Complete the following fields to configure the system TLS connection for the Controller, Gateway, Connection Broker, LogServer, LogForwarder, and Metrics Aggregator appliances:
TLS Port. The inbound TLS connection port on the appliance. On a Gateway appliance this port is also used for the TLS tunnel between the Client and the Gateway.
Allowed Sources. A connection to this port is accepted only if the requesting IP address (and, where specified, the interface it arrives on) matches at least one entry in the list. By default the list contains two entries, address 0.0.0.0 with netmask length 0 and address :: with netmask length 0, which together allow any IPv4 or IPv6 source.
If the list is empty, no connections are allowed.
If an entry contains address, netmask, and interface, then both subnet and interface must match.
If an entry only contains address and netmask, then only subnet needs to match.
If an entry only contains interface, then only the interface must match.
Example:
Field          | Value
Address        | OPTIONAL: IPv4 or IPv6 address of the host or subnet to allow
Netmask Length | OPTIONAL: prefix length; set to 32 (IPv4) or 128 (IPv6) for a single host
Interface      | OPTIONAL: ethX; only allow connections arriving through this interface
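The matching rules above, as an added example in Python. This is not the appliance's own code; it is an illustration of the described behaviour, written here, and the entry names and the "no fields set means no match" rule are assumptions. It also shows the kind of restrictive entry a practitioner would use to limit the port to a single upstream host on one interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AllowedSource:
    """One Allowed Sources entry. Every field is optional, as in the table above."""
    address: Optional[str] = None         # IPv4 or IPv6 host or subnet address
    netmask_length: Optional[int] = None  # 32 (IPv4) / 128 (IPv6) for a single host
    interface: Optional[str] = None       # e.g. "eth0"

    def network(self):
        """Return the entry's subnet, or None if the entry has no address."""
        if self.address is None:
            return None
        ip = ipaddress.ip_address(self.address)
        # Assumption: an address with no netmask length is treated as a single host.
        plen = self.netmask_length if self.netmask_length is not None else ip.max_prefixlen
        # strict=False so a host address with a shorter mask is accepted (host bits set).
        return ipaddress.ip_network(f"{self.address}/{plen}", strict=False)

    def matches(self, src_ip: str, iface: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        net = self.network()
        if net is not None and self.interface is not None:
            # address + netmask + interface: both subnet and interface must match
            return ip in net and iface == self.interface
        if net is not None:
            # address + netmask only: only the subnet must match
            # (ip in net is False when the IP families differ)
            return ip in net
        if self.interface is not None:
            # interface only: only the interface must match
            return iface == self.interface
        # Assumption: an entry with no fields at all matches nothing.
        return False


def is_allowed(entries: List[AllowedSource], src_ip: str, iface: str) -> bool:
    """An empty list denies every connection; otherwise any single entry may match."""
    return any(e.matches(src_ip, iface) for e in entries)


# The two default entries: 0.0.0.0/0 and ::/0, i.e. every IPv4 and IPv6 source.
DEFAULT_ALLOWED = [AllowedSource("0.0.0.0", 0), AllowedSource("::", 0)]

# Constructed example of a locked-down list: only one upstream host (e.g. a load
# balancer at 203.0.113.10) arriving on eth0 may connect.
UPSTREAM_ONLY = [AllowedSource("203.0.113.10", 32, "eth0")]


if __name__ == "__main__":
    for entries, name in ((DEFAULT_ALLOWED, "default"), (UPSTREAM_ONLY, "upstream-only"), ([], "empty")):
        for src, iface in (("203.0.113.10", "eth0"), ("203.0.113.10", "eth1"), ("198.51.100.7", "eth0")):
            print(f"{name:14} {src:15} via {iface}: {'allow' if is_allowed(entries, src, iface) else 'deny'}")
```

Evaluate entries with the same three rules the appliance applies; the only decision a list owner has to make is whether an address-only entry is wide enough to admit sources that should have been restricted by interface as well.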
SPA Mode. Override the SPA mode on this appliance.
The SPA override allows the SPA mode to be changed for a specific appliance, which is useful when the global SPA mode does not suit every situation. For example:
When a Site with two Gateways needs additional protection, UDP-TCP SPA mode can be enabled just for those two appliances.
When users have trouble connecting from some locations, a fallback Gateway can be configured to allow TCP SPA mode.
Refer to the section on Single Packet Authorization before enabling this feature.
Enable Proxy Protocol. When enabled, the appliance only accepts connections that begin with a proxy protocol header (as sent by a load balancer or reverse proxy in front of the appliance); connections without the header are rejected.
NOTE
Because the traffic now arrives from a known source (the load balancer or proxy that adds the header), Allowed Sources should be restricted to that source.
Failing to do so introduces a security risk: anyone who can reach the port can send their own proxy protocol header and misrepresent their source IP address. The forged address becomes the ClientSrcIP claim, which may then be used to assign policies or evaluated in conditions.
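The spoofing risk described in the note, as an added example in Python (not the appliance's code). It parses a PROXY protocol v1 header, then contrasts a receiver that trusts the header from any peer with one that accepts it only from a trusted upstream address. The trusted address 203.0.113.10, the attacker address 198.51.100.99 and the sample headers are constructed for the example.

```python
import ipaddress
from typing import Dict, Optional

# Constructed: the only host allowed to speak PROXY protocol to this port,
# i.e. what Allowed Sources should be narrowed to when the feature is enabled.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]

# Constructed sample headers (PROXY protocol v1 text format):
#   PROXY <TCP4|TCP6> <src ip> <dst ip> <src port> <dst port>\r\n
LEGIT_HEADER = b"PROXY TCP4 198.51.100.7 203.0.113.20 45123 443\r\n"
# A direct client at 198.51.100.99 claiming to be an internal 10.0.0.5 address.
FORGED_HEADER = b"PROXY TCP4 10.0.0.5 203.0.113.20 40000 443\r\n"


def parse_proxy_v1(header: bytes) -> Dict[str, object]:
    """Parse a PROXY protocol v1 line; raise ValueError on anything malformed."""
    if not header.startswith(b"PROXY ") or not header.endswith(b"\r\n"):
        raise ValueError("missing PROXY v1 header")
    fields = header[:-2].decode("ascii").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 header")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match TCP4/TCP6 keyword")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"src_ip": str(src), "dst_ip": str(dst), "src_port": sport, "dst_port": dport}


def client_src_ip_insecure(peer_ip: str, header: bytes) -> str:
    """Trusts the header from any TCP peer: whatever the sender claims becomes
    the client source IP, so a direct client can forge it."""
    return str(parse_proxy_v1(header)["src_ip"])


def client_src_ip_secure(peer_ip: str, header: bytes) -> Optional[str]:
    """Only honours the header when the TCP peer is a trusted proxy.
    Returns None (reject the connection) for any other peer."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    return str(parse_proxy_v1(header)["src_ip"])


if __name__ == "__main__":
    print("insecure, forged from 198.51.100.99:", client_src_ip_insecure("198.51.100.99", FORGED_HEADER))
    print("secure,   forged from 198.51.100.99:", client_src_ip_secure("198.51.100.99", FORGED_HEADER))
    print("secure,   legit  from 203.0.113.10:", client_src_ip_secure("203.0.113.10", LEGIT_HEADER))
```

The secure variant is exactly the effect of narrowing Allowed Sources to the proxy: the header is only believed when the TCP peer is the host that is supposed to add it.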
Refer to Network Connectivity for more information.