FortiGate
Kraven2323
Staff
Article Id 221046
Description

This article explains the behavior of policy-based firewall authentication when 'auth-on-demand' is set to 'always'.

Scope

Firewall Policy:

[Screenshot: firewall policy list]

 

Force the authentication policy to take precedence over the IP-based policy:

config user setting
    set auth-on-demand always <----- Always trigger firewall authentication on demand.
end

 

Most useful debug:

diagnose debug flow filter addr x.x.x.x
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug enable
diagnose debug flow trace start 99

 

Sample Debug Flow:

id=20085 trace_id=1000 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=6, 10.234.1.225:50281->172.217.26.68:443) tun_id=0.0.0.0 from port2. flag [S], seq 4065843363, ack 0, win 8192"
id=20085 trace_id=1000 func=init_ip_session_common line=6042 msg="allocate a new session-00093fac, tun_id=0.0.0.0"
id=20085 trace_id=1000 func=iprope_dnat_check line=5305 msg="in-[port2], out-[]"
id=20085 trace_id=1000 func=iprope_dnat_tree_check line=830 msg="len=0"
id=20085 trace_id=1000 func=iprope_dnat_check line=5317 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=1000 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.47.15.254 via port1"
id=20085 trace_id=1000 func=iprope_fwd_check line=789 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=20085 trace_id=1000 func=__iprope_tree_check line=549 msg="gnum-100004, use svc hash, slot=27, len=6"
id=20085 trace_id=1000 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
id=20085 trace_id=1000 func=get_new_addr line=1228 msg="find SNAT: IP-10.47.1.175(from IPPOOL), port-50281"
id=20085 trace_id=1000 func=__iprope_user_identity_check line=1818 msg="ret-stop"
id=20085 trace_id=1000 func=iprope_fwd_check line=826 msg="after iprope_captive_check(): is_captive-0, ret-stop, act-drop, idx-0"
id=20085 trace_id=1000 func=iprope_fwd_auth_check line=845 msg="after iprope_captive_check(): is_captive-0, ret-stop, act-drop, idx-0"
id=20085 trace_id=1000 func=__iprope_check line=2276 msg="gnum-3, check-ffffffffa002be00"
id=20085 trace_id=1000 func=__iprope_check_one_policy line=2029 msg="checked gnum-3 policy-4294967295, ret-no-match,act-drop"
id=20085 trace_id=1000 func=__iprope_check_one_policy line=2029 msg="checked gnum-3 policy-4294967295, ret-no-match,act-drop"
id=20085 trace_id=1000 func=__iprope_check_one_policy line=2029 msg="checked gnum-3 policy-4294967295, ret-no-match,act-drop"
id=20085 trace_id=1000 func=__iprope_check_one_policy line=2029 msg="checked gnum-3 policy-4294967295, ret-no-match,act-drop"
id=20085 trace_id=1000 func=__iprope_check_one_policy line=2029 msg="checked gnum-3 policy-4294967295, ret-no-match,act-drop"
id=20085 trace_id=1000 func=__iprope_check_one_policy line=2029 msg="checked gnum-3 policy-4294967295, ret-matched, act-drop"
id=20085 trace_id=1000 func=__iprope_check_one_policy line=2246 msg="policy-4294967295 is matched, act-redirect"
id=20085 trace_id=1000 func=__iprope_check line=2293 msg="gnum-3 check result: ret-matched, act-redirect, flag-00000020, flag2-00000000"
id=20085 trace_id=1000 func=iprope_policy_group_check line=4734 msg="after check: ret-matched, act-redirect, flag-00000020, flag2-00000000"
id=20085 trace_id=1000 func=iprope_fwd_auth_check line=874 msg="iprope_auth_portal_check() result: ret-matched, act-redirect"
id=20085 trace_id=1000 func=av_receive line=433 msg="send to application layer"

 

These two lines show at which policy the policy check stops:

id=20085 trace_id=1000 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
id=20085 trace_id=1000 func=__iprope_user_identity_check line=1818 msg="ret-stop"

 

The auth portal will be shown to the client if 'act-redirect' is present in the debug flow.

To reach the auth portal directly, use the interface IP on port 1000 for HTTP and port 1003 for HTTPS.

Example: http://10.234.1.175:1000/

 

In this test, the username 'kraken', a member of LDAP_Group, was used.

[Screenshot: auth portal login]

 

After login, the traffic is re-checked against the policy table.

This time it matches policy 6, which is configured for LDAP_Group.

id=20085 trace_id=6552 func=print_pkt_detail line=5863 msg="vd-root:0 received a packet(proto=6, 10.234.1.225:50760->104.16.148.64:443) tun_id=0.0.0.0 from port2. flag [S], seq 3574129298, ack 0, win 8192"
id=20085 trace_id=6552 func=init_ip_session_common line=6042 msg="allocate a new session-00095bca, tun_id=0.0.0.0"
id=20085 trace_id=6552 func=iprope_dnat_check line=5305 msg="in-[port2], out-[]"
id=20085 trace_id=6552 func=iprope_dnat_tree_check line=830 msg="len=0"
id=20085 trace_id=6552 func=iprope_dnat_check line=5317 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=6552 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.47.15.254 via port1"
id=20085 trace_id=6552 func=iprope_fwd_check line=789 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=20085 trace_id=6552 func=__iprope_tree_check line=549 msg="gnum-100004, use svc hash, slot=27, len=5"
id=20085 trace_id=6552 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
id=20085 trace_id=6552 func=__iprope_user_identity_check line=1818 msg="ret-no-match"
id=20085 trace_id=6552 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-6, ret-matched, act-accept"
id=20085 trace_id=6552 func=__iprope_user_identity_check line=1818 msg="ret-matched"
id=20085 trace_id=6552 func=__iprope_check line=2276 msg="gnum-4e20, check-ffffffffa002be00"
id=20085 trace_id=6552 func=__iprope_check_one_policy line=2029 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=6552 func=__iprope_check_one_policy line=2029 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=6552 func=__iprope_check_one_policy line=2029 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=6552 func=__iprope_check line=2293 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=6552 func=get_new_addr line=1228 msg="find SNAT: IP-10.47.1.175(from IPPOOL), port-50760"
id=20085 trace_id=6552 func=__iprope_check_one_policy line=2246 msg="policy-6 is matched, act-accept"
id=20085 trace_id=6552 func=iprope_fwd_check line=826 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-6"
id=20085 trace_id=6552 func=iprope_fwd_auth_check line=845 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-6"
id=20085 trace_id=6552 func=iprope_reverse_dnat_check line=1307 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0"
id=20085 trace_id=6552 func=iprope_reverse_dnat_tree_check line=923 msg="len=0"
id=20085 trace_id=6552 func=fw_forward_handler line=879 msg="Allowed by Policy-6: SNAT"
id=20085 trace_id=6552 func=__ip_session_run_tuple line=3490 msg="SNAT 10.234.1.225->10.47.1.175:50760"

 

Purpose:

Policy 3 was created with a local user group to prompt the auth portal.

After the user logs in, the firewall re-checks the policy table for the allowed traffic.
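As an added illustration (not part of the original article), a small Python parser that walks debug flow records like the two traces above and reports which policies were checked, where the lookup stopped on 'ret-stop', whether 'act-redirect' (the auth portal) fired, and which policy finally allowed the traffic. The sample lines are the decisive records copied from the traces above; treating gnum-100004 as the forward policy table is an assumption drawn from how it appears in those traces.

```python
import re

# Constructed sample input: the decisive lines from the two debug flow traces in
# this article (trace 1000 before login, trace 6552 after login), copied verbatim.
BEFORE_LOGIN = """\
id=20085 trace_id=1000 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
id=20085 trace_id=1000 func=__iprope_user_identity_check line=1818 msg="ret-stop"
id=20085 trace_id=1000 func=iprope_fwd_auth_check line=874 msg="iprope_auth_portal_check() result: ret-matched, act-redirect"
"""
AFTER_LOGIN = """\
id=20085 trace_id=6552 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
id=20085 trace_id=6552 func=__iprope_user_identity_check line=1818 msg="ret-no-match"
id=20085 trace_id=6552 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-6, ret-matched, act-accept"
id=20085 trace_id=6552 func=__iprope_user_identity_check line=1818 msg="ret-matched"
id=20085 trace_id=6552 func=fw_forward_handler line=879 msg="Allowed by Policy-6: SNAT"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"')
POLICY_RE = re.compile(r"checked gnum-(\w+) policy-(\d+), (ret-[\w-]+),\s*act-(\w+)")
FWD_GROUP = "100004"  # assumption: the gnum under which policies 3 and 6 are checked above

def parse_trace(text):
    """Yield (trace_id, func, msg) for every line that looks like a debug flow record."""
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def summarize(text):
    """Follow one trace's policy lookup and report where it stopped and how it ended."""
    result = {"policies_checked": [], "stopped_at": None, "auth_portal": False, "allowed_by": None}
    last_policy = None
    for _tid, func, msg in parse_trace(text):
        if func == "__iprope_check_one_policy":
            pm = POLICY_RE.search(msg)
            if pm and pm.group(1) == FWD_GROUP and pm.group(3) == "ret-matched":
                last_policy = int(pm.group(2))
                result["policies_checked"].append(last_policy)
        elif func == "__iprope_user_identity_check" and "ret-stop" in msg:
            # The policy matched but the user is not authenticated yet: the lookup stops here.
            result["stopped_at"] = last_policy
        elif func == "iprope_fwd_auth_check" and "act-redirect" in msg:
            result["auth_portal"] = True  # the client will be redirected to the auth portal
        elif func == "fw_forward_handler":
            am = re.search(r"Allowed by Policy-(\d+)", msg)
            if am:
                result["allowed_by"] = int(am.group(1))
    return result
```

Feeding a full 'diagnose debug flow' capture to summarize() gives the same per-trace summary, as long as the capture holds a single trace_id.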

 

Note:

The sequence of the policies is very IMPORTANT.

If a particular subnet should not be prompted by the auth portal, its policy must be moved above the firewall authentication policy.

Another way is to restrict the source address of the policy-based firewall authentication policy to the subnet that requires authentication.

Solution

Plan the sequence of the firewall policies and the subnet addressing carefully before setting 'auth-on-demand' to 'always'.