Kim_Moberg
Advisor

Error while using inline layers

Hi CheckMates,

I hope you are able to assist me. I am going crazy working with inline layers. Therefore I have temporarily moved to the classical rule-based firewall rules.

The errors I see while using inline layers are shown in the SmartEvent indexed log.

I have tried to build a firewall rule using inline layers.

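| id | Source | Destination | Services & App | Action | Track |
|---|---|---|---|---|---|
| 10 | OOB-NETWORK | OOB-NETWORK | any | OOB-internal | n/a |
| 10.1 | any | AAA-Servers | [AAA-Services] | ALLOW | LOG |
| 10.2 | any | any | any | DROP | LOG |
| 11 | ANY | OOB-NETWORK | any | OOB-incoming | n/a |
| 11.1 | any | AAA-Server | RDP, ICMP-REQUEST | ALLOW | LOG |
| 12 | OOB-NETWORK | any | any | OOB-Outgoing | n/a |
| 12.1 | | | | | |
| 12.2 | any | any | any | DROP | LOG |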

 

When I look into the SmartEvent logs:

Sometimes I get a hit on the rule base, let's say 10.1, but other times it says 2.1.

I cannot figure out why it actually tells me it touches rule 10.1 and second line in the layer it drops on 2.1? Where does rule 2.1 come from, because it doesn't exist?

 

I am running VSEC on VM with R81 take 10 and SMS runs R81 Take 10.

Is it a bug when it writes 2.1 or is it me configuring inline layers wrongly?

 

This one is an error.

inline error.png

This one is okay.

inline okay.png

Hope you CheckMates can give me some hints where to look. I expect to contact TAC next week, but maybe you guys have an idea of what is going on.

 

Best Regards
Kim
2 Replies
PhoneBoy
Admin

I’ve seen this happen before and I don’t think it’s a wrong configuration.
What I’m curious about (and maybe @Dan_Zada or others know) is whether the rule number is “calculated” when shown or stored with the log. 
A TAC case is definitely in order.

Kim_Moberg
Advisor

Hi Dameon 

I have created a TAC case and I have already collected logs and a db export and uploaded them to TAC so they could play with the rules.

Best Regards
Kim
0 Kudos