Locally managed.

It's a classical network setup, LAN to WAN (IPv4 public IP directly on the FW) and S2S/RA blades. S2S keeps working, outbound traffic works, inbound RA doesn't as well as inbound DMZ.

Each time in the logs of the firewall, as well as the CLI debug, all incoming traffic except S2S is dropped by Blocked by implied rule 0. Since I can't open an SR in the short term because of the renewal process, I'm thinking of factory default the appliance since everything else has been checked but all incoming traffic except S2S. 

The closest I found was sk168516 but the scenario is different, it's R81.10.05 and not R80.20.X and the incoming traffic isn't blocked by the cleanup but by the implied rule.

The CLI debugs aren't usually that brief - implied rule 0 could be anti-spoofing but equally other things for which there are generally hints in the output.

I don't get much more than that, the line repeats for any incoming traffic.

@;2933810;[cpu_9];[fw4_9];fw_log_drop_ex: Packet proto=6 <SRC IP>:57302 -> <PUBLIC FW IP>:80 dropped by fw_send_log_drop Reason: Rulebase drop - rule 0 (Internal);

Thanks Chris, for some reasons every single object was present in that group even though the customer told me they never modified that group. On top of that, debugs don't point to the group as a cause of blocked traffic and its content doesn't appear under the blocked items list.

In any case, the issue is solved.

Good job! @Chris_Atkinson to the rescue 🙌. Im so glad @PhoneBoy provided me info on how to set up quick SMB spark demo thats good for 4 hours, so I also learned lots about some features of those appliances I never knew existed.

Thanks again everyone!

Glad it's resolved.

My next thought (specifically if 80/443 were the predominant affected services) was going to be to check if there was a NAT conflict with the Web UI or VPN visitor mode device "Advanced' settings e.g.

VPN Remote Access - Remote Access port

VPN Remote Access - Reserve port 443 for port forwarding

Traffic targeting the gateway external IP is a special case in some instances further to the above. See also: sk165937 / sk105740 / sk65028

The NAT is done by policy and not server objects as the DMZ entries are custom ports, the policy is in Strict mode. The fact that S2S still works but not RA/Incoming NAT after a year points to internal FW logic from my point of view, but debugs and logs don't give anymore information than this rule 0.

@Chris_Atkinson There were a couple of reported infected hosts which have been blocked, taken offline then removed from the list. In any case, they were inside and not outside. Inside traffic to outside works without issue.

@the_rock I wonder if you might be onto something. I saw that post during my search for a solution but the SK referred to older releases and hardware. Now I remember there were a few issues with the FTW out of the box (R80.20.05 if I remember correctly), it finally went through and then I'd upgrade the FW. Maybe a recent change triggered that behaviour. At that point and still unable to open an SR for that account, that might be my last option before a factory reset.

By any chance you can temporary change the firewall policy mode back to [Standard] to see if the issue resolves?
If so, you may need to involve TAC regarding the behavior with strict mode. Btw, I think we had a similar case on 700s in the past using strict mode...

I think what @Chris_Atkinson was referring to is below. I honestly dont think this needs factory reset, its probably some minor setting we are missing here.

Andy

Opening SR# with TAC should not be an issue !