Martin_S_1
Participant

firewall policy rule that specifies a VPN community

If a firewall policy contains a rule that specifies a VPN community that it is not a participating gateway of, does this mean that the rule is redundant? Does it mean that the rule will be ignored even if there is matching traffic you expect to get processed by the rule?

1 Solution

Accepted Solutions
Timothy_Hall
Champion

Yes, the rule will be ignored. When anything other than "Any" is placed in the VPN column it adds an additional matching criterion. Based on the VPN Domains or IP routing into a VTI, in addition to matching the Source/Dest/Service fields, the traffic must be encrypting into a tunnel of that community or decrypting from a tunnel of that community. Traffic going in the clear or going in/out of a different community based on VPN Domains/VTI routing will not match that rule, even if all other rule fields such as Source/Dest/Service are a match.

This condition does not cause a policy verification or validation error. It is a common misconception that the VPN column is used to define what traffic is "interesting" to a VPN in regards to encryption, which is not correct; the VPN Domains/VTI routing process does that.

Watch My 2023 CPX360 Speech Titled "Max Power Reloaded: R81+ Gateway Performance Innovations"

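As an added illustration of the matching logic this answer describes (this is constructed example code, not code from the thread or from Check Point), the following Python model evaluates a rulebase top-down the way the answer explains it: the gateway first decides, purely from VPN-domain membership, which community tunnel a packet would be encrypted into or decrypted from, and a rule whose VPN column names a community is then only considered when that community is the one the packet is actually using. The gateway names, community names, networks and rule names are hypothetical; the behaviour shown is the one stated above, that a rule naming a community the gateway does not participate in is never hit and the traffic falls through to the cleanup rule, and that traffic travelling in the clear likewise skips any rule with a community in its VPN column.

```python
"""Model of how a rule with a VPN community in its VPN column is matched.

Constructed illustration (hypothetical topology and names), not Check Point code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"


@dataclass
class Community:
    name: str
    domains: dict  # gateway name -> tuple of VPN-domain networks (CIDR strings)

    @property
    def members(self):
        return set(self.domains)


@dataclass
class Rule:
    name: str
    src: str      # CIDR or "Any"
    dst: str      # CIDR or "Any"
    service: str  # service name or "Any"
    vpn: str      # community name or "Any"
    action: str


def _in_domain(ip, nets):
    return any(ip in ip_network(n) for n in nets)


def tunnel_community(gateway, src_ip, dst_ip, communities):
    """Name of the community whose tunnel this gateway would encrypt the packet
    into (or decrypt it from), decided only by VPN-domain membership, never by
    the rulebase. None means the packet travels in the clear on this gateway."""
    for c in communities:
        if gateway not in c.members:
            continue  # not a participating gateway: this community is irrelevant
        local = c.domains[gateway]
        peer_nets = [n for g, nets in c.domains.items() if g != gateway for n in nets]
        encrypting = _in_domain(src_ip, local) and _in_domain(dst_ip, peer_nets)
        decrypting = _in_domain(src_ip, peer_nets) and _in_domain(dst_ip, local)
        if encrypting or decrypting:
            return c.name
    return None


def _addr_match(spec, ip):
    return spec == ANY or ip in ip_network(spec)


def first_matching_rule(gateway, rules, communities, src, dst, service):
    """Walk the rulebase top-down and return the name of the first matching rule,
    or 'implicit-cleanup' when nothing matches (the implied drop at the bottom)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    tunnel = tunnel_community(gateway, src_ip, dst_ip, communities)
    for r in rules:
        if not (_addr_match(r.src, src_ip) and _addr_match(r.dst, dst_ip)):
            continue
        if r.service not in (ANY, service):
            continue
        # The VPN column is one more criterion: the packet must be entering or
        # leaving a tunnel of exactly that community on this gateway.
        if r.vpn != ANY and r.vpn != tunnel:
            continue
        return r.name
    return "implicit-cleanup"


# Constructed topology: GW-Branch participates in Community-A only.
COMMUNITIES = (
    Community("Community-A", {"GW-Branch": ("10.1.0.0/16",), "GW-HQ": ("10.2.0.0/16",)}),
    Community("Community-B", {"GW-HQ": ("10.2.0.0/16",), "GW-Partner": ("172.16.0.0/12",)}),
)
CLEANUP = Rule("Cleanup", ANY, ANY, ANY, ANY, "drop")

# Rule as found: names a community GW-Branch is not a member of.
RULES_AS_FOUND = (Rule("Allow-to-HQ", "10.1.0.0/16", "10.2.0.0/16", "https", "Community-B", "accept"), CLEANUP)
# Rule corrected to the community the traffic actually uses.
RULES_FIXED = (Rule("Allow-to-HQ", "10.1.0.0/16", "10.2.0.0/16", "https", "Community-A", "accept"), CLEANUP)
# Rule with a community set, evaluated against traffic that never enters a tunnel.
RULES_CLEAR = (Rule("Allow-web", "10.1.0.0/16", ANY, "https", "Community-A", "accept"), CLEANUP)


def demo():
    """Three scenarios on GW-Branch; returns the rule hit in each."""
    return {
        "as_found": first_matching_rule("GW-Branch", RULES_AS_FOUND, COMMUNITIES, "10.1.5.5", "10.2.7.7", "https"),
        "fixed": first_matching_rule("GW-Branch", RULES_FIXED, COMMUNITIES, "10.1.5.5", "10.2.7.7", "https"),
        "in_clear": first_matching_rule("GW-Branch", RULES_CLEAR, COMMUNITIES, "10.1.5.5", "203.0.113.9", "https"),
    }


if __name__ == "__main__":
    for scenario, hit in demo().items():
        print(f"{scenario}: {hit}")
```

Running it shows the "as_found" and "in_clear" packets landing on the cleanup rule even though Source/Destination/Service match, and only the corrected rule being hit, which is why the symptom in the question looks like a rule that is silently skipped rather than a verification error.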

4 Replies
the_rock
Legend

Can you share a screenshot/example of what exactly you are referring to?

0 Kudos
Martin_S_1
Participant

I can't share a screenshot, but what I'm saying is that I have a firewall rule that is not getting any hits despite the source IP, destination IP and service actually being a match. Instead of hitting this rule, which was created to allow this traffic, the traffic is missing this rule and is instead hitting the clean-up rule at the very bottom of the rule base, and I didn't know why. The rule in question was not created by me, and it has been configured with a particular VPN community inside the VPN field of the rule. However, what I've noticed is that the firewall this policy is for is not a part of the VPN community specified in the VPN field of the rule, and I believe the rule is not getting hit because this firewall is not a participating gateway of this VPN community, the same VPN community listed in the rule.

0 Kudos
the_rock
Legend

I think I get it now, makes sense. Yes, I believe what you assumed is indeed correct. IF the firewall is NOT part of that VPN community, the rule won't be hit, and if there are no other matches, either it will hit the explicit clean-up rule at the end of the inline layer (if one exists) OR it will hit the implicit clean-up rule at the very bottom. If you can remove the VPN community from that column, chances are the rule will most likely be hit.

Andy

0 Kudos