GravityZone - Bitdefender on the NethServer network

firewall

(Manonthemoon Ak) #1

Hey,

I am trying to install the GravityZone - Bitdefender antivirus in my network.
The NethServer server blocks my ports. The antivirus does not connect with the cloud.
I need to open ports: 80, 443, 8443, 7074.
The first two look open. I'm trying to do it through Port Forwarding.
Unfortunately it does not work. Maybe a command line?
Can anyone help? NethServer always surprises me with something :wink:


(Michael Kicks) #2

Install on what kind of computer? On NethServer?

Port forwarding is for publishing/exposing a service on a public IP.
I think you should allow those ports in the firewall for outgoing connections.


(Markus Neuberger) #3

If I understand you correctly you need to open the ports on Nethserver to port forward to it from your router to let Bitdefender reach your server:

config set fw_bdnet service status enabled TCPPorts 8443,7074 access green
signal-event firewall-adjust

http://docs.nethserver.org/projects/nethserver-devel/en/v7/services.html#add-a-new-network-service


(Manonthemoon Ak) #4

No. It installs from a PC. The PC is the "Relay". It will be sending packages.
But that is not the point.

A single installation does not connect with the cloud. I did the test. I connected the computer to the LTE network. And everything works.
NethServer blocks my anti-virus. Sure ports.


(Michael Kicks) #5

Did you read the firewall log?


(Markus Neuberger) #6

Could it be you need some more ports? (outgoing should work by default)

https://www.bitdefender.com/support/gravityzone-communication-ports-1132.html

The Nethserver docs for port forwarding:

http://docs.nethserver.org/en/v7/firewall.html#port-forward

Did you configure Nethserver firewall to generally block all outgoing traffic or do you use a proxy or some web filter/reputation thing?



(Manonthemoon Ak) #7

I have not changed anything.
The server works as DHCP, network filter and samba.
I saw this list. Maybe I need to add more ports? The producer notes that it requires these 4 ports from the first post.

I have to move now. So the conversation will be limited. Of course, I will read all suggestions! :wink:


(Markus Neuberger) #8

Do you mean web content filter?
It has an option to block access to web sites using IP. Some antivirus get their updates via direct access to IP so deactivating it may help:


Can you check which ports are used incoming/outgoing via /var/log/firewall.log to see which ports are blocked?
You may also check it on your computer with LTE.

Sorry, I still don’t get how this Gravityzone thing works. Is it just an antivirus client or does it have an internal management server which needs the open ports for internal network?

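The suggestion above is to read /var/log/firewall.log to see which ports get blocked. The following is an added example, not code from the thread or from NethServer, that filters such a log for dropped/rejected connections to a given list of destination ports. It assumes the Shorewall-style kernel log line format (`Shorewall:<chain>:<action>:` followed by `SRC=`, `DST=`, `DPT=` fields); the sample lines are constructed for the example, with documentation-range addresses.

```shell
#!/bin/sh
# Constructed sample lines in the assumed Shorewall log format (not real log data).
SAMPLE_LOG='Mar  3 10:01:02 nethserver kernel: Shorewall:loc2net:REJECT:IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=8443
Mar  3 10:01:03 nethserver kernel: Shorewall:loc2net:REJECT:IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.11 PROTO=TCP SPT=51235 DPT=7074
Mar  3 10:01:04 nethserver kernel: Shorewall:loc2net:ACCEPT:IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=51236 DPT=443
Mar  3 10:01:05 nethserver kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=4444 DPT=22'

# blocked_hits PORTS
#   Reads log lines on stdin and prints "ACTION DPT DST" for every line whose
#   Shorewall action is DROP or REJECT and whose destination port is in PORTS
#   (a comma-separated list). Lines with ACCEPT or other ports are ignored.
#   Usage against the real file: blocked_hits "8443,7074" < /var/log/firewall.log
blocked_hits() {
  awk -v ports="$1" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    /Shorewall:[^:]+:(DROP|REJECT):/ {
      # Extract the action between the chain name and the next colon.
      action = $0
      sub(/.*Shorewall:[^:]+:/, "", action)
      sub(/:.*/, "", action)
      dpt = ""; dst = ""
      # Fields are whitespace-separated KEY=VALUE tokens.
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
        if ($i ~ /^DST=/) dst = substr($i, 5)
      }
      if (dpt in want) print action, dpt, dst
    }'
}

# Stand-alone run over the constructed sample for the two GravityZone ports.
printf '%s\n' "$SAMPLE_LOG" | blocked_hits "8443,7074"
```

Only blocked lines for the listed ports are printed, so a clean result for 8443 and 7074 while the client still fails points away from the packet filter and towards something else in the path (the web content filter, as it turned out in this thread).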

(Gabriel GHEORGHIU) #9

Hi @Manonthemoon_AK,
Hi @mrmarkuz,

For his version of Bitdefender GravityZone, the management is in the cloud.
On computers (WSs, Servers, …) a "client" must be installed.
The update of the client is done from the Cloud. Also, the client communicates all the time with the Management Console in the Cloud.
Usually, during installation of the client, the installer software automatically opens local firewall ports for communication with the Cloud. Connecting the WS directly to LTE, the client communicates with the Cloud. So, it is not a WS issue.

Check the outbound path on NS (also @pike suggested that):
For testing only, create an “any to any” rule, from GREEN to RED to see if in this case everything is OK.
If yes, disable the rule and create another rule from GREEN to RED with 8443 and 7074 ports, opened, and check again.
Also, check the proxy path, as @mrmarkuz suggested. Do you use Proxy with SSL?

Do you have a router between NS and the ISP? Maybe the issue is there.

PS:
You may also need a port forwarding rule (Inbound traffic) on NS, from RED to GREEN, to open port 7074 for "Communication messages received from endpoints linked to Endpoint Security Relay", if available.

Maybe it helps:

https://www.bitdefender.ro/support/bitdefender-small-office-security-(cloud-console)-communication-ports-1256.html

http://docs.nethserver.org/en/v7/web_proxy.html


(Michael Kicks) #10

This conflicts, as far as I can remember, with the "cloud setup" needs. There's no server in the LAN, only GravityZone clients…


(Gabriel GHEORGHIU) #11

Yes, but as a requirement, whether or not there is a server in the LAN, at least one PC must be installed as "relay".

"Warning

  • The first machine on which you install protection must have Relay role, otherwise you will not be able to deploy the security agent on other endpoints in the network.
  • The Relay machine must be powered-on and online in order for the clients to communicate with Control Center."

https://download.bitdefender.com/SMB/Cloud/GravityZone/en_US/Bitdefender_GravityZone_InstallationGuide_11_enUS.pdf

https://www.bitdefender.com/support/gravityzone-(cloud-console)-communication-ports-1256.html


(Manonthemoon Ak) #12

Just as my friends wrote. You can install it on a server or on one computer (Relay) that sends packets. I chose the second version.

I'm ashamed, but I do not know how to open these ports :/ How do I switch GREEN to RED?
Can I turn it on in the panel? Or is there only a command line?
I can attach logs for you if it helps with anything.


(Gabriel GHEORGHIU) #13

I don’t have the necessary resources to check if it is correct and if it works, but you can try from GUI:

  1. Gateway -> Firewall objects -> Services -> CREATE NEW:
  • Name: bdfgz-relayin
  • Protocol: TCP
  • Ports: 7074
  • SUBMIT
  2. Gateway -> Firewall objects -> Services -> CREATE NEW:
  • Name: bdfgz-relayout
  • Protocol: TCP
  • Ports: 7074,8443
  • SUBMIT
  3. Gateway -> Firewall rules -> Create rule at bottom:
  • Enabled: check
  • Action: Accept
  • Source: Role green
  • Destination: Role red
  • Service: type bdf in search box and choose the bdfgz-relayout service
  • Time condition: Always
  • SUBMIT
  • APPLY CHANGES
  4. Gateway -> Firewall rules -> Create rule at bottom:
  • Enabled: check
  • Action: Accept
  • Source: Role red
  • Destination: Role green
  • Service: type bdf in search box and choose the bdfgz-relayin service
  • Time condition: Always
  • SUBMIT
  • APPLY CHANGES
  5. Check the BDFGZ functionality

Or, you can first try to create a rule to check if BDFGZ passes through NS without restriction (in fact, everything will pass through NS, in and out):

  1. Gateway -> Firewall rules -> Create rule at bottom:
  • Enabled: check
  • Action: Accept
  • Source: Any
  • Destination: Any
  • Service: Any
  • Time condition: Always
  • SUBMIT
  • APPLY CHANGES
  2. Check the BDFGZ functionality

(Manonthemoon Ak) #14

Thank you very much.
I can always rely on you guys.
I'll check in the morning and let you know.


(Manonthemoon Ak) #15

Thank you again!
It was enough to deselect the Filter in the web content filter.
Thanks, thanks, thanks :slight_smile: @mrmarkuz and @GG_jr
The rest will be useful for the future.


(Gabriel GHEORGHIU) #16

Hi @Manonthemoon_AK,

Good news!

Please mark as “solved” the @mrmarkuz answer.

Kind regards,
Gabriel


(Michael Kicks) #17

If you need the web content filter working, you'll have to add exceptions for the GravityZone servers.