Roy_Smith
Collaborator

implied rules getting hit and dropping traffic

Hi

Started migrating vlans from an internal Cisco ASA to a new VSX cluster. I am now getting some intermittent reports of applications or servers not connecting as expected. When I look through the logs, I see lots of drops related to an implied rule. This is hit by different sources and destinations and different ports. 

After following sk110218, I am able to see the implied rule name, which is "Implied Rule - enforce_net_quota". The name of this rule seems to indicate I'm hitting some sort of limit but not sure what.

Can anyone tell me what enforce_net_quota refers to please?

Many Thanks
Roy

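Since the thread does not include the actual log lines, here is an added triage script (not from the original post or from Check Point) that groups the drops attributed to the implied rule by source address, so it is easy to see whether one host is tripping the quota against many servers and ports or many hosts are affected. The log lines are constructed for the example, and the key=value field names (action, src, dst, dport, rule_name) are assumptions about the export format, not a documented Check Point schema.

```python
import re
from collections import defaultdict

# Constructed sample of firewall drop logs in a key=value shape.
# These lines are NOT from the thread; field names are assumed.
SAMPLE_LOGS = """\
time=2024-01-10T09:00:01 action=Drop src=10.1.20.15 dst=10.1.30.8 dport=443 rule_name="Implied Rule - enforce_net_quota"
time=2024-01-10T09:00:01 action=Drop src=10.1.20.15 dst=10.1.30.9 dport=445 rule_name="Implied Rule - enforce_net_quota"
time=2024-01-10T09:00:02 action=Drop src=10.1.20.15 dst=10.1.30.8 dport=1433 rule_name="Implied Rule - enforce_net_quota"
time=2024-01-10T09:00:02 action=Accept src=10.1.20.16 dst=10.1.30.8 dport=443 rule_name="Web servers"
time=2024-01-10T09:00:03 action=Drop src=10.1.20.77 dst=10.1.30.20 dport=22 rule_name="Implied Rule - enforce_net_quota"
time=2024-01-10T09:00:03 action=Drop src=10.1.20.99 dst=10.1.30.8 dport=443 rule_name="Cleanup rule"
"""

# key=value pairs; quoted values may contain spaces (e.g. the rule name)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def summarize_implied_drops(log_text, rule_substring="enforce_net_quota"):
    """Collect drops whose rule name contains rule_substring, keyed by source.
    Returns {src: {"drops": n, "destinations": set, "ports": set}} so a single
    source hitting the quota across many servers and ports stands out from
    drops caused by ordinary rulebase matches (which are skipped)."""
    summary = defaultdict(lambda: {"drops": 0, "destinations": set(), "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "Drop" or rule_substring not in rec.get("rule_name", ""):
            continue
        entry = summary[rec["src"]]
        entry["drops"] += 1
        entry["destinations"].add(rec["dst"])
        entry["ports"].add(int(rec["dport"]))
    return dict(summary)

if __name__ == "__main__":
    # Most-affected source first
    ranked = sorted(summarize_implied_drops(SAMPLE_LOGS).items(), key=lambda kv: -kv[1]["drops"])
    for src, info in ranked:
        print(f"{src}: {info['drops']} drops to {len(info['destinations'])} host(s) "
              f"on ports {sorted(info['ports'])}")
```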
5 Replies
Danny
Champion

Try turning off Network Quota and verify if this helps.

the_rock
Legend

Can you send a screencap of it if possible? I checked the sk you mentioned, but it does not sadly seem too useful here. I also saw what @Danny suggested, but can't find that protection even in my R81.20 lab with updated IPS.

Searching the CP support site, I can't find much on it, so it might be worth doing a zdebug to verify if you get the exact same messages. We might be able to figure out from those drops if there is indeed an actual IPS protection causing an issue.

Andy

PhoneBoy
Admin

This is definitely the Network Quota protection, which is inactive by default.
You can do one of two things:

  • Disable it by going to Security Policies > Inspection Settings and setting it to Inactive for the relevant profile
  • Create an exception for the relevant traffic in the protection

Changing this setting requires pushing the Access Policy (not Threat Prevention) since this is a Core Protection handled by the firewall (not IPS).

the_rock
Legend

Ah, inspection setting, that's why I could not find it... duh, silly me. Anyway, let us know @Roy_Smith if what phoneboy suggested works.

Roy_Smith
Collaborator

Guys

It was the Network Quota in Inspections Settings that was being referred to. I set it back to inactive and that solved the issue. 

Thanks for the help
