TCP Port is defined in rule number 32

But Traffic passes on temp any any rule number 38 as service object "tcp-high-ports" 

 

it should pass by rule 32 not 38 already

the blacked parts of the rules are correct, the traffic should go over rule 32. 

The service shown in the log doesn't correspond to anything. The actual log entry only has the port number. SmartConsole then takes that port number and tries to resolve it to an object name to be helpful. You can totally ignore the object name shown there.

In your original post, you mention the port at issue is 15600. The service in the rule you have shared is named 15672, implying it matches that port rather than 15600. Which port are you actually trying to match? Are you sure the service object in the rule matches that port? Ignore the name of the service object and only look at the contents.

yes I wanted to anonymise a little bit but doesnt matter, the point is the same...

what do you mean by the post number?


the port is written in rule 32 but the firewall does not use this rule , but uses the any any rule with this high port range.

source and destination in rule 32 is correct.

If the traffic is not matching an access rule, then one of four things is happening. Either:

1. The source of the traffic is not in the source of the rule
2. The destination of the traffic is not in the destination of the rule
3. The service of the traffic is not in the service of the rule
4. The rule is not on the firewall in question

One of those four items is the cause 99.999% of the time traffic doesn't match an access rule someone expects. Check the values of the objects in the rule, not the names. Make sure the firewall is in the "Install On" column, or that column is set to Policy Targets and the policy's installation targets includes the firewall. Make sure the policy has been pushed.

Valid points, but sometimes even with those conditions, rule might not get matched.

I meant port number, what is the post number in that service?

Andy