For details on cookie usage on our site, read our Privacy Policy
Random denial
- LIVEcommunity
- Discussions
- General Topics
- Random denial
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-02-2015 07:33 AM
What would cause traffic that is allowed through one rule to be denied by a rule below it. Shouldn't it just go through the rule allowing it and not even go any further.
Odder even still is that traffic is not always denied sometimes it does pass through the rule it is allowed.
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-02-2015 01:34 PM - edited 09-02-2015 01:35 PM
Hi,
denied one is UDP to 146 and also from port 8070 to port 8070 while allowed one is to different IP and from different port and it is TCP, last but not the least (why?) on the denied one there is no destination interface (are you missing the route for this IP address from the firewall?)
So, check your custom service8070 does it include both udp and tcp ports, and check if you can ping that IP address from the IP that is on the ethernet1/15.237 (ping source _ip_from_1/15.237_ host 136.176.237.146) or do "show routing route" to check routes to that ip....
Rgds
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-02-2015 10:18 AM - edited 09-02-2015 10:20 AM
Hi Jprovine,
In my experience so far, such things will happen most often when there is a change to AppID or less often when there is an issue with UserID. Does your traffic suddenly change to other policy or it sometimes misses expected policy? Can you share details of what is evaluated in the policy? If your first policy that is missed sometimes is set for "any" app, could it be that you have UserID active and your users sometimes come from wired sometimes from wireless network, and one of them doesn't have UserID mapping?
If you'd describe policy that is missed (what are you evaluating) it'd be easier to guess...
Best regards
Luciano
p.s. sorry for coming off so wrong in the other thread, that was certainly not my intention, I didn't re-read what I wrote and adjust my tone once I typed out the response. Apologies for that.
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-02-2015 11:29 AM
Apology accepted, let me gather some details for you and some screenshots
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-02-2015 12:05 PM
I have attached the following
The first pic shows that tcp8070 is being denying access fomr 192.152.126 to 136.175.237.201
The second pic show the rule that allows that same traffic
- Mark as New
- Subscribe to RSS Feed
- Permalink
09-02-2015 12:14 PM
Hi,
I think you uploaded the same allow pic twice, it is the same timestamps and session ID. Also, I would rather see the sec. policy that does not match sometimes, and just crop around it, no need for the rest of the screen. Maybe remove previous pics as they show some info on your network and we don't need them here for the troubleshooting 🙂
Rgds.
- Not recognizing standard ports like smtp. Instead showing as Not-Applicable and blocking in General Topics
- GPVPN on laptop only works with phone hotspot and not home wifi in GlobalProtect Discussions
- Configuration / Rule Set Scheduled Export for SOC2 / ISO27001 Audits? in General Topics
- Panorama Scheduled CSV Report Missing Data in Panorama Discussions
- Inactivity logout on missing HIP check after Windows update in GlobalProtect Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
