01-29-2013 04:56 AM
Hi,
I am troubleshooting an SMTP access issue, and for that I have configured an ANY allow policy for the host (src). However, I don't see SMTP matched in the policy. The ANY policy is device specific and is configured at the top. All policies after that are pushed via Panorama. We have a default catch-all policy at the bottom, and the SMTP traffic matches that policy. I can see ping and http access in my ANY allow policy. What is going wrong here?
01-29-2013 05:41 AM
Hi
Would you be able to add some screenshots that demonstrate what you are seeing? An ANY rule in front of Panorama "post" rules should pick up all traffic from that one src; a screenshot of your log (detail), the policy and your zones/interfaces may help pinpoint the issue.
regards
Tom
01-29-2013 05:41 AM
What do you see when you run the following? Replace the IP with your source host's IP, and use your specific zones:
admin@oliver(active)> test security-policy-match from L3_Trust to L3_Untrust source 172.20.16.24 destination 199.127.127.54 protocol 6 application smtp destination-port 25
01-29-2013 05:51 AM
I am running a vwire-based setup. When I try the > test security-policy-match command, it shows the correct ANY policy.
01-29-2013 02:59 PM
You might want to check your logs here or the session table to further understand why it doesn't match your initial rule. It could be, for example, that it's the destination IP and not the source IP, or that it doesn't match on some other field (port? zone? etc.). Any match condition that doesn't match exactly will skip that rule and move down the list. Since I believe it's highly likely you're missing a match criterion, I think the best way for us to help you see what you're missing is to post screenshots of the rule and a log entry, or the rule and the session information, so we can help see what didn't match.
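To illustrate the top-down, every-field-must-match evaluation described above, here is an added toy model (not code from the thread or from PAN-OS). Rule names, field names, zones and addresses are constructed; the top "local" rule is narrower on destination than its author assumes, so HTTP to the intranet server hits it while SMTP to a relay skips it and falls through to the catch-all.

```python
# Added example, not code from the thread or from PAN-OS: a toy model of
# first-match policy evaluation. Names and addresses are constructed.
from dataclasses import dataclass

ANY = frozenset({"any"})

@dataclass
class Rule:
    name: str
    from_zones: frozenset = ANY
    to_zones: frozenset = ANY
    sources: frozenset = ANY
    destinations: frozenset = ANY
    applications: frozenset = ANY
    action: str = "allow"

FIELDS = {  # rule attribute -> session key it is checked against
    "from_zones": "from_zone", "to_zones": "to_zone", "sources": "src",
    "destinations": "dst", "applications": "app",
}

def failed_fields(rule, session):
    """Return the rule fields the session does not satisfy ([] means a full match)."""
    return [attr for attr, key in FIELDS.items()
            if "any" not in getattr(rule, attr) and session[key] not in getattr(rule, attr)]

def first_match(rules, session):
    """Top-down evaluation: the first rule with no failed field decides the session."""
    for rule in rules:
        if not failed_fields(rule, session):
            return rule.name, rule.action
    return None, "drop"  # nothing matched: implicit hard-coded drop

# Constructed rulebase: device-local rule on top, Panorama-pushed rule, then catch-all.
RULES = [
    Rule("local-troubleshoot", sources=frozenset({"192.0.2.24"}),
         destinations=frozenset({"198.51.100.10"})),  # narrower than intended
    Rule("panorama-web", applications=frozenset({"web-browsing", "ping"})),
    Rule("catch-all", action="deny"),
]

# Constructed sessions from the same host: HTTP to the intranet server, SMTP to a relay.
HTTP = {"from_zone": "trust", "to_zone": "untrust", "src": "192.0.2.24",
        "dst": "198.51.100.10", "app": "web-browsing"}
SMTP = {"from_zone": "trust", "to_zone": "untrust", "src": "192.0.2.24",
        "dst": "203.0.113.25", "app": "smtp"}

if __name__ == "__main__":
    for label, s in (("http", HTTP), ("smtp", SMTP)):
        print(label, first_match(RULES, s), "top rule missed on:", failed_fields(RULES[0], s))
```

Comparing `failed_fields` of the top rule against the session's actual fields is the same exercise as reading the log detail or session table entry next to the rule.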
01-30-2013 06:55 AM
You could also try to temporarily enable logging for all traffic; that will catch intra-zone traffic and the hard-coded drop as well.
set system setting logging default-policy-logging <value> (Value is 0-300 seconds)
01-30-2013 07:16 AM
I'd look at the flow basic information for the filtered source and destination IPs. This will help with root cause analysis. Call in to Support or your ASC for further assistance.
01-31-2013 01:15 AM
Sure. I will check with support. Thank you all.