I have a new policy that I pushed yesterday that was a total failure and any help you can offer would be appreciated.
We have a policy that looks like this:
Source <Internal IP addresses>
Destination <Negate Region US>
Application <unknown-tcp, unknown-udp>
However, it is catching and DENYing all unknown-tcp and unknown-udp regardless of Destination Country. We have some internal applications used by our customers that this blocks as I haven't been able to classify all applications we use in house as of yet.
This logic seems like it should be working, am I doing something wrong?
Honestly it's frustrating to even make suggestions here because you won't even just try some of the suggestions. Do the 'show location ip' command and let us see what the PA thinks the destination country is. Try tossing in the "policy sprawl" rule just to see if it works.
If you won't at least just try some things to see if they make a difference or reveal the problem, then there's no point in asking for help, right?
If it is internal space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) it will not be seen as the United States. The location is seen as "Reserved", as seen by the command given by egearhart.
If the destination address is an IPv6 address, it may not yet be supported.
When you look at the traffic logs for that traffic, how many packets are seen in the c2s and s2c flows? You can also check the session id (CLI command: show session id 123456) that is present in the logs to see what application it is identified as and which rule it is hitting.
Hope this helps,
I apologize as apparently I was not being clear enough.
In the traffic logs, this rule is blocking ALL unknown-tcp and udp traffic, even the traffic that has a Destination Country of US.
Here is my rule with the non-public bits removed in set notation. It is in our security post-rules for our Internet traffic.
"Block unknown to non-US" from any
"Block unknown to non-US" to any
"Block unknown to non-US" source "<Internal Private Address Space>"
"Block unknown to non-US" destination US
"Block unknown to non-US" source-user any
"Block unknown to non-US" category any
"Block unknown to non-US" application unknown-tcp
"Block unknown to non-US" application unknown-udp
"Block unknown to non-US" service any
"Block unknown to non-US" hip-profiles any
"Block unknown to non-US" negate-source no
"Block unknown to non-US" negate-destination yes
"Block unknown to non-US" action deny
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!