Imperva Cyber Community


How to use the secondary management port MGT2

  • 1.  How to use the secondary management port MGT2

    Posted 06-13-2021 09:49
    Hi,

    I have a special requirement to use the secondary management port (MGT2) for an out-of-band network. I configured the IP address and am able to reach the gateway IP, but from the network I am unable to access the appliance through SSH/GUI, and not even able to ping it.

    eth0 -> 10.10.10.100/24
    eth1 -> 192.168.1.50/24

    default gateway -> 10.10.10.1

    I am trying to reach (ping, SSH, HTTPS) 192.168.1.50 from IP 192.168.1.83/24 but no luck.

    Can anyone help me here?
    #AllImperva

    ------------------------------
    Pradeep Kumar Mall
    Professional Services Consultant
    Dubai
    ------------------------------


  • 2.  RE: How to use the secondary management port MGT2

    Posted 06-24-2021 15:06
    Hi Pradeep,
    There are a number of things that I believe are causing your issues. My comments below should only be used to fault-find these issues.
    1) During FTL configuration you're asked to enter a default route and also whether you want to associate it with a particular interface. This locks down the management routing to a particular interface, so in your case all routing/CLI/GUI traffic will go via eth0 because the system applies a hardened config to enforce this.
    2) If you want to route out of the eth1 NIC you will need to add a static route to the destination host or network you are trying to contact. Use impcfg to add static routes. Checking with traceroute <destination IP address> is a good way to see how traffic flows out of the server.
    3) The hardening process of SecureSphere locks down ping responses; in fact it turns off responses at an OS level. Use 'more /proc/sys/net/ipv4/icmp_echo_ignore_all' to check: a '1' response means the system will NOT respond to ICMP requests.
    4) If you added the secondary IP address 192.168.1.50 (eth1) via the OS and not through impcfg then the /etc/ssh_config file will only have an entry to listen on the first Mgmt port eth0 (10.10.10.100); this is why you cannot SSH to it. Use ss -nlput | grep ssh to see what interfaces are listening for SSH; if you're not listening on eth1 then you may need to edit the sshd.conf file to add a listener. Remember to back up first and then restart the SSH service after you have finished editing the file.
    5) Also check your iptables restrictions in case there is anything within the Gx firewall that's being dropped by iptables.

    Hope this helps

    Mike



    ------------------------------
    Mike Richmond
    Technical Consultant
    Brookcourt Solutions ltd
    Redhill
    ------------------------------
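
A small diagnostic script that turns points 2, 3 and 4 of Mike's checklist into repeatable checks; this is added example code, not from the thread or from Imperva, and the command output it parses (ss, ip route get, the icmp_echo_ignore_all value) is constructed so it runs offline, using the IPs and NIC names from the thread.

```shell
#!/bin/sh
# Added helper, not from the thread or from Imperva: checks the host-level
# conditions Mike's reply lists for a second management NIC. Command output
# below is CONSTRUCTED so the script runs offline; on a real appliance feed
# the functions the live output of the same commands instead.

MGT2_IP="192.168.1.50"       # secondary management IP from the thread
REMOTE_ADMIN="192.168.1.83"  # admin host that cannot reach the appliance
MGT2_DEV="eth1"              # NIC that should carry that traffic

# Constructed `ss -nlput | grep ssh` output: sshd bound only to eth0's IP.
SS_SAMPLE='tcp LISTEN 0 128 10.10.10.100:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))'
# Constructed `ip route get 192.168.1.83` output: reply leaves via eth0, the
# routing case Mike's points 1 and 2 describe.
ROUTE_SAMPLE='192.168.1.83 via 10.10.10.1 dev eth0 src 10.10.10.100 uid 0'
# Constructed value of /proc/sys/net/ipv4/icmp_echo_ignore_all on a hardened box.
ICMP_SAMPLE=1

# icmp_state VALUE -> "ignored" when the kernel drops echo requests
icmp_state() {
  if [ "$1" = "1" ]; then echo "ignored"; else echo "answered"; fi
}

# ssh_listens_on SS_OUTPUT IP -> true if sshd listens on IP:22 or on all addresses
ssh_listens_on() {
  printf '%s\n' "$1" |
    grep -q -E "(^|[[:space:]])($2|0\.0\.0\.0|\*|\[::\]):22([[:space:]]|$)"
}

# route_dev ROUTE_OUTPUT -> the NIC the kernel picked for the destination
route_dev() {
  printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Report findings in the order of the reply's checklist
echo "3) icmp_echo_ignore_all=$ICMP_SAMPLE: ping is $(icmp_state "$ICMP_SAMPLE")"
if ssh_listens_on "$SS_SAMPLE" "$MGT2_IP"; then
  echo "4) sshd listens on $MGT2_IP"
else
  echo "4) sshd does NOT listen on $MGT2_IP (only on the eth0 address)"
fi
dev=$(route_dev "$ROUTE_SAMPLE")
if [ "$dev" = "$MGT2_DEV" ]; then
  echo "2) route to $REMOTE_ADMIN uses $dev as intended"
else
  echo "2) route to $REMOTE_ADMIN uses $dev, not $MGT2_DEV: add a static route"
fi
```

With the constructed samples the script reports all three problems the reply describes; replacing each sample with the live command output shows which of them apply on the appliance.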