Hi @ccortijo ,

Regarding the DMZ server - although the connection to the server seems to be working, in my humble opinion there is room for improvement:

- It seems your DMZ server security rule is now using "application-default" as the matching service. Unfortunately this will cause issues in your particular case. App-default means the FW will allow the connection only if the application it is detecting corresponds to the TCP port that is being used. From the logs we can see that the FW is identifying the traffic as "ssl"; that is because you are using HTTPS without performing SSL decryption on the firewall. The "ssl" application's default port is 443, but you are using 8080. For that reason the traffic is not matching your DMZ server rule, but it seems to be falling back to the "intrazone-default" rule, which by default is blocking any any. But apparently you have changed it to allow any any.


My recommendation - set the service to tcp/8080 with application "any" for your DMZ security rule. Observe the logs for one or two days and see which applications are detected over this rule. Then you can switch from "any" app to specifying only the apps that you see in the logs. Keep tcp/8080 for the service.


- Regarding the GP - from the traffic logs for port 7000 you can see that the firewall is trying to send the traffic to dest zone DMZ, which means the correct NAT rule is not being applied. This is confirmed by the lack of an increasing hit counter on the NAT rule. For me the GP NAT rule seems correct and it should work; my only guess is that you have a typo in the service object "port-7000". Can you edit the object and confirm it is using TCP and dst port 7000? Can you share the service object config?

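The two changes suggested in the reply above, written out as PAN-OS CLI `set` commands (configure mode) plus the policy-match checks that verify them before a commit. This is an added illustration by the editor, not configuration from the original thread. The zone names (`untrust`, `dmz`), object and rule names (`DMZ-Web-Server`, `DMZ-Web-In`, `port-8080`, `port-7000`, `GP-Portal-NAT`), the narrowed application list `[ ssl web-browsing ]`, and the RFC 5737 addresses are placeholders and must be replaced with the poster's own values.

```text
# ---- 1. DMZ server rule: replace application-default with an explicit tcp/8080 ----

# Service object for the non-standard port (assumed name "port-8080").
set service port-8080 protocol tcp port 8080

# Starting point (assumed): application-default only matches when the detected
# app's standard port equals the port in use. "ssl" defaults to tcp/443, so a
# session on tcp/8080 does not match this rule and falls through to the
# rulebase's default rules.
set rulebase security rules DMZ-Web-In from untrust to dmz source any destination DMZ-Web-Server application any service application-default action allow

# Interim change: pin the port, keep the application open, then watch the
# traffic logs for a day or two to see what is actually detected.
delete rulebase security rules DMZ-Web-In service application-default
set rulebase security rules DMZ-Web-In application any service port-8080

# Final change (after reviewing the logs): keep tcp/8080 as the service and
# restrict the application list to what was observed. "ssl" and
# "web-browsing" are illustrative; use the apps from your own logs.
delete rulebase security rules DMZ-Web-In application any
set rulebase security rules DMZ-Web-In application [ ssl web-browsing ] service port-8080

# ---- 2. GlobalProtect NAT: confirm the service object is tcp/7000 ----

# A udp or wrong-port definition here never matches, and the NAT rule's hit
# counter stays at zero while the traffic is routed on to the DMZ zone.
show service port-7000
set service port-7000 protocol tcp port 7000

# ---- 3. Dry-run the lookups before committing (operational mode) ----

# For destination NAT the "to" zone is the zone of the pre-NAT (public)
# destination address, here assumed to be untrust.
test nat-policy-match from untrust to untrust source 203.0.113.10 destination 198.51.100.1 protocol 6 destination-port 7000

# Should now report DMZ-Web-In rather than a default rule.
test security-policy-match from untrust to dmz source 203.0.113.10 destination 10.10.10.5 protocol 6 destination-port 8080 application ssl
```

Run `show service port-7000` first and compare the protocol and port it prints against what the NAT rule expects; if they already read `tcp` / `7000`, the typo theory is ruled out and the `test nat-policy-match` output (which names the rule that matched, if any) is the next thing to look at.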