I am troubleshooting SMTP access issue and for the same I have configured ANY allow policy for the host (src). I however dont see the SMTP matched in the policy. The ANY policy is device specific and is configured at top. All policies after that are pushed via Panorama. We have a default catch-all policy at the bottom and the SMTP traffic matches that policy. I can see ping, http access in my ANY allow policy. What is going wrong here?
Would you be able to add some screenshots that demonstrate what you are seeing ? an ANY rule in front of panorama "post" rules should pick up all traffic from that one src, a screenshot of your log (detail), the policy and your zones/interfaces may help pinpoint the issue
what do you see when you run the following? replace the ip with your source host's ip in addition to your specific zones
admin@oliver(active)> test security-policy-match from L3_Trust to L3_Untrust source 172.20.16.24 destination 18.104.22.168 protocol 6 application smtp destination-port 25
You might want to check your logs here or the session table to further understand why it doesn't match your initial rule. It could be, for example, that it's the destination IP and not the source IP, or that it doesn't match on some other field (port? zone? etc.) . Any match condition that doesn't match exactly will skip that rule and move down the list. Since I believe it's highly likely you're missing a match criteria, I think the best way for us to help you here to see what you're missing is to post screen shots of the rule and a log entry, or the rule and the session information so we can help see what didn't match.
You could also try to temporarily enable logging for all traffic, that will catch intra-zone traffic and the hard coded drop as well.
set system setting logging default-policy-logging <value> (Value is 0-300 seconds)
I'd look at the flow basic information for this filtered source and destination IPs. This will help with root cause analysis. Call into Support or your ASC for further assistance.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!