topic ping between server is not working in General Topics

ping between server is not working

KotreshaMC — Tue, 07 Jun 2016 12:27:14 GMT

Hi,

I have created a rule to allow ping between to and fro from servers below is the scenario

source zone: A, B, C

Source IP: 1 , 2 , 3

Destination zone: A, B, C

Destination IP: 1, 2, 3

Application: Ping

Service: application-default

action: Allow

But the rule is not triggering, the traffic is denied due to dafault deny...

can anyboady tell me the whats the reason for this?? and how i can resolve it?

Thanks in advance

Re: ping between serve is not working

Transporter — Mon, 06 Jun 2016 14:37:56 GMT

hi,

Reason is that the traffic is not hitting your policy, instead hits your default deny rule.

Re: ping between serve is not working

jdelio — Mon, 06 Jun 2016 15:54:58 GMT

As the policy is Top-down, it will match on the rules in order.

You have created the rule to allow Ping, but the question is where is this rule in the policy?

Re: ping between serve is not working

KotreshaMC — Tue, 07 Jun 2016 06:55:50 GMT

the rule is on the top of default deny but still it's not working.

Re: ping between serve is not working

kiwi — Tue, 07 Jun 2016 07:40:32 GMT

Can you enable logging of your default deny rule (this is not enabled by default).

Can you confirm the zones / IP's when you check the actual drop log ?

Cheers,

-Kim.

Re: ping between serve is not working

KotreshaMC — Tue, 07 Jun 2016 07:43:03 GMT

Yes we have enabled it and i can see it the Zones and ips are correct but still it's not working

Re: ping between serve is not working

reaper — Tue, 07 Jun 2016 07:50:01 GMT

are you seeing ICMP ping being dropped or UDP?

the AppID application 'ping' is for ICMP echo requests only. if your host is sending out UDP pings, they will not match

Re: ping between serve is not working

KotreshaMC — Tue, 07 Jun 2016 08:10:56 GMT

I can see ICMP IP protocol in the logs.

Re: ping between serve is not working

Transporter — Tue, 07 Jun 2016 08:49:10 GMT

Hi,

Just for test add in the policy application field "ping" and "ICMP" apps and try.

Re: ping between serve is not working

tsrivastav — Tue, 07 Jun 2016 10:48:55 GMT

Is the server is located behind the firewall and you are trying to ping from outside ? ( nat and security policy needs to be checked )

If that is not the case then it may also happen the new sessions are getting matched with the old discard sessions.

Most likely as me peers mentioned above either the deny policy is above the allow policy or there the zones and the ips needs to be cross checked once again

Tarang

Re: ping between serve is not working

KotreshaMC — Tue, 07 Jun 2016 12:26:35 GMT

Yes i can confirm that the rule is above the default deny and we are allowing ping to and fro from cloud servers to internal servers. There no NAT applied on this.

however i have added ICMP to the rule and waiting for the test

Re: ping between serve is not working

KotreshaMC — Mon, 13 Jun 2016 04:38:51 GMT

After adding icmp to application it's started working fine.

Thanks for your all support guys.

Re: ping between serve is not working

Transporter — Mon, 13 Jun 2016 08:26:06 GMT

Glad it is working!