Fibre Channel (SAN)

Contributor
Posts: 21
Registered: ‎06-25-2015
Accepted Solution

policy deactivated

Hello All,

Yesterday I received a report of an issue where ports 23 and 80 were open. As I have a policy blocking those ports, I opened the switch interface over SSH and saw the policy created for IPv4 as "defined" instead of "active". I already searched the supportshow output for "ipfilter" and also for the policy name "ipv4_block", and there is no evidence that somebody did a "deactivate" of this policy.

Is there another reason a policy could be deactivated without the ipfilter --deactivate command?

Any guess at other research to find out why this policy was not activated?

Best regards

Brocade Moderator
Posts: 318
Registered: ‎08-31-2009

Re: policy deactivated

Hello,

Which FOS version are you using?

In which report did you see that the ports were open? From the switch?
Any and all information provided by me is not reviewed, approved or endorsed by Brocade and is provided solely as a convenience for Brocade customers. All systems and all networks are different and unique. If you have a service affecting network problem, please open a TAC service request for service through Brocade, or through your OEM equipment provider. If this provided you with a solution to this issue, please mark it with the button at the bottom "Accept as solution"

Contributor
Posts: 21
Registered: ‎06-25-2015

Re: policy deactivated

Hello Thierry, this switch is running Fabric OS v7.4.1d. My first thought was... somebody deactivated the policy! But searching supportshow for "ipfilter" and the policy name, I did not find any evidence. I am not sure if we are facing a problem with the FOS or if we have a security failure in our policy. I did not see the ports open; I just saw the policy I created for IPv4 last March 24th as not activated.

Taking advantage of this subject: if I don't have a policy for IPv4, does it mean that all ports are ready to use, or that nothing will work until a policy is activated?

Best regards.

Brocade Moderator
Posts: 318
Registered: ‎08-31-2009

Re: policy deactivated

I have not seen a similar issue. I guess that it has not been activated for some reason.

If no policy is activated, all ports will be usable.

Contributor
Posts: 21
Registered: ‎06-25-2015

Re: policy deactivated

Well, it was activated; look at this piece of the supportshow report...

Fri Mar 24 15:30:53 2017         carlosmp, FID 128, 9.80.239.133, ipfilter --addrule cmp1 -rule 3 -sip any -dp 80 -proto tcp -act deny
Fri Mar 24 15:31:56 2017         carlosmp, FID 128, 9.80.239.133, ipfilter --activate cmp1
Fri Mar 24 15:32:05 2017         carlosmp, FID 128, 9.80.239.133, ipfilter --save cmp1
Mon Oct 16 13:04:29 2017         carlosmp, FID 128, 9.80.201.26, ipfilter --activate cmp1

Look at the supportshow report filtered on "cmp1": between March 24th, when I activated this policy for the first time, and yesterday there is nothing else. The other command was issued yesterday, when I found the policy "defined" instead of "active" and issued the activate again.

Brocade Moderator
Posts: 318
Registered: ‎08-31-2009

Re: policy deactivated

Do you see any event logged in errdump concerning ipfilter?

Contributor
Posts: 21
Registered: ‎06-25-2015

Re: policy deactivated

No events about ipfilter nor about the policy.

Brocade Moderator
Posts: 414
Registered: ‎03-29-2011

Re: policy deactivated

Hi,

Check the auditdump (auditdump -s) also for activities. Further, was there any firmwaredownload, hareboot or hafailover since:

Fri Mar 24 15:31:56 2017         carlosmp, FID 128, 9.80.239.133, ipfilter --activate cmp1
Fri Mar 24 15:32:05 2017         carlosmp, FID 128, 9.80.239.133, ipfilter --save cmp1

Or have you used chassisdistribute on other switches in the fabric to push out ipfilter?

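As an added example (not from the thread, and not Brocade's or the poster's code), the script below applies the checklist from the post above to command-history lines in the format the thread quotes from supportshow. It rebuilds the timeline of one named ipfilter policy and lists, between the last --activate and the moment the policy was found "defined", every command that could account for the state change: an ipfilter --deactivate or --delete of that policy, or a firmwaredownload, hareboot, hafailover or chassisdistribute. The sample lines are constructed for the example (the four cmp1 lines are copied from the post; the hareboot and --show lines are assumed), and the list of commands to flag comes from this thread, not from a Brocade reference.

```python
import re
from datetime import datetime

# Command-history line format as quoted in the thread:
#   <ctime timestamp>   <user>, FID <n>, <ip>, <command>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<user>\S+), FID (?P<fid>\d+), (?P<ip>\S+), (?P<cmd>.+)$"
)

# Commands the thread names as possible explanations for a policy showing
# "defined" instead of "active" with no explicit deactivate in the history.
SUSPECT_CMDS = ("firmwaredownload", "hareboot", "hafailover", "chassisdistribute")

# Constructed sample: the four cmp1 lines are from the post, the rest are assumed.
SAMPLE_HISTORY = """
Fri Mar 24 15:30:53 2017         carlosmp, FID 128, 9.80.239.133, ipfilter --addrule cmp1 -rule 3 -sip any -dp 80 -proto tcp -act deny
Fri Mar 24 15:31:56 2017         carlosmp, FID 128, 9.80.239.133, ipfilter --activate cmp1
Fri Mar 24 15:32:05 2017         carlosmp, FID 128, 9.80.239.133, ipfilter --save cmp1
Sat Jul  1 02:10:11 2017         admin, FID 128, 9.80.239.133, hareboot
Mon Oct 16 13:03:40 2017         carlosmp, FID 128, 9.80.201.26, ipfilter --show
Mon Oct 16 13:04:29 2017         carlosmp, FID 128, 9.80.201.26, ipfilter --activate cmp1
"""

# Assumed: the moment the poster observed the policy as "defined" (just before re-activating it).
FOUND_DEFINED_AT = datetime(2017, 10, 16, 13, 4, 0)


def parse_history(text):
    """Parse command-history lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        # ctime pads single-digit days with a space ("Jul  1"); collapse before parsing.
        ev["when"] = datetime.strptime(re.sub(r" +", " ", ev["ts"]), "%a %b %d %H:%M:%S %Y")
        events.append(ev)
    return events


def policy_timeline(events, policy):
    """Return (when, user, ip, action) for every ipfilter command naming the policy."""
    out = []
    for ev in events:
        cmd = ev["cmd"].split()
        if cmd[0] != "ipfilter" or len(cmd) < 3 or cmd[2] != policy:
            continue
        out.append((ev["when"], ev["user"], ev["ip"], cmd[1]))
    return out


def explain_deactivation(events, policy, found_defined_at):
    """Return the last --activate before found_defined_at and the candidate causes after it."""
    last_activate = None
    for when, _user, _ip, action in policy_timeline(events, policy):
        if action == "--activate" and when < found_defined_at:
            last_activate = when
    if last_activate is None:
        return None, []
    causes = []
    for ev in events:
        if not (last_activate < ev["when"] <= found_defined_at):
            continue
        cmd = ev["cmd"].split()
        if cmd[0] == "ipfilter" and len(cmd) > 2 and cmd[1] in ("--deactivate", "--delete") and cmd[2] == policy:
            causes.append(ev)
        elif cmd[0] in SUSPECT_CMDS:
            causes.append(ev)
    return last_activate, causes


def run_example():
    """Run the check over the constructed sample for policy cmp1."""
    return explain_deactivation(parse_history(SAMPLE_HISTORY), "cmp1", FOUND_DEFINED_AT)


if __name__ == "__main__":
    last, causes = run_example()
    print("last activate:", last)
    for ev in causes:
        print("candidate cause:", ev["when"], ev["user"], ev["ip"], ev["cmd"])
```

Point the same parser at the real supportshow or auditdump output and adjust LINE_RE if the field layout differs; the value of the check is that it surfaces events that a text search for the policy name alone (as in the first post) will never match, such as a hareboot with no ipfilter keyword in it.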
Contributor
Posts: 21
Registered: ‎06-25-2015

Re: policy deactivated

Thanks Martin for providing the (auditdump -s) option; it helped our research a lot, and I found the issue using this process.
