02-25-2019 12:33 PM
Hello everyone,
I'm hoping someone can help me understand why a security policy is not applying the way I thought it should. Here's what I have:
I have each of our schools configured on different DHCP scopes. I then created an Address Object using slash notation for each of those DHCP scopes on the PAN. I then created a security policy per address object (per school building) and added the slash-notated address object as the source address.
The question I have is this...shouldn't this security policy apply to EVERY device that grabs an IP address from within the slash-notated network I created and designated as the source address in the security policy no matter if there is a username associated to the device or not?
02-25-2019 05:58 PM
You'd have to actually post the policy to see what the exact issue is. If you utilize 10.10.0.0/16 for example as a source-address that part of the policy will match 10.10.*.*, however depending on the rest of your policy it doesn't mean that every session would match this policy.
02-25-2019 11:11 PM
Hi @GCSS-RT ,
Like @BPry mentioned, it depends on your policy, as all the columns other than action in the security rule are AND conditions; only if everything matches will the security rule be applied. If your rule is not user based (i.e. user any), it will hit this policy provided all other AND conditions are also matched.
02-26-2019 04:49 AM
I think I'm following what you guys are saying. The only settings I have in the policy are as follows:
Source Tab:
trust source zone
IP range as source address
Destination Tab:
untrust destination zone
Actions Tab:
Allow action
appropriate profiles applied under the Profile Settings section
everything else is set to "any" or the default setting.
Does this info help?
02-26-2019 04:56 AM - edited 02-26-2019 05:00 AM
Hi @GCSS-RT ,
As you have granularity only in the IP range, with the rest set to any/default, all your traffic from those IPs travelling through the matched zones will hit the same policy regardless of user.
02-26-2019 04:58 AM
Reset the zone settings to any/default?
02-26-2019 05:04 AM
Hi @GCSS-RT ,
Hope these are just queries; are you facing any issue?
The packet flow in PA will be like this:
So you need to have source and destination zones anyway.
02-26-2019 06:00 AM
Hold the boat there @Abdul_Razaq; I wouldn't recommend someone set up a policy that is just going to allow any traffic, even for testing purposes, as that runs the risk of having very big implications on the rest of their policy base depending on how their firewall is configured.
@GCSS-RT can you share the actual screenshot, cli output, or XML of the entry that you are having a problem with? If the policy is as you stated I would expect any traffic from your source IP Range to the untrust zone to be allowed per this policy. You'd also want to verify that the traffic you expect to be hitting this rule is being sourced from the trust zone and is actually destined to your untrust zone.
02-26-2019 06:44 AM
Here's the CLI output for this security policy. Let me know what else I can supply that might help.
set rulebase security rules "EES Network" from trust
set rulebase security rules "EES Network" to untrust
set rulebase security rules "EES Network" source Network_EES
set rulebase security rules "EES Network" destination any
set rulebase security rules "EES Network" service any
set rulebase security rules "EES Network" application any
set rulebase security rules "EES Network" action allow
set rulebase security rules "EES Network" log-end yes
set rulebase security rules "EES Network" source-user any
set rulebase security rules "EES Network" category any
set rulebase security rules "EES Network" hip-profiles any
set rulebase security rules "EES Network" disabled no
set rulebase security rules "EES Network" log-start yes
set rulebase security rules "EES Network" profile-setting profiles url-filtering EESNetwork-Filtering-Profile
set rulebase security rules "EES Network" profile-setting profiles virus ANTIVIRUS
set rulebase security rules "EES Network" profile-setting profiles spyware SPYWARE
set rulebase security rules "EES Network" profile-setting profiles vulnerability VULNERABILITY
02-26-2019 06:49 AM
@GCSS-RT ,
So I would fully expect that to capture any traffic from trust to untrust for anything within that Network_EES object entry with how you've configured the security policy. If it isn't, here's what I would look at:
1) Does the address object 'Network_EES' actually match what you are expecting? Sometimes you'll believe that the address object should be 192.168.0.0/16 and the person who entered it may have fat fingered the IP address.
2) Looking at the logs that don't hit this security policy, verify that the zones listed are what you expect and the traffic isn't taking an unexpected route.
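As an added illustration (not from the thread or from Palo Alto's own code) of the point made above that every column is ANDed and of check 1), here is a small evaluator that parses the posted set lines and tests a session against them. It assumes a hypothetical value of 10.10.0.0/16 for the Network_EES address object, which the post does not show.

```python
import ipaddress
import shlex

# Sample input constructed from the set lines posted in the thread.
RULE_CLI = """
set rulebase security rules "EES Network" from trust
set rulebase security rules "EES Network" to untrust
set rulebase security rules "EES Network" source Network_EES
set rulebase security rules "EES Network" destination any
set rulebase security rules "EES Network" source-user any
set rulebase security rules "EES Network" action allow
"""
# Hypothetical address object; the real value is exactly what check 1) says to verify.
ADDRESS_OBJECTS = {"Network_EES": "10.10.0.0/16"}

def parse_rule(cli):
    """Collect each 'set rulebase security rules <name> <field> <value...>' into a dict."""
    rule = {}
    for line in cli.strip().splitlines():
        tokens = shlex.split(line)  # keeps the quoted rule name as one token
        if tokens[:4] != ["set", "rulebase", "security", "rules"]:
            continue
        rule[tokens[5]] = " ".join(tokens[6:])
    return rule

def field_matches(rule_value, session_value, objects):
    """'any' matches everything; a named object resolves to a CIDR; else compare literally."""
    if rule_value == "any":
        return True
    if rule_value in objects:
        return ipaddress.ip_address(session_value) in ipaddress.ip_network(objects[rule_value])
    return rule_value == session_value

def rule_matches(rule, session, objects=ADDRESS_OBJECTS):
    """Every column is ANDed: one non-matching column means the session does not hit the rule."""
    checks = [
        ("from", session["src_zone"]),
        ("to", session["dst_zone"]),
        ("source", session["src_ip"]),
        ("destination", session["dst_ip"]),
        ("source-user", session["user"]),
    ]
    return all(field_matches(rule.get(f, "any"), v, objects) for f, v in checks)
```

With source-user left at any, a session with no User-ID mapping still matches as long as zones and source IP line up; changing the zone or the address object's CIDR is enough to miss the rule.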
02-26-2019 06:53 AM
@GCSS-RT And check in the unified log, if the connections are dropped by one of your Security profiles