topic Re: ANY policy not matching host traffic in General Topics

ANY policy not matching host traffic

Sly_Cooper — Tue, 29 Jan 2013 12:56:20 GMT

Hi,

I am troubleshooting SMTP access issue and for the same I have configured ANY allow policy for the host (src). I however dont see the SMTP matched in the policy. The ANY policy is device specific and is configured at top. All policies after that are pushed via Panorama. We have a default catch-all policy at the bottom and the SMTP traffic matches that policy. I can see ping, http access in my ANY allow policy. What is going wrong here?

Re: ANY policy not matching host traffic

reaper — Tue, 29 Jan 2013 13:41:13 GMT

Would you be able to add some screenshots that demonstrate what you are seeing ? an ANY rule in front of panorama "post" rules should pick up all traffic from that one src, a screenshot of your log (detail), the policy and your zones/interfaces may help pinpoint the issue

regards

Tom

Re: ANY policy not matching host traffic

gswcowboy — Tue, 29 Jan 2013 13:41:52 GMT

what do you see when you run the following? replace the ip with your source host's ip in addition to your specific zones

admin@oliver(active)> test security-policy-match from L3_Trust to L3_Untrust source 172.20.16.24 destination 199.127.127.54 protocol 6 application smtp destination-port 25

Re: ANY policy not matching host traffic

Sly_Cooper — Tue, 29 Jan 2013 13:51:01 GMT

I am running vwire based setup. When I try the > test security-policy match command, it shows the correct ANY policy.

Re: ANY policy not matching host traffic

spolo — Tue, 29 Jan 2013 22:59:26 GMT

You might want to check your logs here or the session table to further understand why it doesn't match your initial rule. It could be, for example, that it's the destination IP and not the source IP, or that it doesn't match on some other field (port? zone? etc.) . Any match condition that doesn't match exactly will skip that rule and move down the list. Since I believe it's highly likely you're missing a match criteria, I think the best way for us to help you here to see what you're missing is to post screen shots of the rule and a log entry, or the rule and the session information so we can help see what didn't match.

Re: ANY policy not matching host traffic

panwmod — Wed, 30 Jan 2013 14:55:55 GMT

You could also try to temporarily enable logging for all traffic, that will catch intra-zone traffic and the hard coded drop as well.

set system setting logging default-policy-logging <value> (Value is 0-300 seconds)

Re: ANY policy not matching host traffic

gswcowboy — Wed, 30 Jan 2013 15:16:37 GMT

I'd look at the flow basic information for this filtered source and destination IPs. This will help with root cause analysis. Call into Support or your ASC for further assistance.

Re: ANY policy not matching host traffic

Sly_Cooper — Thu, 31 Jan 2013 09:15:17 GMT

Sure. I will check with support. Thank you all.