How to handle firewall self-traffic (management traffic / service routing)

Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to handle firewall self-traffic (management traffic / service routing)

L3 Networker


when I have a global clean-up rule that blocks/logs all unwanted traffic, my firewall management traffic (DNS lookups, PAN-DB updates etc) stop working if I configure it to use any other interface but the dedicated management ports.  So I added a lot of rules to allow this traffic. Which is really not what I want. I also see inconsistencies. For example, SMTP traffic from the firewall (for sending alarm emails) seems to work without having a security rule for it (destination is directly connected inside a DMZ), while PAN-DB lookups (to the internet) need a security rule. Same for DNS. This is really confusing and inconsistent.

Are there any guidelines or best practices on how to set this up?



L7 Applicator

The general recommendation is to not use a clean-up rule at all. The firewall allows all same-zone traffic by default, and denies all intra-zone traffic. Unless you have a specific requirement to log this traffic, a generic "deny all" policy is not needed.

If you do have that requirement, my recommendation is to make specific policies that exclude same-zone traffic. For example, if you have 3 zones (trust, untrust, dmz) you would make 3 policies:

Src: Trust; Dst: untrust or dmz; Deny

Src: DMZ; dst: untrust or trust; Deny

Src: Untrust; dst: trust or dmz; Deny

This gives you the logging, but prevents the issue you are running into by allowing same-zone traffic. When the firewall makes an outbound connection on a public L3 interface, the source and destination are the same zone and thus your cleanup rule denies it.

Hope this helps,


Thanks Greg, that makes sense. I am going to try that out.

One more question: If it is recommended to not use any cleanup rules at all and you effectively turn off all logging for dropped packets that way, how does this impact reporting and the ACC?

Rule logging doesn't affect ACC data ().

It does, however, affect what shows up under Monitor/Logs.  As far as reporting is concerned, it depends on which database you use.  The summary/statistics databases don't rely on rule logging.  Reports generated from the Detailed databases pull from the same database where the rule logging occurs.  (As a side-note, this is the reason why it takes more time to run a report against the detailed logs - as the reporting engine must parse through each and every applicable log entry.  Reporting from the Summary databases is much quicker, but doesn't have quite as much data as the detailed logs.. ie: src/dst port information, etc.) 


Excellent, thank JV. I think I am going for dedicated cleanup rules in each zone-context to get more details. Thanks!

  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!