Troubleshooting Firewall Configuration Issues - Motorola WiNG 4.4 Reference Manual


C - 14 WiNG 4.4 Switch System Reference Guide
C.5 Troubleshooting Firewall Configuration Issues
Motorola Solutions recommends adhering to the following guidelines when dealing with problems related to RFS7000 Firewall configuration:
• A Wired Host (Host-1) or Wireless Host (Host-2) on the untrusted side is not able to connect to the Wired Host (Host-3) on the trusted side
• A wired Host (Host-1) on the trusted side is not able to connect to a Wireless Host (Host-2) or Wired Host (Host-3) on the untrusted side
A Wired Host (Host-1) or Wireless Host (Host-2) on the untrusted side is not able to connect to the Wired Host (Host-3) on the trusted side
1. Check that an IP ping from Host-1/Host-2 to the interface on the trusted side of the Motorola Solutions RF Series Switch works.
CLI (from any context) - ping <host/ip_address>
2. If it works, then there is no problem in connectivity.
3. Check whether Host-1/Host-2 and Host-3 are on the same IP subnet.
If not, add proper NAT entries for the configured LANs under the Firewall context.
4. After the last step, check again that an IP ping from Host-1 to the interface on the trusted side of the Motorola Solutions RF Series Switch works.
If it works, then the problem is solved.
A wired Host (Host-1) on the trusted side is not able to connect to a Wireless Host (Host-2) or Wired Host (Host-3) on the untrusted side
1. Check that an IP ping from Host-1 to the interface on the untrusted side of the switch works.
2. If it works, then there is no problem in connectivity.
3. Now check whether Host-1 and Host-2/Host-3 are on the same IP subnet.
If not, add proper NAT entries for the configured LANs under the Firewall context.
4. Once step 3 is completed, check again that an IP ping from Host-1 to the interface on the untrusted side of the switch works.
If it works, then the problem is solved.
C.5.0.1 Disabling of telnet, ftp and web traffic from hosts on the untrusted side does not work.
1. Check the configuration for the desired LAN under the FW context (which is under the configure context).
CLI - configure fw <LAN_Name>
2. Check whether ftp, telnet and web are in the denied list. In this case, web is HTTPS traffic, not HTTP.
3. Ensure that the "network policy" and "Ethernet port" set for the LAN are correct.
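
An added example, not part of the Motorola manual: a Python check, run from a host on the untrusted side, that confirms the deny list from step 2 is actually enforced and separates the HTTPS rule from plain HTTP. The standard port numbers, the function names tcp_reachable and audit_denied, and the demo host name are assumptions.

```python
import socket
import sys

# Assumption: the deny-list service names map to their standard TCP ports.
# Per step 2, "web" is HTTPS (443); HTTP (80) is outside that rule.
SERVICE_PORTS = {"ftp": 21, "telnet": 23, "web": 443}
HTTP_PORT = 80


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake with host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name lookup failure
        return False


def audit_denied(host, denied, probe=tcp_reachable):
    """Probe every denied service; return (service, port, verdict) rows."""
    rows = []
    for service in denied:
        port = SERVICE_PORTS[service]
        verdict = "LEAK" if probe(host, port) else "blocked"
        rows.append((service, port, verdict))
    # Testing with a plain http:// URL exercises port 80, which the "web"
    # deny does not cover, so report it separately instead of as a leak.
    if "web" in denied and probe(host, HTTP_PORT):
        rows.append(("http", HTTP_PORT, "open, not covered by 'web' deny"))
    return rows


if __name__ == "__main__":
    denied = ["ftp", "telnet", "web"]
    if len(sys.argv) > 1:
        rows = audit_denied(sys.argv[1], denied)  # address of Host-3
    else:
        # Constructed demo: pretend only ports 23 and 80 answer.
        rows = audit_denied("host-3", denied, probe=lambda h, p: p in (23, 80))
    for service, port, verdict in rows:
        print(f"{service:7} tcp/{port:<4} {verdict}")
```

A "blocked" verdict is only meaningful if the same service answers when probed from the trusted side; otherwise the service may simply not be running on Host-3.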
C.5.0.2 How to block requests from a host on the untrusted side to a host on the trusted side based on packet classification.
1. Add a new Classification Element with the required Matching Criteria.
2. Add a new Classification Group and assign the newly created Classification Element to it. Set the action required.
3. Add a new Policy Object (PO). This should match the direction of the packet flow, i.e. Inbound or Outbound.
4. Add the newly created PO to the active Network Policy.
