The API Gateway uses iptables as a software firewall to protect the API Gateway appliance and the applications running on it. The firewall ruleset for the API Gateway can be configured via the Manage Firewall Rules dialog within the Manage Listen Ports task. This feature is available in version 7.1.0 and later and should be used in lieu of manually modifying the default iptables ruleset. The API Gateway application, when part of an API Gateway appliance deployment, expects certain firewall rules to be present in the default ruleset (located at /etc/sysconfig/iptables). The Gateway may fail to start if this ruleset has been changed outside of the Manage Firewall Rules dialog.
The following error message may be printed in the Gateway logs when trying to start:

    Did not find a matching start rule in current iptables config (Firewall rules not updated)
This message indicates that the API Gateway was attempting to find the appropriate starting position to make changes to the active ruleset and was unable to do so. The Gateway looks for a specific rule in the ruleset and will fail to update the firewall rules if that rule is modified or not present.
To troubleshoot this issue:

1. Ensure that the software firewall is running by executing service iptables restart. This will stop and start the software firewall on the Gateway.
2. Ensure that the firewall ruleset has not been changed by executing rpm -qV ssg-appliance | grep iptables. No entry will be printed if the software firewall rules are set appropriately; any line that is printed means the packaged ruleset file has been modified.
If the issue is resolved by restarting the software firewall, ensure that the software firewall remains active at all times. If reinitializing the software firewall does not resolve the issue, or if the firewall rules have been changed, please contact CA Support for further assistance.
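The two checks above can be combined into a single pre-start health check that an administrator can run from a cron job or a monitoring agent before the Gateway is (re)started. The script below is an added example, not part of the CA API Gateway product or of this article. It uses the package name ssg-appliance and the path /etc/sysconfig/iptables exactly as given above; the use of service iptables status for the "is it running" test is an assumption (the article only mentions service iptables restart), and the rpm -qV output it is demonstrated on is constructed, not captured from a real appliance. What it adds to the article is an explanation of the rpm -qV line when one is printed: the flag field tells you which file attributes differ from the packaged ruleset.

```shell
#!/bin/sh
# Added example (not CA API Gateway product code): pre-start firewall health check.
#
# rpm -qV prints one line per file that differs from the package:
#   <9-char flag field>  [c] <path>
# Flag characters: S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities; '.' means the attribute matches.
# A removed file is reported as "missing" instead of a flag field.

# Turn a flag field such as "S.5....T." into a readable list of differences.
describe_rpm_flags() {
    flags="$1"
    out=""
    case "$flags" in *S*) out="$out size";; esac
    case "$flags" in *M*) out="$out mode";; esac
    case "$flags" in *5*) out="$out digest";; esac
    case "$flags" in *U*) out="$out owner";; esac
    case "$flags" in *G*) out="$out group";; esac
    case "$flags" in *T*) out="$out mtime";; esac
    printf '%s' "${out# }"
}

# Inspect rpm -qV output ($1) for the iptables ruleset.
# Prints a verdict; returns 0 if the file is unmodified, 1 otherwise.
check_iptables_verify_output() {
    line=$(printf '%s\n' "$1" | grep '/etc/sysconfig/iptables$' || true)
    if [ -z "$line" ]; then
        echo "ok: /etc/sysconfig/iptables matches the ssg-appliance package"
        return 0
    fi
    case "$line" in
        missing*)
            echo "modified: /etc/sysconfig/iptables is missing from disk"
            return 1;;
    esac
    flags=$(printf '%s' "$line" | cut -c1-9)
    echo "modified: /etc/sysconfig/iptables differs in: $(describe_rpm_flags "$flags")"
    return 1
}

# Live check; needs root on the appliance. Assumes 'service iptables status'
# reports the service state (the article itself only shows 'restart').
firewall_precheck() {
    if ! service iptables status >/dev/null 2>&1; then
        echo "firewall: iptables is not running (try: service iptables restart)"
        return 1
    fi
    check_iptables_verify_output "$(rpm -qV ssg-appliance 2>/dev/null | grep iptables)"
}

# Constructed sample output (not from a real appliance): a hand-edited ruleset
# typically differs in size, digest and mtime.
SAMPLE_MODIFIED='S.5....T.  c /etc/sysconfig/iptables'
SAMPLE_CLEAN=''

if [ "${1:-}" = "--live" ]; then
    firewall_precheck
else
    # Offline demonstration on the constructed samples.
    check_iptables_verify_output "$SAMPLE_MODIFIED" || true
    check_iptables_verify_output "$SAMPLE_CLEAN"
fi
```

Run it with --live on the appliance to perform the real checks; without arguments it only exercises the parser on the constructed samples. A non-zero exit from firewall_precheck is the signal to stop and either restart the firewall or, if the ruleset itself is reported as modified, open a case with CA Support as the article advises rather than editing /etc/sysconfig/iptables by hand.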