Security

How to forward through a DMZ from one network zone to another?

emallinger
Communicator

Hello everyone,

I've got a local universal forwarder on an internal network (all in a Linux environment).

My intermediate forwarder and my deployment server are in another network zone, behind a DMZ.

I have no Splunk component in the DMZ (my IFW & DS are on the other "side").

I've got only one gateway from my local firewall to the DMZ, on port 80.

Then the flow can be rerouted via a proxy or reverse proxy, depending on the need, to the target. At least, that's the theory.

 

I've put in my local forwarder:

- an alias my-ds.com:80 in deploymentClient.conf (to be routed "after" the DMZ to my-ds.com:8089)

- an alias my-uf.com:80 in outputs.conf (to be routed "after" the DMZ to my-uf.com:9997)

- [proxyConfig] with my-gateway:80 in server.conf

I route the 2 aliases with a modification of /etc/hosts.

Of course, it does not work. I don't really understand how it is supposed to work.

The handshake is always KO for the DS, and TCPOutputProc is paused because of the timeout of the target (so it is not reachable either).

Here's my question: am I doing this correctly, or am I totally out of it?

I've read the doc:

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/ConfigureSplunkforproxy

but I'm still stuck, without being at least sure I'm trying this the right way.

Thank you for your suggestions,

Ema


emallinger
Communicator

Hi again,

News of today: a SOCKS proxy is not available for us... So, back to asking for port opening?

Regards,

Ema


emallinger
Communicator

Hi,

Thanks, I've asked my colleague if we could try with a SOCKS proxy, but my understanding is that it's only for forwarding the data to the next UF.

How am I supposed to reach the DS behind the DMZ? I understand it's with [proxyConfig] in server.conf; if so, it should be the configuration of the routing through the DMZ that is faulty. What do you think?

I drew the picture and shared with the teams what I wanted to do (some time ago now) and I followed their directions, but for now we're stuck.

Your suggestions will be appreciated.

Regards,

Ema


isoutamo
SplunkTrust

Hi,

Is there an option for your network staff to just open the needed ports on the firewall and allow routing between those nodes (UF -> DS and intermediate forwarder)? That would be the easiest way to manage it.

r. Ismo

emallinger
Communicator

Hi,

That would be too easy.

I asked, but so far only port 80 is available, so I'm supposed to route through it and then remap it to the right ports on the other side...

I'm not sure I'm doing this correctly: between the proxyConfig and the hosts file, everything is supposed to go first to my-gateway.com:80...

Regards,

Ema


isoutamo
SplunkTrust

I haven't tried this myself, but an HTTP proxy works only between the UF and the DS, and for indexer discovery if you have that in use. BUT sending data from the UF to the indexers is totally different stuff. There you must have a SOCKS5 proxy to proxy the traffic via the DMZ!

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Outputsconf

Basically, you should use the normal Splunk server names in the config and then add the proxy parts to server.conf. No need for separate DNS names etc. if those are already working. Of course, those names should also work in the DMZ. From the DMZ to the DS + indexers, those ports must be open, or there must be another way to route/proxy that traffic to those servers.

I propose that you draw a picture of what you are trying to do, with IPs, ports and directions for all components. Then it's much easier to explain to your net ops staff.

r. Ismo

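To make Ismo's advice concrete, here is an added example (not from the thread or from Splunk's docs) of the three files with the real server names and ports kept, the DMZ gateway declared as the proxy in server.conf for the deployment-server path, and a SOCKS5 proxy declared in outputs.conf for the data path. The host names are the thread's own; the setting names are documented Splunk settings; the assumptions are that the gateway on port 80 actually behaves as an HTTP proxy and that a SOCKS5 listener exists on it (port 1080 is a placeholder), which is exactly the piece the thread says is not available.

```ini
# $SPLUNK_HOME/etc/system/local/deploymentClient.conf
# Point at the real deployment server and its management port,
# not at an /etc/hosts alias rewritten to port 80.
[target-broker:deploymentServer]
targetUri = my-ds.com:8089

# $SPLUNK_HOME/etc/system/local/server.conf
# Management traffic (REST on 8089) to the DS is what [proxyConfig]
# covers; the DMZ gateway must act as an HTTP proxy on port 80.
[proxyConfig]
http_proxy = http://my-gateway.com:80
https_proxy = http://my-gateway.com:80
no_proxy = localhost, 127.0.0.1, ::1

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Event data to the intermediate forwarder is plain TCP on 9997 and
# is NOT covered by [proxyConfig]. It needs a SOCKS5 proxy instead;
# my-gateway.com:1080 is an assumed listener, not something the
# thread says exists.
[tcpout]
defaultGroup = dmz_ifw

[tcpout:dmz_ifw]
server = my-uf.com:9997
socksServer = my-gateway.com:1080
# Let the proxy resolve my-uf.com, so the UF needs no /etc/hosts entry
socksResolveDNS = true
```

With this layout the only thing left to verify on the UF is that my-gateway.com:80 answers as a proxy (splunkd.log will show the DS handshake succeeding or failing) and that the SOCKS5 listener is reachable, which is why Ismo's suggestion to draw the IPs, ports and directions first is the practical next step.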