We have created interzone rule looks like below
<member>A</member> <member>B</member> <member>c</member>
the rule is triggering perfectly but it's showing aged out and in application field it showing insufficient-data custumer saying he is not getting respone can anyboady help how to solve this??
and i have checked ping from FW CLI to detination in above rule it's successfull and getting response but still in firewall it's showing aged out????? is this someting PAN needs to worry about??
To make the rule truly interzone you'd need to set the type to interzone also:
The rule itself looks ok, but the behavior you're reporting sounds like there might be a network issue. if you look into the details of the traffic logs, can you see packets reported in both directions ?
insufficient data is usually reported when there is asymmetric flow which ping will not report as request and reply are independent, but will impact TCP severely
You can set up packetcaptures to make sure packets are going out and being received as expected. Some more details like traffic log and a topology could be helpful too
Hi thanks for the response,
yeah we have included that interzone rule but forgot to mention here.
we checked PCAP also but found that no response and traffic details also bytes received is showing 0.
if packets are leaving the firewall as expected but none are returning, the next step is to go check at the remote end if packets are being received properly and where the reply is going
is the source IP part of a NAT policy, does the host have a route for it, does the next hop router have proper routing for it etc
You can perform PCAPs on the firewall in 4 different stages :
The transmit stage is what the firewall sends out.
Check the following article on how to configure PCAPs :
Hope it helps,
a good indication is if the traffic log contains a 'packet sent' count. you should be able to use thelog details to ascertain if NAT is being applied by looking at the 'NAT Source IP' column
for some more info regarding packetcaptures (these will also help identify 'sent' and 'received' packets), please check out this article: Getting Started: Packet Capture
the SYN packet goes out and then an ACK needs to come back, if the ACK is never returned the session will timeout waiting for reply
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!