Hi
I have a 5GT (non-wireless, non-ADSL) firewall which is set up in Home-Work mode with an ADSL/PPPoE service delivered via an external modem on the untrust/eth3 interface.
Everything was working fine. I had some VIPs set up to access devices behind the 5GT on the Work zone and was connected to these when things stopped working. My connections to these VIPs closed (RDP and SSH) and I couldn't connect to them anymore, even though I wasn't configuring anything on the firewall at the time this issue started. I thought maybe the ADSL link had gone down, but I could still get on to the web GUI of the device via the IP address of the Untrust interface. I could also connect to the device with an NCP IPSec VPN client and access the IP address of the Work interface.
I checked the logs of the firewall and could no longer see new hits on the policies allowing the services to the configured VIPs on the Untrust interface. I started trying to ping different devices on the private networks from the firewall (which I was still able to SSH/telnet to), but these generally wouldn't work; sometimes I would get responses, maybe for a couple of packets, and then no replies again. The device I was trying to ping from the firewall is connected directly to the firewall; there is no switch or other device in between. I have also changed the cable and the problem persists. I also noticed the CPU usage is quite high, constantly above 70%, which for a device that at the moment isn't passing any traffic seems a bit ridiculous.
I swapped the actual firewalls (I have two of the same devices). The old device had version 5.2 and the new one has 5.3 (both quite old, I know). I was pretty certain that it looked like a hardware issue and that this would solve the problem, but after reapplying the previous configuration file I found the same problems, which made me start thinking that maybe this was a configuration error or a bug. Since both the hardware and the software version have changed, I now think it may be a config error, but I would like some people's opinions.
I find it very strange that I can access the device from the web on its Untrust interface, but the device doesn't log anything when I try to connect to a VIP defined on the same Untrust interface. The device is at a remote site, so I am limited in what I can do physically, but I do have a capable person there who is able to assist. They swapped the firewall, changed the cables and loaded the configuration file on the new firewall for me.
Can anyone help me with this? I have included my configuration details below.
Thanks
set clock ntp
set clock timezone 9
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "RDP-9833" protocol tcp src-port 0-65535 dst-port 9833-9833
set service "RDP-3389" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "SSH-2222" protocol tcp src-port 0-65535 dst-port 2222-2222
set service "SSH-2223" protocol tcp src-port 0-65535 dst-port 2223-2223
set service "SSH-2224" protocol tcp src-port 0-65535 dst-port 2224-2224
set service "SSH-2221" protocol tcp src-port 0-65535 dst-port 2221-2221
set service "RDP-3001" protocol tcp src-port 0-65535 dst-port 3001-3001
set service "RDP-3002" protocol tcp src-port 0-65535 dst-port 3002-3002
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin password "xxxxxxxxxxxxxxxxxx"
set admin auth timeout 0
set admin auth server "Local"
set admin format dos
set zone "Work" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "Home" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Work" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "Home" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Work"
set interface "ethernet2" zone "Home"
set interface "ethernet3" zone "Untrust"
set interface ethernet1 ip 192.168.30.1/24
set interface ethernet1 nat
set interface ethernet2 ip 192.168.31.1/24
set interface ethernet2 nat
set interface ethernet3 ip x.x.x.x/32
set interface ethernet3 route
unset interface vlan1 ip
set interface ethernet1 mtu 1500
set interface ethernet2 mtu 1500
set interface ethernet3 mtu 1492
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
unset interface ethernet2 ip manageable
set interface ethernet3 ip manageable
unset interface ethernet1 manage web
set interface ethernet2 manage ping
set interface ethernet2 manage web
set interface ethernet3 manage ssh
set interface ethernet3 manage ssl
set interface ethernet3 vip untrust 9833 "RDP-3389" 192.168.30.200
set interface ethernet3 vip untrust 2221 "SSH" 192.168.30.202
set interface ethernet3 vip untrust 2222 "SSH" 192.168.30.203
set interface ethernet3 vip untrust 2223 "SSH" 192.168.30.201
set interface ethernet3 vip untrust 3001 "RDP-3389" 192.168.31.200
set interface ethernet3 vip untrust 3002 "RDP-3389" 192.168.31.201
set interface ethernet1 dhcp server service
set interface ethernet2 dhcp server service
set interface ethernet1 dhcp server enable
set interface ethernet2 dhcp server enable
set interface ethernet1 dhcp server option lease 1440000
set interface ethernet1 dhcp server option gateway 192.168.30.1
set interface ethernet1 dhcp server option netmask 255.255.255.0
set interface ethernet2 dhcp server option lease 1440000
set interface ethernet2 dhcp server option gateway 192.168.31.1
set interface ethernet2 dhcp server option netmask 255.255.255.0
set interface ethernet2 dhcp server option dns1 61.88.88.88
set interface ethernet1 dhcp server ip 192.168.1.33 to 192.168.1.126
set interface ethernet1 dhcp server ip 192.168.30.20 to 192.168.30.29
set interface ethernet2 dhcp server ip 192.168.31.10 to 192.168.31.20
set flow tcp-mss 1392
set flow all-tcp-mss 1304
unset flow no-tcp-seq-check
set flow tcp-syn-check
set domain xxx.xxxx
set hostname xxxxxxxx
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 203.12.160.35
set dns host dns2 203.12.160.36
set dns host schedule 06:28 interval 4
set address Work "192.168.30.200/32" 192.168.30.200 255.255.255.255
set address Work "DU-WORK-192.168.30.0/24" 192.168.30.0 255.255.255.0
set address Global "192.168.30.0/24" 192.168.30.0 255.255.255.0
set address Home "DU-HOME-192.168.31.0/24" 192.168.31.0 255.255.255.0
set user "NCP-IKE.User" uid 6
set user "NCP-IKE.User" ike-id u-fqdn "yyyyy" share-limit 1
set user "NCP-IKE.User" type auth ike
set user "NCP-IKE.User" password "xxxxxxxxxxxxxxxxx"
set user "NCP-IKE.User" "enable"
set ike gateway "NCP.P1.Gateway" dialup "NCP-IKE.User" Aggr outgoing-interface "ethernet3" preshare "xxxxxxxxxxxxxxxxxxxxxxx" proposal "pre-g2-aes128-sha"
unset ike gateway "NCP.P1.Gateway" nat-traversal
set ike respond-bad-spi 1
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "NCP.P2.Remote.Access" gateway "NCP.P1.Gateway" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set url protocol sc-cpa
exit
set policy id 1 from "Work" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
set log session-init
exit
set policy id 2 from "Work" to "Home" "Any" "Any" "ANY" permit log
set policy id 2
set log session-init
exit
set policy id 3 from "Home" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 3
set log session-init
exit
set policy id 4 from "Home" to "Work" "Any" "Any" "ANY" deny
set policy id 21 from "Work" to "Untrust" "192.168.30.200/32" "Any" "ANY" deny log
set policy id 21
set log session-init
exit
set policy id 20 from "Work" to "Global" "192.168.30.200/32" "Any" "ANY" permit log
set policy id 20
set log session-init
exit
set policy id 17 from "Untrust" to "Global" "Any" "VIP(ethernet3)" "RDP-3001" permit log
set policy id 17
set service "RDP-9833"
set service "SSH-2221"
set service "SSH-2222"
set service "SSH-2223"
set service "SSH-2224"
set log session-init
exit
set policy id 18 from "Untrust" to "Global" "Any" "VIP(ethernet3)" "RDP-3002" permit log
set policy id 18
set log session-init
exit
set policy id 14 name "NCP-IPSEC-Remote-Access" from "Work" to "Untrust" "DU-WORK-192.168.30.0/24" "Dial-Up VPN" "ANY" tunnel vpn "NCP.P2.Remote.Access" id 17 pair-policy 13 log
set policy id 14 disable
set policy id 14
set log session-init
exit
set policy id 13 name "NCP-IPSEC-Remote-Access" from "Untrust" to "Work" "Dial-Up VPN" "DU-WORK-192.168.30.0/24" "ANY" tunnel vpn "NCP.P2.Remote.Access" id 17 pair-policy 14 log
set policy id 13
set log session-init
exit
set policy id 5 from "Untrust" to "Global" "Any" "VIP(ethernet3)" "RDP-9833" permit log
set policy id 5
set log session-init
exit
set policy id 6 name "SSH to PDU-01" from "Untrust" to "Global" "Any" "VIP(ethernet3)" "SSH-2221" permit log
set policy id 6
set log session-init
exit
set policy id 7 name "SSH to PDU-02" from "Untrust" to "Global" "Any" "VIP(ethernet3)" "SSH-2222" permit log
set policy id 7
set log session-init
exit
set policy id 8 name "SSH to Cyclades NTSR" from "Untrust" to "Global" "Any" "VIP(ethernet3)" "SSH-2223" permit log
set policy id 8
set log session-init
exit
set policy id 10 from "Work" to "Untrust" "Any" "Any" "ANY" deny log
set policy id 10
set log session-init
exit
set policy id 11 from "Untrust" to "Work" "Any" "Any" "ANY" deny log
set policy id 11
set log session-init
exit
set policy id 16 from "Home" to "Untrust" "Any" "Any" "ANY" deny log
set policy id 16
set log session-init
exit
set policy id 19 from "Untrust" to "Global" "Any" "VIP(ethernet3)" "ANY" deny log
set policy id 19
set log session-init
exit
set pppoe name "TTT"
set pppoe name "TTT" username "xxxxxxxxxxxx" password "xxxxxxxxxxxxxxxxx"
set pppoe name "TTT" idle 0
set pppoe name "TTT" interface ethernet3
unset pppoe name "TTT" update-dhcpserver
set pppoe name "TTT" ppp lcp-echo-timeout 10
set pppoe name "TTT" auto-connect 1
set global-pro policy-manager primary outgoing-interface ethernet3
set global-pro policy-manager secondary outgoing-interface ethernet3
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
set ssl port 4443
set ntp server "203.12.160.2"
set ntp server src-interface "ethernet3"
set ntp server backup1 "203.26.24.6"
set ntp server backup1 src-interface "ethernet3"
set ntp server backup2 "0.0.0.0"
set ntp max-adjustment 3600
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit