Forwarding traffic allows Valtix to control non-HTTP traffic. Here we'll create an SSH forwarding policy to control traffic from spoke1.
Step 1: Create Forwarding Service
- Navigate to Manage -> Security Policies -> Services
- Click Create
Enter the following information:

| Parameter | Description | Sample Value |
|---|---|---|
| Service Type | Forwarding, Reverse Proxy, or Forwarding Proxy. | Forwarding |
| Name | Service object name. | egress-fwd-ssh |
| Description | Description of the service object. | forwarding object for tutorial |
| Application IDs | Application ID to match for this service object. | Empty |
| Source NAT | Perform Source NAT on this service. | Check |
In the service table, enter the following:

| Parameter | Description | Sample Value |
|---|---|---|
| Decryption Profile | Decryption profile to use for decrypting secure traffic. | Empty |
| Dst Port | Destination port to match for the service. | 22 |
| Protocol | TCP or UDP. Default is TCP. | TCP |
Step 2: Create Forwarding Policy
- Click Manage -> Security Policy -> Rules
- Find the ruleset name that's associated with the Egress Gateway
- Click the ruleset name
- There is already a rule here to allow the health check traffic from the load balancer on port 65534 (this port number was specified during the Gateway creation)
- Click Create to create a new rule
A new rule editor opens in the slide-over panel on the right.

| Parameter | Description | Sample Value |
|---|---|---|
| Name | Name of the rule. | any-egress-ssh |
| Description | [Optional] Description of the rule. | Tutorial for forwarding |
| Type | Forwarding, Reverse Proxy, or Forwarding Proxy. Default is Reverse Proxy. | Forwarding |
| Service | Service object for this rule to match against. | egress-fwd-ssh |
| Source | Source address object for this rule. | any |
| Destination | Destination address object for this rule. | any |
| Action | Action to perform if traffic matches this rule. | Allow Log |
Profiles can be left empty for now. Profiles provide deep packet inspection on the traffic, which we'll add in step 2 of the Defend phase.
- Click Add
- Click Save to save all the rules and click Yes in the confirmation
- It takes a few seconds to save the policy. Once the ruleset is saved, the Gateway instances pull the ruleset from the Controller using the regular message exchange process
Step 3: Validate Traffic
- Copy the SSH private key of the spoke2 EC2 instance to the spoke1 EC2 instance:

  scp -i <private key of spoke1 EC2> <private key of spoke2 EC2> centos@<eip of spoke1 EC2>:/tmp/
- Note: You will need to ensure that you have allowed access to the spoke1 EC2 instance from your laptop.
- SSH from your laptop to the spoke1 EC2 instance.
- SSH from the spoke1 EC2 instance to the spoke2 EC2 instance using the private IP of the spoke2 instance, e.g. ssh -i <spoke2 ec2 ssh private key> centos@<private_ip>
- On the Valtix Dashboard go to Investigate -> All Events
- Select the Gateway at the top
- Check that the logs for the SSH session from spoke1 to spoke2 show up in the table