topic Re: Policy Rule does not work in General Topics

Policy Rule does not work

Roadrunner88 — Wed, 05 Jun 2024 05:24:56 GMT

Hello,

we have a Policy with a Rule allowing traffic to single TCP port: 15672

This rule does not work, I suppose because we have er Service object, TCP-High-Ports (Includes Port range 1024 - 65535), this is shown in the log. So the Policy does not use the Selected TCP Port 15672 but uses this object, which isnt defined in this dedicated rule anbd the traffic is dropped.

How can we fix this?

Re: Policy Rule does not work

G_W_Albrecht — Tue, 04 Jun 2024 12:44:43 GMT

I can neither see the rule nor your rule base - so better open an SR# with CP TAC to get this resolved !

Re: Policy Rule does not work

Roadrunner88 — Tue, 04 Jun 2024 12:57:48 GMT

TCP Port is defined in rule number 32

But Traffic passes on temp any any rule number 38 as service object "tcp-high-ports"

it should pass by rule 32 not 38 already

the blacked parts of the rules are correct, the traffic should go over rule 32.

Re: Policy Rule does not work

Bob_Zimmerman — Tue, 04 Jun 2024 14:24:08 GMT

The service shown in the log doesn't correspond to anything. The actual log entry only has the port number. SmartConsole then takes that port number and tries to resolve it to an object name to be helpful. You can totally ignore the object name shown there.

In your original post, you mention the port at issue is 15600. The service in the rule you have shared is named 15672, implying it matches that port rather than 15600. Which port are you actually trying to match? Are you sure the service object in the rule matches that port? Ignore the name of the service object and only look at the contents.

Re: Policy Rule does not work

the_rock — Tue, 04 Jun 2024 14:34:11 GMT

In your screenshot @Roadrunner88 , it shows name as tcp 15672, NOT 15000, unless you are trying to trick us with the name 🙂

Can you verify what is the actual post number?

Andy

Re: Policy Rule does not work

Roadrunner88 — Wed, 05 Jun 2024 05:28:02 GMT

yes I wanted to anonymise a little bit but doesnt matter, the point is the same...

what do you mean by the post number?

the port is written in rule 32 but the firewall does not use this rule , but uses the any any rule with this high port range.

source and destination in rule 32 is correct.

Re: Policy Rule does not work

Bob_Zimmerman — Wed, 05 Jun 2024 14:01:50 GMT

If the traffic is not matching an access rule, then one of four things is happening. Either:

The source of the traffic is not in the source of the rule
The destination of the traffic is not in the destination of the rule
The service of the traffic is not in the service of the rule
The rule is not on the firewall in question

One of those four items is the cause 99.999% of the time traffic doesn't match an access rule someone expects. Check the values of the objects in the rule, not the names. Make sure the firewall is in the "Install On" column, or that column is set to Policy Targets and the policy's installation targets includes the firewall. Make sure the policy has been pushed.

Re: Policy Rule does not work

the_rock — Wed, 05 Jun 2024 14:03:06 GMT

I meant port number, what is the post number in that service?

Andy

Re: Policy Rule does not work

the_rock — Wed, 05 Jun 2024 14:03:31 GMT

Valid points, but sometimes even with those conditions, rule might not get matched.