Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Ivory

App policy set to block but traffic is being allowed on security policy

I have an application policy in place on the firewall which blocks access to several high risk categories (i.e. Suspicious Content).  However, the security policy is taking precedence and the traffic is being allowed.  We are on 80.20

0 Kudos
3 Replies
Highlighted
Admin
Admin

We need to see the exact rules in question, their relation to each other in the policy, and the exact site(s) triggering this behavior.
0 Kudos
Highlighted
Ivory

Will this work?  

Here is the initial block from the web filter:

Id: 0a03052e-761f-0000-5dfa-866c00000000
Marker: @A@@B@1576696140@C@6490869
Log Server Origin: 10.2.12.50
Time: 2019-12-18T20:05:00Z
Id Generated By Indexer:false
First: false
Sequencenum: 75
Hll Key: 13894217393124229218
Duration: 300
Last Update Time: 2019-12-18T20:05:04Z
Update Count: 3
Creation Time: 2019-12-18T20:05:00Z
Connections: 4
Aggregated Log Count: 8
Source: 10.3.47.158
Destination: 23.221.9.238
Destination Port: 443
IP Protocol: 6
Protocol: HTTPS
Sig Id: 7
Service ID: cp_tcp_A936BBAC_EBC3_4F18_B3CC_A63365F07477
Source Zone: Internal
Destination Zone: External
Application ID: 3100820741
Packets: 60
Total Bytes: 2224
Client Inbound Packets: 12
Client Outbound Packets:48
Server Inbound Packets: 24
Server Outbound Packets:40
Client Inbound Bytes: 1216
Client Outbound Bytes: 1008
Server Inbound Bytes: 23232
Server Outbound Bytes: 1856
Last Update Time: 2019-12-18T20:10:00Z
Action: Reject
Type: Session
Policy Name: GX-FW01_Policy
Db Tag: {167C80ED-A097-A844-B4C9-AA543627EBB6}
Policy Date: 2019-12-03T15:48:12Z
Blade: URL Filtering
Origin: GX-FW01
Service: TCP/443
Product Family: Access
Sent Bytes: 1856
Received Bytes: 1008
Logid: 352
Application Name: voicefive.com
Primary Category: Suspicious Content
Matched Category: Suspicious Content
Additional Categories: Suspicious Content,Computers / Internet,High Risk,URL Filtering
Application Risk: High
Browse Time: 0
Access Rule Name: GX Block Suspicious URLs
Access Rule Number: 5
Policy Rule UID: ee18b6ff-fe05-419d-80ce-79e4470cd4c5
Layer Name: GX-FW01_Policy Application
Description: https Traffic Rejected from 10.3.47.158 to voicefive.com(23.221.9.238)
Bytes (sent\received): 2.2 KB (1.8 KB \ 1008 B)

 

And the subsequent allow from the FW/Security policy:

Id: 0a03052e-0000-00c0-5dfa-866b0000011a
Marker: @A@@B@1576696140@C@5935447
Log Server Origin: 10.2.12.50
Time: 2019-12-18T20:05:04Z
Id Generated By Indexer: false
First: false
Sequencenum: 326
Source Zone: Internal
Destination Zone: External
Service ID: https
Source: 10.3.47.158
Source Port: 60733
Destination: 23.221.9.238
Destination Port: 443
IP Protocol: 6
Xlate (NAT) Source IP: 162.247.248.249
Xlate (NAT) Source Port: 15083
Xlate (NAT) Destination Port:0
NAT Rule Number: 132
NAT Additional Rule Number: 1
Start Time: 2019-12-18T20:04:59Z
Segment Time: 2019-12-18T20:04:59Z
Elapsed: 00:00:01
Packets: 8
Total Bytes: 264
Client Inbound Packets: 4
Client Outbound Packets: 4
Server Inbound Packets: 2
Server Outbound Packets: 8
Client Inbound Bytes: 172
Client Outbound Bytes: 92
Server Inbound Bytes: 92
Server Outbound Bytes: 172
Pos: 7
Nsons: 0
P Dport: 0
Context Num: 4294967295
Last Update Time: 2019-12-18T20:05:04Z
Action: Accept
Type: Connection
Policy Name: GX-FW01_Policy
Db Tag: {167C80ED-A097-A844-B4C9-AA543627EBB6}
Policy Date: 2019-12-03T15:48:12Z
Blade: Firewall
Origin: GX-FW01
Service: TCP/443
Product Family: Access
Sent Bytes: 172
Received Bytes: 92
Logid: 6
Access Rule Name: Outbound User Access from GX
Access Rule Number: 97
Policy Rule UID: 1550c842-1faa-472a-b5e6-89de8299e395
Layer Name: GX-FW01_Policy Security
Description: https Traffic Accepted from 10.3.47.158 to 23.221.9.238
Bytes (sent\received): 264 B (172 B \ 92 B)

0 Kudos
Highlighted
Admin
Admin

This tells me what the rule numbers are and that the one accepting the traffic is after the one that blocks it.
It doesn't tell me what the contents of the actual rules are.
I suspect you'll need to take a capture of the relevant traffic and open a TAC case.
0 Kudos