Arne_Boettger
Collaborator

Mapping Rule numbers from R80.20 to fwaccel stat output

Hello,

we have VSX Gateways with R77.30 managed by R80.20. On one VS, acceleration is disabled according to fwaccel stat.

Accelerator Status : on
Accept Templates   : disabled by Firewall
                     disabled from rule #112
Drop Templates     : enabled
NAT Templates      : disabled by user

However, we see no reason for this in rule 1.112, and even moved this rule. The status did not change, neither did the rule number disabling acceleration. We found sk62323, and the note regarding R80 to add/subtract one from the rule number. But the surrounding rules also don't look like they could disable acceleration.

How can we map the Rule number from R80.20 Policy to the gateway?

Regards, Arne


Accepted Solutions
PhoneBoy
Admin

I believe you’ll find the relevant files in the backward compatibility directories for R77 (not in $FWDIR/conf).

6 Replies
Danny
Champion

To understand which rule exactly prevents SecureXL from creating Accept Templates:

  1. Open the policy files on Security Management Server / Domain Management Server:
    • $FWDIR/conf/<Security_Policy_Name>.pf
    • $FWDIR/conf/<Security_Policy_Name>.set
  2. Search for '(rule-N', where N is the rule number in the output of 'fwaccel stat'.
  3. Note the 'name' of the calculated rule within policy files.
  4. Search for 'name' within your SmartConsole rulebase (might be a completely different number to the calculated number within the policy files).
Arne_Boettger
Collaborator

Hello,

there is no $FWDIR/conf/<Security_Policy_Name>.pf file. And the $FWDIR/conf/<Security_Policy_Name>.set was not updated since we upgraded the MDS from R77.30 to R80.20:

-rw-rw-r-- 1 admin root   15528060 Nov 28 12:36 Standard.set

So I guess Policy Compilation changed significantly with R80, not leaving this file any more.

Any other hints or ideas?

Danny
Champion

Try $FWDIR/state/local/FW1/local.rule

PhoneBoy
Admin

I believe you’ll find the relevant files in the backward compatibility directories for R77 (not in $FWDIR/conf).

Arne_Boettger
Collaborator

Thank you for the reminder. We did indeed find the file under $R77CMPDIR of the CMA, found that rule #112 was indeed rule #1.112. And seeing the full rule, I realized I had hidden the "time" column in my SmartConsole.

There was a time object limiting validity, and removing this re-enabled acceleration.

Danny
Champion

I'm glad we could help you.
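
The search from steps 1 to 3 above, run against whichever directory holds the compiled policy files (the thread locates them under $R77CMPDIR of the CMA for an R77.30 gateway managed by R80.20), as an added example that is not part of the thread and not Check Point tooling. The function names and the sample file content are constructed for illustration; the thread does not show the real file layout, so only the '(rule-N' token and the presence of a name are taken from it.

```shell
#!/usr/bin/env bash
# Added example: locate compiled rule N in policy files (*.pf, *.set).

# Regex for the literal token "(rule-N" NOT followed by another digit,
# so searching for rule 11 does not also hit "(rule-112".
rule_pattern() { printf '\\(rule-%s([^0-9]|$)' "$1"; }

# find_rule_in_dir N DIR [CONTEXT]
# N is the number exactly as 'fwaccel stat' prints it (112, not 1.112).
# Prints file:line:text for each hit, plus CONTEXT following lines in case
# the rule's 'name' sits on a later line than the '(rule-N' token.
find_rule_in_dir() {
    local n=$1 dir=$2 ctx=${3:-0}
    case $n in
        ''|*[!0-9]*) echo "rule number must be numeric: $n" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -type f \( -name '*.pf' -o -name '*.set' \) \
        -exec grep -HnE -A "$ctx" -- "$(rule_pattern "$n")" {} +
}

# Constructed sample input. This is NOT the real policy file layout; it only
# carries the '(rule-N' token and a made-up name for each rule.
make_sample() {
    local d
    d=$(mktemp -d) || return 1
    cat > "$d/Standard.pf" <<'EOF'
(rule-11 :name (mgmt-access-example))
(rule-112 :name (timed-access-example))
(rule-1120 :name (other-example))
EOF
    printf '%s\n' "$d"
}

# Demo run on the constructed sample; on a real system pass the directory
# that holds the compiled policy instead.
sample_dir=$(make_sample)
find_rule_in_dir 112 "$sample_dir" || echo "rule not found"
rm -rf "$sample_dir"
```

The name found this way is then looked up in SmartConsole with every column visible, since in this thread the cause was a time object in a hidden column.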
