06-17-2020 03:59 AM
I have 2 outside interfaces configured with the below IPs.
When I try from the HE zone, it should go through the HE zone, but it is going to the untrust zone and getting denied.
I mean:
ISP 1 connected to interface 1/3 with default route 0.0.0.0 of metric 5
ISP 2 connected to interface 1/2 with default route 0.0.0.0 of metric 11
From ISP 1 interface 1/3 is pinging to 4.2.2.2 and we are able to see the traffic log, which is allowed by the intra-zone policy.
From ISP 2 interface 1/2 is not pinging to 4.2.2.2 and is getting denied by the inter-zone policy.
It's possible to ping from the 1/2 interface itself toward the Internet.
06-17-2020 03:01 PM
So some things to keep in mind:
1) The firewall is routing your traffic as you've specified with your routes. ISP1 has the lowest metric and is always going to be selected unless you utilize path-monitoring on the route so the route can be removed from the RIB and FIB, which would make your secondary route take over. This is why you are seeing the traffic as you are; the traffic is going to utilize ISP1.
2) If you are using PBF to attempt to route some of the traffic through ISP2, traffic has to ingress a firewall interface to be evaluated for PBF. Traffic sourced directly from the firewall isn't going to hit any PBF you have configured. So while a PBF for traffic routing will work for clients behind the firewall, it won't work for anything terminating on the firewall itself or sourced from the firewall itself.
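The two points above can be checked against a small model of the forwarding decision. The following is an added example written for this thread, not code from the original post or from Palo Alto Networks: it models the FIB lookup (longest prefix, then lowest metric, with a path-monitor-failed route withdrawn), the rule that PBF is only consulted for traffic that ingressed an interface, and the default rulebase behaviour the question describes (intra-zone allowed, inter-zone denied). The interface names `ethernet1/2` and `ethernet1/3`, the `evaluate()` helper and the PBF rule are assumptions chosen to mirror the thread's setup.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Constructed model of the thread's setup (hypothetical interface names):
# ISP1 on ethernet1/3 in zone "untrust", metric 5; ISP2 on ethernet1/2 in zone "HE", metric 11.

@dataclass(frozen=True)
class StaticRoute:
    name: str
    destination: str              # prefix, e.g. "0.0.0.0/0"
    interface: str                # egress interface
    zone: str                     # zone the egress interface belongs to
    metric: int
    path_monitor_up: bool = True  # False: path monitor failed, route withdrawn from RIB/FIB

@dataclass(frozen=True)
class PbfRule:
    name: str
    ingress_zone: str             # PBF matches on where the packet entered the firewall
    egress_interface: str
    egress_zone: str

def fib_lookup(routes: Iterable[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Longest prefix match first, then lowest metric.
    Routes whose path monitor has failed are not installed and can never win."""
    addr = ip_address(dst)
    installed = [r for r in routes if r.path_monitor_up and addr in ip_network(r.destination)]
    if not installed:
        return None
    return min(installed, key=lambda r: (-ip_network(r.destination).prefixlen, r.metric))

def select_egress(routes, pbf_rules, src_zone, dst, firewall_sourced):
    """Pick the egress interface and zone for a packet.
    PBF is only consulted for transit traffic that ingressed an interface;
    traffic generated by the firewall itself skips PBF and goes straight to the FIB."""
    if not firewall_sourced:
        for rule in pbf_rules:
            if rule.ingress_zone == src_zone:
                return rule.egress_interface, rule.egress_zone, f"PBF '{rule.name}'"
    route = fib_lookup(routes, dst)
    if route is None:
        return None, None, "no route"
    return route.interface, route.zone, f"route '{route.name}' metric {route.metric}"

def policy_verdict(src_zone, dst_zone):
    """No explicit rules, as in the thread: intrazone-default allows, interzone-default denies."""
    return "allow (intrazone-default)" if src_zone == dst_zone else "deny (interzone-default)"

def evaluate(src_zone, dst="4.2.2.2", firewall_sourced=True, isp1_up=True, pbf_rules=()):
    """Run one packet through routing and policy and report what happened."""
    routes = [
        StaticRoute("ISP1", "0.0.0.0/0", "ethernet1/3", "untrust", 5, path_monitor_up=isp1_up),
        StaticRoute("ISP2", "0.0.0.0/0", "ethernet1/2", "HE", 11),
    ]
    iface, zone, reason = select_egress(routes, pbf_rules, src_zone, dst, firewall_sourced)
    verdict = policy_verdict(src_zone, zone) if zone else "drop (no route)"
    return {"egress_interface": iface, "egress_zone": zone, "reason": reason, "verdict": verdict}

if __name__ == "__main__":
    print("untrust -> 4.2.2.2:", evaluate("untrust"))
    print("HE -> 4.2.2.2:", evaluate("HE"))
    print("HE, ISP1 path monitor down:", evaluate("HE", isp1_up=False))
    pbf = (PbfRule("HE-via-ISP2", "HE", "ethernet1/2", "HE"),)
    print("HE transit traffic with PBF:", evaluate("HE", firewall_sourced=False, pbf_rules=pbf))
    print("HE firewall-sourced with PBF:", evaluate("HE", pbf_rules=pbf))
```

Running it reproduces the thread: traffic that starts in the untrust zone leaves via ethernet1/3 and stays intra-zone, traffic from the HE zone also leaves via ethernet1/3 (metric 5 wins) and is denied by the inter-zone default, withdrawing ISP1 through path monitoring moves HE traffic onto ethernet1/2, and a PBF rule fixes the HE case only for transit traffic while firewall-sourced traffic still follows the metric-5 route.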
06-17-2020 02:15 PM
Sounds like you don't have a security rulebase entry that actually allows the traffic; you'll still need to allow the traffic.
06-17-2020 02:29 PM
Yes, there is no ruleset...
The interfaces 1/2 and 1/3 have a default route 0.0.0.0/0 with different metric values to their respective ISPs' next hop.
Interface 1/2 is attached to the HE security zone and interface 1/3 is attached to the Untrust zone.
The default route of interface 1/2 has metric value 11 and that of interface 1/3 has metric value 5.
But while interface 1/3 in the untrust zone reaches the internet with its own interface, when interface 1/2 in the HE zone tries to reach the internet it goes out via the untrust interface...
So I am looking for anything to do so that it can reach the internet with its own interface...