SunScreen 3.2 Administrator's Overview

Services Allowed on the HA and ADMIN Interfaces

By default, only administrative traffic (ping and SunScreen Administration services) is allowed on the HA interface. This design keeps the network as secure as possible. However, an administrator may have some need to open up other services on this private network. This can be accomplished by adding filtering rules that include the HA network as the destination address. For example, suppose that the dedicated HA network is 172.16.0.0/24. The following policy would allow Telnet traffic to and from any address on the HA network:


edit> list interface 
qfe0 "qfe0" HA "hanetwork"  INCOMPLETE
edit> list address hanetwork
"hanetwork" RANGE 172.16.0.0/24
edit> list rule 1
1 "telnet" "hanetwork" "hanetwork" ALLOW


Note -

The destination address must be the same network object that is used in the interface definition. An equivalent object with a different name will not work. See "To Allow Non-Administrative Traffic on an HA Network" in the SunScreen 3.2 Administration Guide for more information.
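The Note above describes a constraint that is easy to violate silently: a rule whose destination is a different address object covering the same range will not open the HA network. As an added example (not part of the SunScreen documentation or its tools), the following Python check parses `list interface`, `list address` and `list rule` output in the format shown above and flags rules that use a same-range lookalike object instead of the interface's own object. The field order (interface: name, label, type, address object, status; rule: number, service, source, destination, action) is inferred from the sample lines and is an assumption, and the second object "hanet2" is constructed for the example.

```python
import shlex

# Constructed sample listings modelled on the page's `edit>` output.
# "hanet2" is an added object covering the same range under a different name;
# rule 2 uses it as destination and should be flagged as ineffective.
INTERFACES = 'qfe0 "qfe0" HA "hanetwork"  INCOMPLETE'
ADDRESSES = '"hanetwork" RANGE 172.16.0.0/24\n"hanet2" RANGE 172.16.0.0/24'
RULES = ('1 "telnet" "hanetwork" "hanetwork" ALLOW\n'
         '2 "telnet" "hanetwork" "hanet2" ALLOW')

def ha_address_objects(interface_listing):
    """Return {interface: address object} for interfaces of type HA.
    Field order (name, label, type, address object, status) is assumed
    from the sample line in the documentation."""
    result = {}
    for line in interface_listing.splitlines():
        fields = shlex.split(line)
        if len(fields) >= 4 and fields[2] == "HA":
            result[fields[0]] = fields[3]
    return result

def parse_addresses(address_listing):
    """Return {object name: range string} from `list address` output."""
    addrs = {}
    for line in address_listing.splitlines():
        fields = shlex.split(line)
        if len(fields) >= 3 and fields[1] == "RANGE":
            addrs[fields[0]] = fields[2]
    return addrs

def check_ha_rules(interface_listing, address_listing, rule_listing):
    """For every ALLOW rule whose destination covers an HA network range,
    record whether it names the interface's own object (True) or a
    same-range object under another name (False), which will not match."""
    ha_objects = set(ha_address_objects(interface_listing).values())
    addrs = parse_addresses(address_listing)
    ha_ranges = {addrs[o] for o in ha_objects if o in addrs}
    findings = []
    for line in rule_listing.splitlines():
        fields = shlex.split(line)
        if len(fields) < 5:
            continue
        num, service, _src, dst, action = fields[:5]
        if action != "ALLOW" or addrs.get(dst) not in ha_ranges:
            continue  # not a rule that opens something on the HA network
        findings.append((int(num), service, dst, dst in ha_objects))
    return findings

if __name__ == "__main__":
    for num, svc, dst, ok in check_ha_rules(INTERFACES, ADDRESSES, RULES):
        verdict = "ok" if ok else "object differs from interface definition"
        print(f"rule {num} {svc} -> {dst}: {verdict}")
```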


Traffic allowed over the ADMIN interface is defined by the service Remote Administration, which by default is just TCP port 3852 or port 3853. To allow the Administration Station to Telnet to any of the Screens, add a filter to the Remote Administration service.

The traffic on the ADMIN interface must be encrypted. If it is not encrypted, the Screen drops it.


Caution -

Before changing the default behavior, consider the security implications of opening up access to your firewall. Do you really want or need to allow access? If you decide to make changes, be sure that the Administration Station is in a secure location.