2.1.27. Examples of inappropriate settings

Examples of inappropriate settings of Managed Firewall and Managed UTM are described.

2.1.27.1. Disabling DHCP (HA)

If the DHCP function has been "disabled", an ARP request is executed with source address 0.0.0.0 with respect to the network of Service Provider.
It has been confirmed through an NTT-supplied Load Balancer, Managed FW/UTM, and others that an ARP reply is not returned in this case. Redundancy by VRRP is affected and communication disconnection may be continued when switching is made.
When using VRRP, "enable" the DHCP function (address setting function) of the logical network to be connected.

2.1.27.2. MAC Address duplication (Single)

The problem of this inappropriate configuration was solved through maintenance works on January 16, 2018, and thus the configuration is currently usable.
Managed Firewall and Managed UTM generated before January 16, 2018 are also usable.
The same VRRPID (same MAC Address [00:00:5e:00:01:01]) as for Managed Firewall/UTM (previously recognized as an inappropriate configuration) )is preset at the opponents of Port4 and Port5.
Therefore, Managed Firewall/UTM cannot handle packets properly.
For VRRP IDs of items such as other menus/brought-in products on the logical network, set different values like 1 and 2.

ng-mac-single

2.1.27.3. MAC Address Duplicate (HA) 1

The problem of this inappropriate configuration was solved through maintenance works on January 16, 2018, and thus the configuration is currently usable.
Managed Firewall and Managed UTM generated before January 16, 2018 are also usable.
The same VRRPID (same MAC Address [00:00:5e:00:01:01]) as for Managed Firewall/UTM (previously recognized as an inappropriate configuration) )is preset at the opponents of Port4 and Port5.
Therefore, Managed Firewall/UTM cannot handle packets properly.
For VRRP IDs of items such as other menus/brought-in products on the logical network, set different values like 1 and 2.

ng-mac-ha

2.1.27.4. MAC Address duplication (HA) 2

From the viewpoint of Managed Firewall / UTM, the same VRRP ID (same MAC Address [00: 00: 5e: 00: 01: 01]) exists in Port 4 and Port 5 of itself.
Therefore, Managed Firewall/UTM cannot handle packets properly.
・The duplicate MAC Address must not be possessed by Managed FW / UTM.
For VRRP to be set for Managed Firewall / UTM interface please set different values ​​like 1 and 2.

ng-mac-ha2

2.1.27.5. MAC Address Duplicate (HA) 3

The same VRRPID (same MAC Address [00:00:5e:00:01:01]) as for Managed Firewall/UTM is preset at the opponents of Port4 and Port4.
Also, the same VRRP ID (same MAC Address [00: 00: 5e: 00: 01: 02]) exists at the opponents of Port 5 and Port 5 of itself.
Therefore, Managed Firewall/UTM cannot handle packets properly.
In the case of HA configuration, please make sure that the VRRP ID on the same logical network which this menu connects do not overlap. also, please make sure that the VRRP ID on the same L2 network such as colocation connection (CIC) and Enterprise Cloud 1.0 connection (EIC) which this menu connects do not overlap.

ng-mac-ha3

2.1.27.6. MAC Address duplication

If two subnets are generated for a single logical network and connected with Managed Firewall/UTM, ARP is sent to both Port4 and Port5.
This results in duplication of MAC Addresses, preventing packets from being handled properly.

ng-mac-subnet

2.1.27.7. Asymmetric path

Asymmetric paths are not supported by Managed Firewall/UTM.
Make settings so that the same path is used for both outgoing and incoming packets.

ng-asymmetry-route

2.1.27.8. Restriction of Source NAT Objects

If a Source NAT Object is generated for Managed Firewall/UTM, the set IP Address is possessed by Managed Firewall/UTM.
If the actually existing IP address 10.0.0.100 is set for a Source NAT Object as above, processing of communications to Server01 (10.0.0.100) becomes disabled.
Also, in the case where communications to 10.0.0.200 are subject to NAT in terms of IP 10.0.0.100, MAC is scrambled for with an actual device, resulting in communications failure.
Be sure to set an IP Address which has not been used by other devices.

ng-source-nat-object

2.1.27.9. Restriction of Destination NAT Objects

If a Destination NAT Object is generated for Managed Firewall/UTM, the set IP Address is possessed by Managed Firewall/UTM.
If the actually existing IP address 10.0.0.200 is set for the External IP of a Destination NAT Object as above, not only processing of communications to Server04 (10.0.0.200) but also the function of Destination NAT are disabled.
Moreover, communications from actually existing Server04 (10.0.0.200) are disabled.
*Scramble of MAC Addresses and confliction of IP/MAC occur.
Be sure to set an IP Address which has not been used by other devices.

ng-destination-nat-object1

2.1.27.10. Restriction of Destination NAT Objects (2)

In the case where a Destination NAT Object is generated for Managed Firewall/UTM, other Firewall Policies are affected if the same IP Address is used to set External IP and Mapped IP.
Making External IP and Mapped IP identical means non-execution of NAT, so do not make settings like this.

ng-destination-nat-object2

2.1.27.11. Restriction of routing

For Managed Firewall/UTM, two (or more) DefaultRoutes cannot be set.
Also, regarding Static Route, another gateway cannot be set with same Destination IP/Mask.
If such settings are made, packets cannot be handled properly and communications of users are affected.
Moreover, Source Routing and Policy Routing cannot be set.

ng-routing

2.1.27.12. Restrictions regarding configurations which include an AWS gateway and VPN gateway

The problem of this inappropriate configuration was solved through maintenance works on January 16, 2018, and thus the configuration is currently usable.
Managed Firewall and Managed UTM generated before January 16, 2018 are also usable.
However, if an AWS gateway and VPN gateway are connected with the same logical network, duplication of MAC addresses results in communication failure due to the specifications of Amazon Web Services connections and VPN gateway.
(Configuration previously recognized as inappropriate) Communications fail with configuration in which an AWS gateway and VPN gateway are connected through a single Managed Firewall or Managed UTM.
Build up a multiple-stage configuration composed of Managed FW or Managed UTM with an L3 node.
For some appliances, it has been confirmed that communications fail if duplicate MAC addresses are preset in the adjacent segments.
If you have any inquiry about the configuration to be built up, contact Service Provider.

ng-aws-vpn-gw

2.1.27.13. Restrictions regarding configurations which include two VPN gateways

The problem of this inappropriate configuration was solved through maintenance works on January 16, 2018, and thus the configuration is currently usable.
Managed Firewall and Managed UTM generated before January 16, 2018 are also usable.
However, if multiple VPN gateways are connected with the same logical network, duplication of MAC addresses results in communication failure due to the specifications of VPN gateways.
(Configuration previously recognized as inappropriate) Communications fail with configuration in which two VPN gateways are connected through a single Managed Firewall or Managed UTM.
Build up a multiple-stage configuration composed of Managed FW or Managed UTM with an L3 node.
For some appliances, it has been confirmed that communications fail if duplicate MAC addresses are preset in the adjacent segments.
If you have any inquiry about the configuration to be built up, contact Service Provider.

ng-vpn-vpn-gw

2.1.27.14. Restrictions regarding configurations which include two AWS gateways

The problem of this inappropriate configuration was solved through maintenance works on January 16, 2018, and thus the configuration is currently usable.
Managed Firewall and Managed UTM generated before January 16, 2018 are also usable.
However, if multiple AWS gateways are connected with the same logical network, duplication of MAC addresses results in communication failure due to the specifications of Amazon Web Services connections.
(Configuration previously recognized as inappropriate) Communications fail with configuration in which two AWS gateways are connected through a single Managed Firewall or Managed UTM.
Build up a multiple-stage configuration composed of Managed FW or Managed UTM with an L3 node.
For some appliances, it has been confirmed that communications fail if duplicate MAC addresses are preset in the adjacent segments.
If you have any inquiry about the configuration to be built up, contact Service Provider.

ng-aws-aws-gw

2.1.27.15. Restrictions regarding configurations which include two Internet gateways

The problem of this inappropriate configuration was solved through maintenance works on January 16, 2018, and thus the configuration is currently usable.
Managed Firewall and Managed UTM generated before January 16, 2018 are also usable.
However, if multiple Internet gateways are connected with the same logical network, duplication of MAC addresses results in communication failure due to the specifications of Internet connections.
(Configuration previously recognized as inappropriate) Communications fail with configuration in which two Internet gateways are connected through a single Managed Firewall or Managed UTM.
Build up a multiple-stage configuration composed of Managed FW or Managed UTM with an L3 node.
For some appliances, it has been confirmed that communications fail if duplicate MAC addresses are preset in the adjacent segments.
If you have any inquiry about the configuration to be built up, contact Service Provider.

ng-int-int-gw

2.1.27.16. Restrictions regarding configurations which include two inter-DC connection gateways

The problem of this inappropriate configuration was solved through maintenance works on January 16, 2018, and thus the configuration is currently usable.
Managed Firewall and Managed UTM generated before January 16, 2018 are also usable.
However, if multiple inter-DC connection gateways are connected with the same logical network, duplication of MAC addresses results in communication failure due to the specifications of remote data center connections.
(Configuration previously recognized as inappropriate) Communications fail with configuration in which two inter-DC connection gateways are connected through a single Managed Firewall or Managed UTM.
Build up a multiple-stage configuration composed of Managed FW or Managed UTM with an L3 node.
For some appliances, it has been confirmed that communications fail if duplicate MAC addresses are preset in the adjacent segments.
If you have any inquiry about the configuration to be built up, contact Service Provider.

ng-dc-dc-gw