
Forwarding

Forwarding traffic allows Valtix to control non-HTTP traffic. Here we'll create an SSH forwarding policy to control traffic leaving spoke1.

Step 1: Create Forwarding Service

  1. Navigate to Manage -> Security Policies -> Services
  2. Click Create
  3. Enter the following information:

     Parameter        Description                                        Sample Value
     Service Type     Forwarding, Reverse Proxy, or Forwarding Proxy.    Forwarding
     Name             Service object name.                               egress-fwd-ssh
     Description      Description of the service object.                 forwarding object for tutorial
     Application IDs  Application ID to match for this service object.   Empty
     Source NAT       Perform Source NAT on this service.                Check
  4. In the service table, enter the following values:

     Parameter           Description                                               Sample Value
     Decryption Profile  Decryption profile to use for decrypting secure traffic.  Empty
     Dst Port            Destination port to match for the service.                22
     Protocol            TCP or UDP. Default is TCP.                               TCP
  5. Click Save

Step 2: Create Forwarding Policy

  1. Click Manage -> Security Policy -> Rules
  2. Find the ruleset name that's associated with the Egress Gateway
  3. Click the ruleset name
  4. There is already a rule here that allows the health check traffic from the load balancer on port 65534 (this port number was specified during Gateway creation)
  5. Click Create to create a new rule
  6. A new rule editor opens in the slide-over panel on the right. Enter the following information:

     Parameter    Description                                                                   Sample Value
     Name         Name of the rule.                                                             any-egress-ssh
     Description  [Optional] Description of the rule.                                           Tutorial for forwarding
     Type         Forwarding, Reverse Proxy, or Forwarding Proxy. Default is Reverse Proxy.     Forwarding
     Service      Service object for this rule to match against.                                egress-fwd-ssh
     Source       Source address object for this rule.                                          any
     Destination  Destination address object for this rule.                                     any
     Action       Action to perform if traffic matches this rule.                               Allow Log
  7. Profiles can be left empty for now. Profiles provide deep packet inspection on traffic, which we'll add in step 2 of the Defend phase.
  8. Click Add
  9. Click Save to save all the rules and click Yes in the confirmation
  10. It takes a few seconds to save the policy. Once the ruleset is saved, the Gateway instances pull the ruleset from the Controller using the regular message exchange process

Step 3: Validate Traffic

  1. Copy the SSH private key of the spoke2 EC2 instance to the spoke1 EC2 instance: scp -i <private key of spoke1 EC2> <private key of spoke2 EC2> centos@<eip of spoke1 EC2>:/tmp/
    1. Note: you will need to ensure that you have allowed access to the spoke1 EC2 instance from your laptop.
  2. SSH from your laptop to the spoke1 EC2 instance.
  3. SSH from the spoke1 EC2 instance to the spoke2 EC2 instance using the private IP of the spoke2 instance, e.g. ssh -i <spoke2 ec2 ssh private key> centos@<private_ip>
  4. On the Valtix Dashboard, go to Investigate -> All Events
  5. Select the Gateway at the top
  6. Check that the logs show up in the table
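The following script is an added example for Step 3 and is not part of the Valtix tutorial. It exercises the same spoke1 -> spoke2 TCP/22 flow that the egress-fwd-ssh service and the any-egress-ssh rule match, but it does so from the laptop through spoke1 as a jump host (an explicit ProxyCommand), so spoke2's private key never has to be copied onto spoke1: spoke1's sshd opens the connection to spoke2:22 on the laptop's behalf, and that connection is the traffic the Gateway sees. It then maps the ssh exit status to a policy verdict. The host addresses, key paths and environment variable names are placeholders (assumptions), and the centos login comes from the tutorial.

```shell
#!/usr/bin/env bash
# Added example (not from the Valtix tutorial): validate the any-egress-ssh
# forwarding rule by driving a spoke1 -> spoke2:22 flow through a jump host.
# SPOKE1_KEY, SPOKE1_EIP, SPOKE2_KEY and SPOKE2_IP are assumed operator-supplied
# values, not values taken from the page.

# Build the ssh command. Arguments: spoke1 key, spoke1 EIP, spoke2 key,
# spoke2 private IP. The hop to spoke1 is an explicit ProxyCommand so that each
# hop authenticates with its own key and no key is staged on spoke1.
# BatchMode prevents interactive prompts; "true" is the remote command.
build_jump_cmd() {
  local spoke1_key=$1 spoke1_eip=$2 spoke2_key=$3 spoke2_ip=$4
  printf 'ssh -o BatchMode=yes -o ConnectTimeout=10 -o ProxyCommand="ssh -i %s -o BatchMode=yes -W %%h:%%p centos@%s" -i %s centos@%s true' \
    "$spoke1_key" "$spoke1_eip" "$spoke2_key" "$spoke2_ip"
}

# Map the ssh exit status to a policy verdict. ssh exits 255 when it could not
# establish the session (timeout, refused); any other non-zero value is the
# remote command's exit status, meaning the TCP/22 flow itself was forwarded.
classify_ssh_exit() {
  case "$1" in
    0)   echo ALLOWED ;;
    255) echo NO_CONNECTION ;;
    *)   echo REMOTE_FAILED ;;
  esac
}

# Defender-oriented explanation of each verdict.
explain_verdict() {
  case "$1" in
    ALLOWED)       echo "spoke1 -> spoke2:22 passed the Gateway; expect an Allow Log event under Investigate -> All Events" ;;
    NO_CONNECTION) echo "no TCP/22 session; check the any-egress-ssh rule, the egress-fwd-ssh service (TCP/22) and spoke1's route to the Gateway" ;;
    *)             echo "TCP/22 was forwarded but the remote command failed; check the spoke2 key and login" ;;
  esac
}

# The check needs real network access, so it only runs when explicitly
# requested: RUN_VALIDATION=1 SPOKE1_KEY=... SPOKE1_EIP=... SPOKE2_KEY=... SPOKE2_IP=... ./validate.sh
if [ "${RUN_VALIDATION:-0}" = 1 ]; then
  cmd=$(build_jump_cmd "${SPOKE1_KEY:?}" "${SPOKE1_EIP:?}" "${SPOKE2_KEY:?}" "${SPOKE2_IP:?}")
  # The command string is built only from the operator's own variables above.
  eval "$cmd"
  rc=$?
  verdict=$(classify_ssh_exit "$rc")
  echo "$verdict: $(explain_verdict "$verdict")"
fi
```

An ALLOWED verdict should coincide with an Allow Log entry for the flow in the Gateway's event table; a NO_CONNECTION verdict with no event at all usually means the traffic never reached the Gateway (routing), while NO_CONNECTION with a logged event points at the rule or service definition.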