I'm looking at a problem with some provisioning of devices that require connection to external services with Apple. We have some firepower 4150 firewalls. I have noticed that blocks are occuring of return traffic. I cannot see why this would occur, and the rule referenced is a block rule at the end of the list or rules that someone created to say "no external to internal" basically.
I'm a little confused, as surely this is standard stateful stuff and should not hit our last rule of block external to internal inwards It should be part of the normal rulesets. We have connections out, so the block referenced is typically saying the initiator is the external IP, sourced tcp/443, to one of our internal IPs, on the sort of tcp port you might expect, like 49552. Obviously Apple aren't initiating those connections... The fact it is mapped back to an internal IP means it's matching outbound translations, and permit rule.
I don't see any reason for the block given, just block. It's a bit of a headache, especially as our accounts seem to have bungled our support contract for the devices.
Anyone got any quick ideas about this while I sort out support. People are asking me to whitelist IPs, which is going to be unmanageable, as I notice it's not just Apple external 17/8 as seen in https://support.apple.com/en-us/HT210060, but cdn as well. I'm obviously not going to whitelist akamai am I? :| Sadly I've never done any firepower course, only had the old ccna sec. I see I could maybe create a reputation list or similar to feed a whitelist to the device, so I have little in the way of ideas. I could create a massive list of trust policies outbound in case it is snort, but initial testing didn't seem to help, only phsyically whitelisting IPs seems to have any results. Day to day I personally only really manage ASA devices myself currently, and our guy that deployed the firewalls moved on. I try keep firepowers firmware up to date, though now knowing support is lapse I have deferred upgrade to 6.6.5 from 6.6.4 in case of a fault.
No comments:
Post a Comment