Security Policy Application


L2 Linker

Hello everyone,

I'm hoping someone can help me understand why a security policy is not applying the way I thought it should. Here's what I have:


I have each of our schools configured on different DHCP scopes. I then created an Address Object using slash notation for each of those DHCP scopes on the PAN. I then created a security policy per address object (per school building) and added the slash-notated address object as the source address. 


The question I have is this...shouldn't this security policy apply to EVERY device that grabs an IP address from within the slash-notated network I created and designated as the source address in the security policy no matter if there is a username associated to the device or not?


Cyber Elite

@GCSS-RT 

You'd have to actually post the policy to see what the exact issue is. If you utilize 10.10.0.0/16 for example as a source-address that part of the policy will match 10.10.*.*, however depending on the rest of your policy it doesn't mean that every session would match this policy. 

L4 Transporter

Hi @GCSS-RT ,


Like @BPry mentioned, it depends on your policy, as all the columns other than action in the security rule are AND conditions; only if everything matches will the security rule be applied. If your rule is not user based (i.e. user any), it will hit this policy provided all other AND conditions are also matched.

L2 Linker

I think I'm following what you guys are saying. The only settings I have in the policy are as follows:


Source Tab:

trust source zone

IP range as source address


Destination Tab:

untrust destination zone


Actions Tab:

Allow action

appropriate profiles applied under the Profile Settings section


everything else is set to "any" or the default setting.


Does this info help?

Hi @GCSS-RT ,


As you have granularity only in the IP range, with the rest set to any/default, all your traffic from those IPs travelling through the matched zones will hit the same policy regardless of user.

Reset the zone settings to any/default?

Hi @GCSS-RT ,


Hope these are just queries; are you facing any issue?

The packet flow in PA will be like:

  • initial packet processing: the source IP/user info, then the destination zone via PBF/forwarding,
  • then the NAT policy is evaluated (not applied),
  • then it checks the security policy.

So you need to have source and destination zones anyway.

Hold the boat there @Abdul_Razaq; I wouldn't recommend someone setup a policy that is just going to allow any traffic even for testing purposes as that runs the risk of having very big implications on the rest of their policy base depending on how their firewall is configured. 

@GCSS-RT can you share the actual screenshot, cli output, or XML of the entry that you are having a problem with? If the policy is as you stated I would expect any traffic from your source IP Range to the untrust zone to be allowed per this policy. You'd also want to verify that the traffic you expect to be hitting this rule is being sourced from the trust zone and is actually destined to your untrust zone. 

L2 Linker

Here's the CLI output for this security policy. Let me know what else I can supply that might help.


set rulebase security rules "EES Network" from trust
set rulebase security rules "EES Network" to untrust
set rulebase security rules "EES Network" source Network_EES
set rulebase security rules "EES Network" destination any
set rulebase security rules "EES Network" service any
set rulebase security rules "EES Network" application any
set rulebase security rules "EES Network" action allow
set rulebase security rules "EES Network" log-end yes
set rulebase security rules "EES Network" source-user any
set rulebase security rules "EES Network" category any
set rulebase security rules "EES Network" hip-profiles any
set rulebase security rules "EES Network" disabled no
set rulebase security rules "EES Network" log-start yes
set rulebase security rules "EES Network" profile-setting profiles url-filtering EESNetwork-Filtering-Profile
set rulebase security rules "EES Network" profile-setting profiles virus ANTIVIRUS
set rulebase security rules "EES Network" profile-setting profiles spyware SPYWARE
set rulebase security rules "EES Network" profile-setting profiles vulnerability VULNERABILITY

@GCSS-RT ,

So I would fully expect that to capture any traffic from trust to untrust for anything within that Network_EES object entry with how you've configured the security policy. If it isn't, here's what I would look at:

1) Does the address object 'Network_EES' actually match what you are expecting. Sometimes you'll believe that the address object should be 192.168.0.0/16 and the person who entered it may have fat fingered the IP address. 

2) Looking at the logs that don't hit this security policy, verify that the zones listed are what you expect and the traffic isn't taking an unexpected route. 
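To illustrate the AND matching the replies above describe, here is an added example (not from the thread, and not Palo Alto Networks code) that parses the rule's CLI lines and evaluates a few constructed sessions against it; the value 10.10.0.0/16 for Network_EES is an assumption, since the thread never shows what the address object resolves to.

```python
import ipaddress
import shlex

# Constructed: the match-relevant lines of the CLI output posted above.
RULE_CLI = """\
set rulebase security rules "EES Network" from trust
set rulebase security rules "EES Network" to untrust
set rulebase security rules "EES Network" source Network_EES
set rulebase security rules "EES Network" destination any
set rulebase security rules "EES Network" service any
set rulebase security rules "EES Network" application any
set rulebase security rules "EES Network" action allow
set rulebase security rules "EES Network" source-user any
"""
# Assumed value; the thread never shows what Network_EES contains.
ADDRESS_OBJECTS = {"Network_EES": "10.10.0.0/16"}

def parse_rule(cli_text):
    """Turn 'set rulebase security rules "<name>" <field> <value...>' lines into a dict."""
    rule = {}
    for line in cli_text.splitlines():
        toks = shlex.split(line)  # shlex keeps the quoted rule name as one token
        if len(toks) < 7 or toks[:4] != ["set", "rulebase", "security", "rules"]:
            continue
        rule["name"] = toks[4]
        rule[toks[5]] = toks[6:]
    return rule

def matches(rule, session, address_objects):
    """Every column is ANDed and 'any' matches everything, so a session with
    no User-ID mapping still matches when source-user is any."""
    for field, value in (("from", session["from_zone"]), ("to", session["to_zone"]),
                         ("source-user", session.get("user")), ("application", session["app"])):
        allowed = rule.get(field, ["any"])
        if "any" not in allowed and value not in allowed:
            return False
    src = ipaddress.ip_address(session["src_ip"])
    for name in rule.get("source", ["any"]):
        if name == "any" or src in ipaddress.ip_network(address_objects[name]):
            return True
    return False

# Constructed sessions: same source range with and without a user, a wrong ingress zone,
# and an address outside the range.
SESSIONS = {
    "no_user": dict(from_zone="trust", to_zone="untrust", src_ip="10.10.5.23", app="web-browsing"),
    "with_user": dict(from_zone="trust", to_zone="untrust", src_ip="10.10.5.23", app="ssl", user="jdoe"),
    "wrong_zone": dict(from_zone="dmz", to_zone="untrust", src_ip="10.10.5.23", app="ssl"),
    "outside_range": dict(from_zone="trust", to_zone="untrust", src_ip="10.20.5.23", app="ssl"),
}

def evaluate_all():
    rule = parse_rule(RULE_CLI)
    return {label: matches(rule, s, ADDRESS_OBJECTS) for label, s in SESSIONS.items()}
```

Only the two sessions that arrive from trust and sit inside the address object match; the user column plays no part because it is set to any.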

@GCSS-RT And check in the unified log whether the connections are dropped by one of your Security profiles.

Best Regards
Chacko