CPUG, The Check Point User Group. A Resource For The Check Point Community. Fast. Useful. Independent.

Hi, I am trying to connect to my firewall UTM via HTTPS but I can't. I CAN connect with SmartDashboard but not with SSH or HTTPS. Normally I CAN connect with SSH or HTTPS, but since the last change, which was made via HTTPS and deleted the "ANY" host in the SSH/GUI clients, I can't; yet if I check my GUI clients in sysconfig my client IP is there. I don't know what I can do to connect. The error when I try HTTPS is this: (screenshot) I tried restarting and nothing. I verified the gui-clients file and it's OK, my client IP is there; I also tried using Any and nothing!! I checked the rules and nothing. (screenshot) The management interface is the correct one, and remember that everything worked fine until my change via HTTPS deleting the "ANY" host. What can I do??

Cool, that's a good one... Anything at all in the logs? Double-check the topology on the gateway. After that I'd say it's time to move on to fw monitor debugging.

Jim? Well, I checked the topology and it's OK, and I didn't change anything there. Which log do you want me to analyze? This FW is in production! Tell me how to debug this... it's driving me crazy!! Really, thanks.

Here is the Tracker log when I try to connect via SSH: (screenshot) Bizarre!!! I think the problem here is the gui-clients file or something like that, but I deleted it and created it again!! Another thing I can tell you is that my topology is like this:

eth0 external
eth1 192.168.1.2 internal
eth2 192.168.2.2 internal

The management is attached to eth1, BUT I don't know why I can access the page from the Internet on my public IP; obviously the same error appears, but I don't think this is correct since I am not publishing the management on that interface...

-- GUI Clients is just for access to the SmartDashboard tools: policy / log viewer / fw monitor.
-- Via the web browser, when you deleted from Device / Web and SSH clients, did you put your own IP in first, 192.168.1.?, so you could still gain access from your machine via SSH and Web to SPLAT?? Seems to me like you have locked yourself out. When you add an entry via the web browser's Device / Web and SSH access it will put an entry, I believe, in the /etc/hosts.allow file. This is what controls your access to the httpd server and ssh on SPLAT. From the /etc/hosts.allow file (need to be in expert mode):

[Expert@FW1]# cat /etc/hosts.allow
#
# This file specifies network zones, from which an administrator may log in.
#
# WARNING: DO NOT CHANGE THE CONTENT OF THIS FILE MANUALLY!!!
#
# Changing the file's content manually may have severe security implications.
#
# To change the allowed zones use either the Web GUI or the cpadminip
# command-line utility
ALL: 192.168.2.1
ALL: 192.168.2.10

Last edited by EG-FW1; 2007-02-16 at 17:53.

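To make the lock-out mechanism described above concrete, here is an added example (not code from this thread, from CPUG or from Check Point) that decides whether a client address would be admitted by a tcp_wrappers-style /etc/hosts.allow such as the one quoted. It assumes only the standard hosts_access(5) client forms (exact address, trailing-dot prefix, net/mask, ALL) and works on a constructed sample that contains the two entries quoted in the post plus an sshd-only prefix entry and a net/mask entry of my own; the daemon names sshd and httpd in the sample are assumptions, and hosts.deny, EXCEPT lists and hostname patterns are not modelled. It is a read-only check, not a way of editing the file.

```shell
#!/bin/sh
# Added example, not from the CPUG thread or from Check Point: decide whether a
# client address is admitted by a tcp_wrappers-style /etc/hosts.allow, which
# (per the post above) gates sshd and httpd on SecurePlatform.
# Assumptions: only the hosts_access(5) client forms "a.b.c.d" (exact host),
# "a.b.c." (trailing-dot prefix), "net/mask" and "ALL" appear; hosts.deny,
# EXCEPT lists and hostname patterns are not modelled.

# Constructed sample: the two entries quoted in the post, plus an assumed
# sshd-only prefix entry and a net/mask entry to exercise those forms.
SAMPLE_HOSTS_ALLOW='# To change the allowed zones use the Web GUI
ALL: 192.168.2.1
ALL: 192.168.2.10
sshd: 10.0.0.
ALL: 172.16.0.0/255.255.0.0'

# ip_to_int a.b.c.d -> the address as a decimal integer (host byte order)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# client_matches PATTERN IP -> exit 0 if IP is covered by one client pattern
client_matches() {
    pat=$1; ip=$2
    case $pat in
        ALL)
            return 0 ;;
        */*)                                   # net/mask, e.g. 172.16.0.0/255.255.0.0
            net=${pat%/*}; mask=${pat#*/}
            [ $(( $(ip_to_int "$ip") & $(ip_to_int "$mask") )) -eq \
              $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ] ;;
        *.)                                    # leading-octet prefix, e.g. 10.0.0.
            case $ip in "$pat"*) return 0 ;; esac
            return 1 ;;
        *)                                     # exact host
            [ "$pat" = "$ip" ] ;;
    esac
}

# hosts_allow_permits DAEMON IP [FILE_TEXT] -> exit 0 if some "daemons: clients"
# line names DAEMON (or ALL) and one of its clients matches IP.
# FILE_TEXT defaults to the constructed sample; pass "$(cat /etc/hosts.allow)"
# when running on the box itself.
hosts_allow_permits() {
    daemon=$1; ip=$2; content=${3:-$SAMPLE_HOSTS_ALLOW}
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac   # skip blank and comment lines
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
        daemon_ok=1
        for d in $daemons; do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then daemon_ok=0; fi
        done
        [ $daemon_ok -eq 0 ] || continue
        for c in $clients; do
            client_matches "$c" "$ip" && return 0
        done
    done <<EOF
$content
EOF
    return 1
}

# verdict DAEMON IP [FILE_TEXT] -> prints "permit" or "deny"; always exits 0
verdict() {
    if hosts_allow_permits "$@"; then echo permit; else echo deny; fi
}

# Demonstration against the sample: a client in 192.168.1.x (the poster's
# management LAN) gets "deny" because no entry covers it, which is exactly
# the lock-out the post describes.
for probe in "sshd 192.168.2.10" "httpd 192.168.1.5" "sshd 10.0.0.7" \
             "httpd 10.0.0.7" "sshd 172.16.40.9"; do
    set -- $probe
    printf '%-6s %-5s from %s\n' "$(verdict "$1" "$2")" "$1" "$2"
done
```

On the gateway, in expert mode, `verdict sshd 192.168.1.5 "$(cat /etc/hosts.allow)"` tells you whether the address you are connecting from is still listed; if it says deny, you need a client that is still listed (or the console) to add yourself back through the WebUI. A hosts.allow refusal is made by the daemon after the TCP connection has already been accepted, so the firewall policy log alone will not explain it.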
Another interesting thing is that my mgmt interface is 192.168.1.x, but if I try from the Internet https://publicip the WebUI appears. I don't understand why; it's supposed to be on the internal...

"Another interesting thing is that my mgmt interface is 192.168.1.x, but if I try from the Internet https://publicip the WebUI appears. I don't understand why; it's supposed to be on the internal..."

This is normal. When you set up, you used the internal IP. When the cert was created it used the internal IP. So was the file /etc/hosts.allow empty? I have never used the tool they described in the /etc/hosts.allow file. I don't think it would hurt to add your own entry, as long as the format is correct. But who knows.

Well, it wasn't empty; I had left one IP there!! So I connect with that IP and everything goes OK. Now, I don't know what happens if I try to "vi" the file; I read in another forum that you can edit it with vi and nothing happens, but who knows.... The other thing, the WebUI on the INTERNET, I don't think that is normal!! I have disabled the WebUI to deny access to that page from the Internet. Look, I have some services published on that IP with HTTPS, so I think that is the problem. Suppose this:

eth0: 200.40.200.1 public (this is not real)
eth1: 192.168.1.2 internal

In my sysconfig eth1 is the mgmt interface, BUT if I try from the Internet https://200.40.200.1 the WebUI appears!! Is that normal? Really, thanks for all.

"In my sysconfig eth1 is the mgmt interface, BUT if I try from the Internet https://200.40.200.1 the WebUI appears!! Is that normal?"

So, using the IP that is in the file, you can connect with the web browser and manage the device? Then you can add new IPs that way. No need to use vi. Did you specify which interface the WebUI is available on? Sounds like you have it selected for all interfaces. As a result, if that is the case, then yes, you could access it from the Internet IF 1) your security policy allows it, and 2) in the Web/SSH access you have it set to allow any.