Does IDMGR Dump ID Number Correlate with Flow Basic Index Number?

15548
Created On 09/25/18 19:21 PM - Last Modified 06/08/23 06:32 AM


Symptom


After verifying that both the security policy and the NAT policy are configured correctly, you find that network traffic is still not matching the expected security policy. As a result, the traffic is being allowed or denied by a different policy than the one intended.


An important thing to note: when you configure your security policy on the Application tab and set the service to application-default, traffic may not match that security policy if the application is using non-standard ports.


Example

If the SSH application you are troubleshooting uses a port other than port 22, the intended security policy will not be matched and the application may be blocked by a different security policy. Application-default enforces the use of the standard ports assigned to each application.

[Screenshots: SSH1.PNG, SSH2.PNG]

Diagnosis

There is a common misconception that the ID number in the dump idmgr command output correlates with the rule index number shown in the flow basic debug output. Relying on that assumption leads to an incorrect diagnosis.


IDMGR DUMP OUTPUT

admin@PA-200> debug device-server dump idmgr type security-rule all
 
ID         Name
---------- --------------------
1          intrazone-default
2          interzone-default
3          YouTube
4          SSH BRUTE FORCE TEST
5          VPN_ALLOW_192.168.55.1
6          Kids Strict Rule Base
7          Customer Allow All
8          Outbound Allow All
9          VLAN_100 to Trust Allow
10         Log All
11         Inbound Clean Up
12         T-Mobile Tower
13         DVR_Policy
 
Type: 13 Last id: 14 Mismatch cnt: 0


Resolution


The proper way to map a flow basic index to a security policy rule is to run the show running security-policy command and count the rules from the top down, starting at index 0. The position of a rule in that listing is the index reported by flow basic, so you can correlate the two directly.


admin@PA-200> show running security-policy | match "\{"
DVR_Policy {                    index 0
"SSH BRUTE FORCE TEST" {        index 1
VPN_ALLOW_192.168.55.1 {        index 2
"Kids Strict Rule Base" {       index 3
"Customer Allow All" {          index 4
"Outbound Allow All" {          index 5
"T-Mobile Tower" {
"Inbound Clean Up" {
intrazone-default {
interzone-default {


The flow basic debug output shows the traffic matching security policy index 5:


== 2016-09-11 15:48:45.817 -0700 ==
Packet received at slowpath stage
Packet info: len 89 port 17 interface 17 vsys 1
  wqe index 229141 packet 0x0x80000000b7aca0c6
Packet decoded dump:
L2:     44:39:c4:59:8c:38->b4:0c:25:4d:19:11, type 0x0800
IP:     10.200.10.118->4.2.2.2, protocol 17
        version 4, ihl 5, tos 0x00, len 75,
        id 27506, frag_off 0x0000, ttl 128, checksum 46062
UDP:    sport 54308, dport 53, len 55, checksum 49523
Session setup: vsys 1
PBF lookup (vsys 1) with application none
Session setup: ingress interface ethernet1/2 egress interface ethernet1/4 (zone 3)
NAT policy lookup, matched rule index 0
DoS policy lookup, no rule matched, let pkt go
Policy lookup, matched rule index 5,     <--- Security index
Allocated new session 40164.
Packet matched vsys 1 NAT rule 'SRC_NAT_10.200.x.x' (index 1),
source translation 10.200.10.118/54308 => 10.0.0.5/35941
Created session, enqueue to install
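As an added example (not part of the article or the PAN-OS CLI), the Python helper below derives the flow basic index-to-rule mapping by counting the rule lines of show running security-policy from index 0, resolves the "Policy lookup, matched rule index N" line from the debug output to a rule name, and contrasts that with the idmgr IDs. The sample outputs are constructed from the listings above (the idmgr table is abridged).

```python
import re
# Constructed sample of `show running security-policy | match "\{"` as in
# the article; the CLI quotes rule names that contain spaces.
SECURITY_POLICY_OUTPUT = '''\
DVR_Policy {
"SSH BRUTE FORCE TEST" {
VPN_ALLOW_192.168.55.1 {
"Kids Strict Rule Base" {
"Customer Allow All" {
"Outbound Allow All" {
"T-Mobile Tower" {
"Inbound Clean Up" {
intrazone-default {
interzone-default {
'''
# Constructed, abridged rows of the idmgr dump table shown above.
IDMGR_OUTPUT = '''\
ID         Name
---------- --------------------
1          intrazone-default
8          Outbound Allow All
13         DVR_Policy
'''
RULE_LINE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*\{')
IDMGR_ROW = re.compile(r'^(\d+)\s+(.+?)\s*$')
MATCH_LINE = re.compile(r'Policy lookup, matched rule index (\d+)')

def index_rules(policy_output):
    """Flow basic index -> rule name: count rules top down, starting at 0."""
    names = []
    for line in policy_output.splitlines():
        m = RULE_LINE.match(line)
        if m:
            names.append(m.group(1) or m.group(2))
    return dict(enumerate(names))

def idmgr_ids(idmgr_output):
    """Rule name -> idmgr ID; these IDs are NOT flow basic indexes."""
    ids = {}
    for line in idmgr_output.splitlines():
        m = IDMGR_ROW.match(line)
        if m:
            ids[m.group(2)] = int(m.group(1))
    return ids

def resolve_flow_basic_match(debug_line, policy_output=SECURITY_POLICY_OUTPUT):
    """Name of the rule a flow basic 'matched rule index N' line refers to."""
    m = MATCH_LINE.search(debug_line)
    return index_rules(policy_output).get(int(m.group(1))) if m else None
```

Note that the NAT lookup line ("NAT policy lookup, matched rule index 0") is a different lookup and is deliberately not resolved against the security rulebase.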




    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWSCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail