Possible firewall issue accessing Elasticsearch

[ConRock5000]

Hi,

I am accessing Elasticsearch via curl commands.
The issue I have is that the service is unreachable, even after using so-allow, unless I type the command:
sudo firewall-cmd --reload

Once I do that, the curl command instantly returns with results, but only for a little while, maybe 5 or 10 minutes, then I have to perform the firewall reload command again.

I tried adding the port to the firewall but still after 5 to 10 minutes the curl command fails unless I keep running the firewall reload command.

I setup a second Security Onion but ran into the issue again.

Am I missing a step? Is there another Security Onion command I need to run?

My setup is the SO eval running as a VM. I am accessing it from the host machine with curl commands.

Thanks in advance for any time and help.

Frank

[dougburks]

How exactly are you running so-allow?
https://docs.securityonion.net/en/2.3/so-allow.html

After running so-allow, do you see the firewall rule when you run the following command?

sudo iptables -nvL

[ConRock5000]

Thanks. It was user error.
I never bothered to look at the other options.
When I ran through setup I was just selecting Analyst. I needed to select Elasticsearch REST API.