ANY policy not matching host traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

ANY policy not matching host traffic

L4 Transporter

Hi,

I am troubleshooting SMTP access issue and for the same I have configured ANY allow policy for the host (src). I however dont see the SMTP matched in the policy. The ANY policy is device specific and is configured at top. All policies after that are pushed via Panorama. We have a default catch-all policy at the bottom and the SMTP traffic matches that policy. I can see ping, http access in my ANY allow policy. What is going wrong here?

7 REPLIES 7

Cyber Elite
Cyber Elite

Hi

Would you be able to add some screenshots that demonstrate what you are seeing ? an ANY rule in front of panorama "post" rules should pick up all traffic from that one src, a screenshot of your log (detail), the policy and your zones/interfaces may help pinpoint the issue

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L6 Presenter

what do you see when you run the following? replace the ip with your source host's ip in addition to your specific zones

admin@oliver(active)> test security-policy-match from L3_Trust to L3_Untrust source 172.20.16.24 destination 199.127.127.54 protocol 6 application smtp destination-port 25

I am running vwire based setup. When I try the > test security-policy match command, it shows the correct ANY policy.

You might want to check your logs here or the session table to further understand why it doesn't match your initial rule.  It could be, for example, that it's the destination IP and not the source IP, or that it doesn't match on some other field (port? zone? etc.) .  Any match condition that doesn't match exactly will skip that rule and move down the list.  Since I believe it's highly likely you're missing a match criteria, I think the best way for us to help you here to see what you're missing is to post screen shots of the rule and a log entry, or the rule and the session information so we can help see what didn't match.

L0 Member

You could also try to temporarily enable logging for all traffic, that will catch intra-zone traffic and the hard coded drop as well.

   set system setting logging default-policy-logging <value>  (Value is 0-300 seconds)

I'd look at the flow basic information for this filtered source and destination IPs. This will help with root cause analysis. Call into Support or your ASC for further assistance.

Sure. I will check with support. Thank you all.

  • 3805 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!