Allowing system communications in Access rules

You must add Access rules for some types of communication between SMC components.

The necessary communications between the engine and other SMC components are allowed in the predefined Firewall Template Policy, IPS Template, and Layer 2 Firewall Template. However, the predefined templates do not allow other SMC components to communicate through the engine to some third SMC component.

For example, when you have a engine and a Log Server at a remote site that are managed by a Management Server behind a engine at a central site, you must create rules in the Engine Policy at the central site to allow:
  • Management and monitoring connections to/from the remote engine.
  • Monitoring and log browsing connections from the central site to the remote Log Server.
  • Any remote-site Management Client connections to the Management Server at the central site.

If NAT is applied to the connections, Access rules alone are not enough. You must also create Location elements and add Contact Addresses for the elements to define which translated addresses are necessary for making contact.

If you have inline IPS engines or Layer 2 Engines, be careful that you do not define rules that would prevent other SMC components from communicating with each other.

There are predefined Service elements for all system communications. You can use these elements to create Access rules.