works fine). Am I missing something? I have read the instructions and it only says that I need to check the tables in the novelty policy configuration to which the rules apply. It doesn't say anything about what to do if there are no tables to choose from. I found that there was a bug in a previous 12c version, but I have the latest one.
    Has anyone else encountered such a problem and managed to resolve it?
    Thanks for your help in advance and best regards,
    Blaz

    Dear All
    For me reports are working, alerts & e-mail notification are working fine, but the firewall policy won't work properly.
    Nothing works even when configured properly:
    Creating Login and Logout Policies for Database Users
    Masking Sensitive Data
    Setting a Policy for Invalid SQL
    Configuring Global Firewall Policy Settings
    Thanks
    Muba.

  • Forefront TMG network policy server and VPN issue.

    Hello every one!
    I have a problem with configuring the VPN server on Forefront TMG on Windows Server 2008R2 with the latest Microsoft updates.
    I install Forefront TMG on Windows Server 2008R2 with the latest updates.
    Then, I configure the startup wizard where I set the network configuration etc.
    Next, I set the VPN settings: I set the DHCP pool, DNS servers, Access groups for VPN, and set PPTP.
    After applying these settings, the RemoteAccess service doesn't start. I try to reboot the server but the service doesn't start.
    But that's not the only problem.
    When I add VPN Access groups in Forefront and apply the configuration, I don't see changes in network policy server (nps.msc). Groups aren't added to the policy in network policy server.
    Screenshot
    If I start RemoteAccess manually and add the new VPN Access groups to the policy in network policy server, I can use the VPN server and connect to the Forefront server.
    But I don't understand why Forefront TMG can't apply these settings in nps.msc and services.
    What am I doing wrong?
    I use Windows Server 2008R2
    Forefront TMG RTM 7.0.7734.100

    Hello! Thank you for your help!
    I saw this link:
    http://www.isaserver.org/articles-tutorials/configuration-security/Implementing-Secure-Remote-Access-PPTP-Forefront-Threat-Management-Gateway-TMG-2010-Part2.html
    But I don't use a RADIUS server in my Forefront TMG VPN configuration.
    I configure client VPN access via PPTP.
    When I configure the TMG VPN settings, I set the VPN access groups. After that, the NPS server changes and applies the TMG network policy correctly.
    But if I change some TMG firewall policy and then try to add VPN access groups (screenshot -
    http://i.gyazo.com/34a34ba18a01c58689e5e3cddbc52585.png), the NPS server can't change and apply the TMG network policy correctly.
    Now I have two access groups in the TMG VPN settings
    http://i.gyazo.com/34a34ba18a01c58689e5e3cddbc52585.png
    And I have an NPS server network policy with incorrect settings
    http://i.gyazo.com/1dd973ca9cc2a228d54a53d88ca90009.png
    Forefront can't change the NPS server network policy. I don't understand where the problem is.
    I tried reinstalling TMG on a new machine, but the problem persists.

  • Oracle AVDF Database Firewall -  Status check error

    Hi all,
    We are using Oracle Audit Vault & Database Firewall 12.1.0. After checking the status of the database Firewall, in the diagnostic report, we keep getting the following errors:
         Checking bridges:                                           - FAILED
         Checking permissions on policy file oracle-policy_62.xml    - FAILED
    The first error goes away if we manually delete from system every traffic source/proxy configuration file, but as soon as we create a new one from management console, the error returns.
    The second error is about the file `oracle-policy_62.xml`, we have located it in the directory /usr/local/dbfw/upload/ and as I can tell from reading it, it is a kind of configuration file of the active firewall policy on the secure target. So, what can it be?
    Thank You.

    Hi,
    I had to log in as root and do the following:
    cd /
    find * -mtime -1 | more
    This shows the files modified in the last hour.... In my case it did not work, because I had a problem with conditions on alerts.

  • VPN Client - Specify Custom Client Firewall (eEye Blink)?

    I am trying to figure out if there is any way I can define a custom client firewall agent. Specifically I am looking to check for eEye's Blink HIPS agent. Ideally it would be great if this were fully supported/integrated similar to the various Zone agents or CSA. I would be more than willing to settle for basic AYT functionality in the meantime though.
    Is this possible? A pointer to the documentation or a "how-to" would be really appreciated. I did not see where I could configure this in the documentation, but I think I may be looking in the wrong place.
    Thanks in advance for any assistance.
    Chad

    The VPN Client then polls the personal firewall every 30 seconds to make sure it is running and if it is not, terminates the secure connection to the VPN Concentrator. In this case, the VPN Concentrator does not define the firewall policy. The only contact the VPN Client has with the firewall is polling it to ascertain that it is running, a capability known as Are You There (AYT).
    Refer to this link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a00802d3abc.html#wp1182844

  • CCP bug with with zone based firewall policies

    Hello guys,
    I'm facing a problem today right after creating some new rules.
    When we go to "Edit Firewall Policy", the Rule Flow Diagram shows up. My problem is that I no longer see the button that lets me disable it!
    You can see the screenshot.
    So my questions are:
    - Is there a way to disable this diagram ? (maybe with some java configuration)
    - Is there a way to modify this display ?
    I have the same problem on a Win7, Win8, Win2008 & Win2012. Tested with Java 1.6u11 to 1.7
    Thanks for the help.

    I tried taking the http inspection rules out and had the same problem.
    Debug messages:
    000168: Feb  9 14:26:06.108 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25  due to  Out-Of-Order Segment with ip ident 0
    000169: Feb  9 14:26:36.156 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53846  due to  Out-Of-Order Segment with ip ident 0
    000170: Feb  9 14:27:06.459 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25  due to  Out-Of-Order Segment with ip ident 0
    000171: Feb  9 14:27:36.823 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.131:80 192.168.1.11:53823  due to  Out-Of-Order Segment with ip ident 0
    000172: Feb  9 14:28:08.007 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53897  due to  Out-Of-Order Segment with ip ident 0
    000173: Feb  9 14:28:46.336 gmt: %FW-6-DROP_PKT: Dropping tcp session 61.206.117.4:56336 192.168.1.1:25  due to  Retransmitted Segment with Invalid Flags with ip ident 0
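    The drop lines above are worth triaging before touching the inspection rules. The following shell script is an added example (not code from the thread or from Cisco): it pulls the protocol, source, destination and drop reason out of %FW-6-DROP_PKT syslog lines and counts drops per reason and per destination socket, so you can see whether the drops cluster on one service (here the SMTP listener on 192.168.1.1:25 and HTTP return traffic to 192.168.1.11) or are spread across everything. The sample log embedded in the script is constructed after the posted lines and is not a real capture; the script makes no claim about the root cause of the out-of-order drops.

```shell
#!/bin/sh
# Added example: triage Cisco IOS zone-based firewall %FW-6-DROP_PKT messages.
# Not from the original thread or from Cisco. Works on any POSIX sh with sed/awk.
set -eu

# Constructed sample, modelled on the lines in the post (not a real capture).
# The last line is a non-firewall message and must be ignored by the parser.
SAMPLE_LOG='000168: Feb  9 14:26:06.108 gmt: %FW-6-DROP_PKT: Dropping tcp session 195.74.103.133:33032 192.168.1.1:25  due to  Out-Of-Order Segment with ip ident 0
000169: Feb  9 14:26:36.156 gmt: %FW-6-DROP_PKT: Dropping tcp session 173.194.41.130:80 192.168.1.11:53846  due to  Out-Of-Order Segment with ip ident 0
000173: Feb  9 14:28:46.336 gmt: %FW-6-DROP_PKT: Dropping tcp session 61.206.117.4:56336 192.168.1.1:25  due to  Retransmitted Segment with Invalid Flags with ip ident 0
000174: Feb  9 14:29:00.000 gmt: %SYS-5-CONFIG_I: Configured from console by admin'

# Normalise each DROP_PKT line (stdin) to: proto|src|dst|reason
# Lines that are not %FW-6-DROP_PKT are dropped by the -n/p combination.
parse_fw_drops() {
    sed -nE 's/^.*%FW-6-DROP_PKT: Dropping ([a-z]+) session ([^ ]+) ([^ ]+) +due to +(.*) with ip ident [0-9]+ *$/\1|\2|\3|\4/p'
}

# Drops per reason, most frequent first: "<count>|<reason>"
drops_by_reason() {
    parse_fw_drops \
      | awk -F'|' '{ n[$4]++ } END { for (r in n) printf "%d|%s\n", n[r], r }' \
      | sort -t'|' -k1,1nr
}

# Drops per destination socket (ip:port): shows which listener or client is hit
drops_by_dst() {
    parse_fw_drops \
      | awk -F'|' '{ n[$3]++ } END { for (d in n) printf "%d|%s\n", n[d], d }' \
      | sort -t'|' -k1,1nr
}

# Number of drops for one destination socket ($1), e.g. 192.168.1.1:25
drop_count_for_dst() {
    parse_fw_drops | awk -F'|' -v d="$1" '$3 == d { c++ } END { print c+0 }'
}

main() {
    if [ "$#" -gt 0 ]; then
        cat "$@" | drops_by_reason          # real syslog files given as arguments
    else
        printf '%s\n' "$SAMPLE_LOG" | drops_by_reason   # constructed sample
    fi
}
main "$@"
```

    Run it as `./fwdrops.sh /var/log/router.log` against the exported syslog, or with no arguments to see the sample. On the posted lines the output is 2|Out-Of-Order Segment and 1|Retransmitted Segment with Invalid Flags, and drops_by_dst shows both SMTP drops landing on 192.168.1.1:25, which is the place to look first.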

  • Software firewall on client computer preventing logging in to portal

    A client has a CA software firewall on her PC; when trying to log in after providing username and password, she remains on the same page without logging in. Disabling the firewall lets her in. Is anyone aware of what is causing this, and is there a way around it?

    Maybe you can specify in the firewall policy to grant access to the SSO port number.

  • Add firewall rule with custom environment variable in program path

    Hi,
    We want to create a firewall rule for a program which is placed in a folder that changes sometimes. I know you can add a firewall rule with the ProgramFiles environment variable like this:
    netsh advfirewall firewall add rule name="Test Firewall rule" dir=in program="%%ProgramFiles%%\Test\Test.exe" action=allow security=notrequired
    The environment variable ProgramFiles isn't expanded and if the Program Files folder is different on a system the rule still works.
    We try to use this with a custom environment variable which we set a system environment variable with this command:
    SETX SomeFolder "D:\Some Folder\Apr 2015" /M
    If we use the command below to add the firewall rule in a batch file the environment variable SomeFolder is expanded correctly and the program path is added as a static path.
    netsh advfirewall firewall add rule name="Some Firewall Rule" dir=in program="%SomeFolder%\AFile.exe" action=allow security=notrequired
    Because the folder changes sometimes we want to change the environment variable SomeFolder and not remove the old firewall rule and create a new one. We want to add the environment variable SomeFolder to the program path as a (dynamic) environment variable
    and not as the expanded path at the moment when the rule is added. If we use this command:
    netsh advfirewall firewall add rule name="Some Firewall Rule" dir=in program="%%SomeFolder%%\AFile.exe" action=allow security=notrequired
    We get the error:
              Windows Firewall with Advanced Security
              An error occurred while adding the rule.
              Error: The parameter is incorrect
              Status: The application name could not be resolved
              OK   
    Why can't we use %%SOMEFOLDER%% like we can use %%PROGRAMFILES%%? The same error is shown when we try to add the firewall rule through the management console 'Windows Firewall with Advanced Security'
    W. Spu

    Hi,
    Based on my many tests with this problem, it seems there is no better method to achieve your requirement. To add a new policy to the firewall, it would be better to use the general cmdlet. A path parameter like %%SomeFolder%% does have problems in the add firewall
    policy cmdlet.
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Apply different firewall controls on different adapters

    Hi Mac Folks
    As the Mac Pro has three network adapters (2 x Gigabit Ethernet + 1 x Wi-Fi), I prefer using the wireless connection to access the Internet and leaving the two wired connections for private file sharing and VM communication.
    Therefore, for the wireless connection, the firewall policy should disable all incoming traffic and allow all outgoing access, while the wired connections should be firewall-free or allow specific application protocols. But it seems the Firewall options under System Preferences have no such detailed control.
    Is it possible to apply different firewall controls on different adapters?
    Any comments are welcome.
    Thanks,
    B

    Bad news on ipfw -- DEPRECATED:
    IPFW(8)                   BSD System Manager's Manual                  IPFW(8)
    NAME
         ipfw -- IP firewall and traffic shaper control program (DEPRECATED)
    SYNOPSIS
         ipfw [-cq] add rule
         ipfw [-acdefnNStT] {list | show} [rule | first-last ...]
         ipfw [-f | -q] flush
         ipfw [-q] {delete | zero | resetlog} [set] [number ...]
         ipfw enable {firewall | one_pass | debug | verbose | dyn_keepalive}
         ipfw disable {firewall | one_pass | debug | verbose | dyn_keepalive}
         ipfw set [disable number ...] [enable number ...]
         ipfw set move [rule] number to number
         ipfw set swap number number
         ipfw set show
         ipfw {pipe | queue} number config config-options
         ipfw [-s [field]] {pipe | queue} {delete | list | show} [number ...]
         ipfw [-cnNqS] [-p preproc [preproc-flags]] pathname
    DESCRIPTION
         Note that use of this utility is DEPRECATED. Please use pfctl(8) instead.
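    Since pf is what the man page points to, here is the per-adapter policy the question asks for, written as a pf ruleset. This is an added example, not code from the thread or from Apple. It assumes en0 is the Wi-Fi adapter, en1 and en2 are the wired ports, the wired side sits on a private 192.168.50.0/24 segment, and the services to expose there are AFP (548), SMB (445), Screen Sharing (5900) and mDNS (5353); change the variables at the top for your Mac. The Wi-Fi adapter gets a default-deny inbound policy with stateful outbound, the wired adapters admit only the listed services and only from the private LAN, and everything denied is logged to pflog0.

```shell
#!/bin/sh
# Added example (not from the thread or from Apple): generate and load a pf
# ruleset that treats each adapter differently. Interface names, the LAN
# prefix and the service ports are assumptions; adjust them to your Mac.
set -eu

WIFI_IF="${WIFI_IF:-en0}"                        # assumed: Wi-Fi, Internet-facing
WIRED_IFS="${WIRED_IFS:-en1 en2}"                # assumed: the two Gigabit ports
LAN_NET="${LAN_NET:-192.168.50.0/24}"            # assumed: private wired segment
LAN_TCP_PORTS="${LAN_TCP_PORTS:-548, 445, 5900}" # assumed: AFP, SMB, Screen Sharing

# Print the ruleset to stdout.
# Wi-Fi: drop and log all unsolicited inbound, allow stateful outbound.
# Wired: admit only the listed services, and only from the private LAN.
pf_ruleset() {
    wired_list=$(printf '%s' "$WIRED_IFS" | sed 's/ /, /g')
    cat <<EOF
wifi = "$WIFI_IF"
wired = "{ $wired_list }"
lan = "$LAN_NET"
set skip on lo0
# Internet-facing adapter: nothing inbound, everything denied is logged
block drop in log on \$wifi all
pass out on \$wifi proto { tcp, udp, icmp } from any to any keep state
# Wired adapters: private services only, and only from the private LAN
block drop in log on \$wired all
pass in on \$wired proto tcp from \$lan to any port { $LAN_TCP_PORTS } keep state
pass in on \$wired proto udp from \$lan to any port 5353 keep state
pass out on \$wired from any to \$lan keep state
EOF
}

# Dry-run parse (-n) first so a typo never leaves the host unprotected,
# then load and enable. Needs root and macOS. Loading with -f replaces the
# active main ruleset, so put the rules in /etc/pf.conf (or in an anchor
# referenced from there) if they must survive a reboot.
pf_apply() {
    tmp=$(mktemp)
    pf_ruleset > "$tmp"
    pfctl -nf "$tmp"          # syntax check only; nothing is loaded on error
    pfctl -f "$tmp"
    pfctl -e || true          # "already enabled" is not a failure
    rm -f "$tmp"
}

if [ "${1:-}" = "--apply" ]; then
    pf_apply
else
    pf_ruleset                # default: print the ruleset for review
fi
```

    Review the printed ruleset first (`./mac-pf.sh`), then load it with `sudo ./mac-pf.sh --apply`; `sudo tcpdump -n -e -ttt -i pflog0` shows what the block rules are dropping. Because the wired rules match on `$lan` as the source, a VM or a guest plugged into a wired port from another prefix gets nothing, which is the point of keeping that side private.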

  • Tufin's Firewall Management Revolution, Sept. 18 ?

    Hi
    Any more detailed information about what Tufin means by Revolution?
    Here is some info:
    Answer:
    The biggest advancement that firewall policy management has seen in the last 20 years
    A top-down approach to managing firewall policies
    It's under embargo until September 2012
    Will be announced at CPUG 2012
    All of the above
    Be among the first to know!
    Join Michael Hamelin on September 18, at the BMW Welt Club Restaurant, at 19:30 PM*.
    Address: BMW WELT - Am Olympiapark 1, 80809 Munich
    *places limited

    David,
    I agree with you, Tufin still, as of TODAY, does not work well with Cisco products. I have set up Tufin in 3 large deployments going all the way back to 2007; it's certainly come a long way. It's interesting to me, dealing with a lot of vendors, how many tell you that's the way it 'used' to be, but we've since fixed something. Don't be gullible.
    I specifically purchased Tufin for a large client to perform automatic policy generation so we could create rulebases out of logs, nearly out of thin air. Let me tell you, the product is NOT FULLY BAKED in this area. I'm surprised a company would sell a customer a product that has *new* features that are not fully functional. After months of working with developers in Israel we were left with a clunky and primitive way to create a rulebase, and it never fully worked. The customer was angry and pushed me to get a refund; that's how bad it was.
    I was provided about 100 scripts, not all at once; they worked one day and not the next. The scripts had to continue to be modified to understand Cisco log entries!! I would bounce from CLI back to the GUI and run scripts with a 25% success rate. You can be the beta tester if you like, but products that don't work shouldn't be sold as if they do.
    The pendulum continues to swing. In 2006 something went wrong with FireMon (I hear it was political) and it was broken, so my company decided to use Tufin. Now I've gone back to using FireMon's Traffic Flow Analysis, which does work with Cisco ASA and has the features I wanted to make my life easier, and they are fully functional.
