12-07-2023 12:54 AM
Hi Team,
I just need an advise.
I have this setup as attached but I have this mystery that's been bugging me for days now. There is only one subnet which cannot access my internal resource.
I ran the filter and global counter and there are specific counters I noticed.
Can someone enlighten me on this?
Regards,
Renz
12-07-2023 01:19 AM
Hi @renzanjo11 ,
You might be experiencing this issue:
Packets Dropped: Forwarded to a Different Zone
Hope this helps,
-Kim.
12-07-2023 04:05 AM
you need to check on the monitor traffic logs and which policy it is hitting most probably its not hitting the correct policy.
12-08-2023 12:14 AM
Hi everyone!
Thank you very much for all of the suggestions.
I am pretty sure it's hitting the correct policy and NAT rules. I tried clearing the sessions but still no good.
I'm really confused what here I am doing wrong. I am so used to NAT and policies but this time I'm dropping.
I can give you a glimpse of the logs I got.
Regards,
Renz
12-08-2023 12:30 AM - edited 12-08-2023 01:13 AM
from the traffic logs you can see the application is incomplete, please take a packet capture from the monitor tab and when you initiate the traffic run the below command(run this command 3-5 times):
filter should be source: 111.223.89.115 dst: 116.12.174.226 and vice versa
show counter global filter packet-filter yes delta yes
from this command you check what firewall is doing to the traffic
12-08-2023 02:20 AM
@msyeedrafiqi Hi !
Thank you very much!
I am just curious, shouldn't I use the translated server address? Or for this case I should ignore it first?
Regards,
Renz
12-08-2023 02:34 AM
You are correct. the correct filter would be your private client ip and public destination IP
2- your natted Ip and the destination IP
3- destination IP and private IP
4- Destination - your public IP
12-08-2023 07:35 AM
Hi @msyeedrafiqi ,
Are these packet filter indexes?
2- your natted Ip and the destination IP
3- destination IP and private IP
4- Destination - your public IP
Regards,
Renz
12-08-2023 08:05 AM - edited 12-08-2023 08:05 AM
On the firewall packet capture we can only have 4 max filters.
The first filter would be Private Ip and Destination IP
Second would be vice versa
Third would be Natted IP and Destination IP
Fourth Vice versa
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
