ANY policy not matching host traffic

Reply
Highlighted
L4 Transporter

ANY policy not matching host traffic

Hi,

I am troubleshooting SMTP access issue and for the same I have configured ANY allow policy for the host (src). I however dont see the SMTP matched in the policy. The ANY policy is device specific and is configured at top. All policies after that are pushed via Panorama. We have a default catch-all policy at the bottom and the SMTP traffic matches that policy. I can see ping, http access in my ANY allow policy. What is going wrong here?

Highlighted
L7 Applicator

Re: ANY policy not matching host traffic

Hi

Would you be able to add some screenshots that demonstrate what you are seeing ? an ANY rule in front of panorama "post" rules should pick up all traffic from that one src, a screenshot of your log (detail), the policy and your zones/interfaces may help pinpoint the issue

regards

Tom

reaper - PANgurus.com
I drink and I know things
Highlighted
L6 Presenter

Re: ANY policy not matching host traffic

what do you see when you run the following? replace the ip with your source host's ip in addition to your specific zones

admin@oliver(active)> test security-policy-match from L3_Trust to L3_Untrust source 172.20.16.24 destination 199.127.127.54 protocol 6 application smtp destination-port 25

Highlighted
L4 Transporter

Re: ANY policy not matching host traffic

I am running vwire based setup. When I try the > test security-policy match command, it shows the correct ANY policy.

Highlighted
L4 Transporter

Re: ANY policy not matching host traffic

You might want to check your logs here or the session table to further understand why it doesn't match your initial rule.  It could be, for example, that it's the destination IP and not the source IP, or that it doesn't match on some other field (port? zone? etc.) .  Any match condition that doesn't match exactly will skip that rule and move down the list.  Since I believe it's highly likely you're missing a match criteria, I think the best way for us to help you here to see what you're missing is to post screen shots of the rule and a log entry, or the rule and the session information so we can help see what didn't match.

Highlighted
Not applicable

Re: ANY policy not matching host traffic

You could also try to temporarily enable logging for all traffic, that will catch intra-zone traffic and the hard coded drop as well.

   set system setting logging default-policy-logging <value>  (Value is 0-300 seconds)

Highlighted
L6 Presenter

Re: ANY policy not matching host traffic

I'd look at the flow basic information for this filtered source and destination IPs. This will help with root cause analysis. Call into Support or your ASC for further assistance.

Highlighted
L4 Transporter

Re: ANY policy not matching host traffic

Sure. I will check with support. Thank you all.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!