06-06-2016 07:28 AM - edited 06-07-2016 05:27 AM
Hi,
I have created a rule to allow ping between to and fro from servers below is the scenario
source zone: A, B, C
Source IP: 1 , 2 , 3
Destination zone: A, B, C
Destination IP: 1, 2, 3
Application: Ping
Service: application-default
action: Allow
But the rule is not triggering, the traffic is denied due to dafault deny...
can anyboady tell me the whats the reason for this?? and how i can resolve it?
Thanks in advance
06-12-2016 09:38 PM
After adding icmp to application it's started working fine.
Thanks for your all support guys.
06-06-2016 07:37 AM
hi,
Reason is that the traffic is not hitting your policy, instead hits your default deny rule.
06-06-2016 08:54 AM
As the policy is Top-down, it will match on the rules in order.
You have created the rule to allow Ping, but the question is where is this rule in the policy?
06-06-2016 11:55 PM
the rule is on the top of default deny but still it's not working.
06-07-2016 12:40 AM
Can you enable logging of your default deny rule (this is not enabled by default).
Can you confirm the zones / IP's when you check the actual drop log ?
Cheers,
-Kim.
06-07-2016 12:43 AM
Yes we have enabled it and i can see it the Zones and ips are correct but still it's not working
06-07-2016 12:50 AM
are you seeing ICMP ping being dropped or UDP?
the AppID application 'ping' is for ICMP echo requests only. if your host is sending out UDP pings, they will not match
06-07-2016 01:10 AM
I can see ICMP IP protocol in the logs.
06-07-2016 01:49 AM
Hi,
Just for test add in the policy application field "ping" and "ICMP" apps and try.
06-07-2016 03:48 AM
Is the server is located behind the firewall and you are trying to ping from outside ? ( nat and security policy needs to be checked )
If that is not the case then it may also happen the new sessions are getting matched with the old discard sessions.
Most likely as me peers mentioned above either the deny policy is above the allow policy or there the zones and the ips needs to be cross checked once again
Tarang
06-07-2016 05:26 AM
Yes i can confirm that the rule is above the default deny and we are allowing ping to and fro from cloud servers to internal servers. There no NAT applied on this.
however i have added ICMP to the rule and waiting for the test
06-12-2016 09:38 PM
After adding icmp to application it's started working fine.
Thanks for your all support guys.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
