Gateways are running R81.10 with Jumbo 7x-something.
I have a setup with some very old, legacy H.323 devices that stop working if the word 'inspection' is even mentioned.
So the rule allowing the H.323 server access to the clients just allows tcp-high-ports, like this.
Everything works, and traffic on e.g. port 1720 (H323) is tcp-high-ports in the log.
As part of housekeeping of the rulebase, an inline layer was created, where the top rule covers traffic from east to west. The H323 servers are part of east and the H323 clients are part of west, so we moved the original rule into the layer, and it looks like this:
Traffic from the servers to the clients now hits this inline rule 8.1, but the H323 devices stopped working.
In the log I could see that traffic on port 1720 was no longer tcp-high-ports but H323, which means it is being inspected (the log even said that it was h245 signalling). Then we moved rule 8.1 outside the layer again, and the devices worked again.
Now the question: how come this traffic is being inspected when the rule is inside the layer, and not inspected when it is outside a layer? In the log, port 1720 was matched to H323, not even H323_any, which could partly be explained by the 'Any' in the top layer.