Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Muazzam
Contributor
Contributor

No change in firewall policy upon re-ordering NAT rules.

Hardware: 23500
Version: R81.10 Take 66 (both Gateway and Mgmt)

Summary: NAT rules were re-ordered. There was a hide NAT rule that is moved under 4 static NAT rules. No other changes made to the policy. Publish and push the policy. Found out that the firewall is using the old order of NAT rules. FW stat shows the correct time of policy push that was completed without any errors or warnings. The "rules.C' was showing the last modified date of the previous install not the last install (after re-ordering). Note that all ojects used in all the related NAT rules are local objects, not Global.

It was decided to disable all the relevant static and hide NAT rules (total of 5 rules), re-create the new rules above the disabled rules. After the policy is pushed, the correct order of rules took place and the rules.C file shows the last modified date.

Question is - why in first place a new policy not compiled or what causes where the new set of rules were ignored. Does the rule re-ordering warrant a new policy? Anyone else has similar experience, please share.

 

0 Kudos
4 Replies
Lloyd_Braun
Collaborator

Are you sure that a new connection was established after the NAT policy was updated?  I had a NAT rule that seemed 'stuck' when I changed the NAT on a GRE connection.  Ended up having to 'fw tab -x' delete it from the fw connections table to get the connection to match the updated NAT rule. 

0 Kudos
Muazzam
Contributor
Contributor

Yes, we have a new traffic that uses the old set of rules.

Also, on the first re-order of NAT rules (where we have no update to policy), we searched some of the NAT rules UID's and they were not found in the "rules.C" file. After the second change (disable and re-create) the rules.C file get updated and I see all the new UID's in the file.

 

the_rock
Legend
Legend

Sounds like it might be worth a TAC case.

Andy

0 Kudos
Muazzam
Contributor
Contributor

TAC case already opened and under investigation. I was wondering if anyone has the same experience.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events