
In-network table is misleading and lacking part of the requirements #2440

Open
1 task done
michaelrstewart1 opened this issue Dec 15, 2023 · 1 comment

Page URL

https://docs.netapp.com/us-en/cloudinsights/concept_cs_agent_requirements.html

Page title

Workload Security Agent Requirements

Summary

There are two issues with the “In-network rules” table in the documented workload security agent requirements.
https://docs.netapp.com/us-en/cloudinsights/concept_cs_agent_requirements.html#cloud-network-access-rules

  1. The first issue is that the “Destination” column is misleading. When this table is interpreted from a strict networking language perspective, the term “destination” makes it seem like the destination column is describing what will be the “destination address” for the given networking exception/rule. This specifically is confusing for the TCP 35000-55000 rule where the “destination address” in the described rule should be the agent but the “destination” column introduces confusion and can lead to someone thinking they need to make the destination address the data LIF. I suggest renaming that “Destination” column to something less confusing, such as “Interface”, or something more representative.

  2. The TCP port 7 row describes the requirement for port 7 to be open from the agent to the data LIF(s). In reality it appears there are two steps to this connectivity check, and they are not the same port or protocol…

  • The first step is the TCP port 7 echo request from the agent to the data LIF(s).
  • The second step is that (upon port 7 success) the data LIF performs an ICMP ping connectivity check from the data LIF to the agent.

If the second step above fails then the FPolicy channel is never opened and an error is thrown.
Since this ICMP ping connectivity from the data LIF to the agent is a requirement for the product to work, we should definitely have a row dedicated to that in the “In-network rules” table.

Public issues must not contain sensitive information

  • This issue contains no sensitive information.
@netapp-alavoie
Contributor

Hi Michael! Thanks for this feedback. These changes seem straightforward. I'll look into getting the page updated.

2 participants