sfernando
Staff
June 13, 2025

Technical Tip : Things to check when a VDOM is converted from policy based to profile based

Description
This article describes the items that must be verified when a VDOM in FortiGate is converted from policy-based to profile-based.

Scope
FortiGate, VDOM, Profile-based.

Solution

When a VDOM is changed from policy-based to profile-based mode, certain issues can occur, especially with traffic destined to loopback interfaces.

In such instances, review the following configurations and make sure they are correctly configured.
  1. Loopback Interface Configuration.

Ensure the loopback interface still has the correct IP address and is enabled.
Confirm that ping, HTTPS, and SSH are allowed on the loopback interface.

  2. Firewall Policies.

In profile-based mode, it is required to configure explicit firewall policies for traffic to reach the loopback interface.
Create a policy from the WAN interface to the loopback interface allowing the necessary services (ping, HTTPS, SSH).

  3. Routing.

Ensure there is a route back to the source IPs trying to access the loopback.
If the loopback IP is public, make sure it’s advertised properly or reachable via a static/default route.

  4. VIP or DNAT.

If the public IP is NATed to the loopback, ensure the VIP (Virtual IP) or DNAT rules are still in place and correctly mapped.

  5. Security Profiles.

In profile-based mode, security profiles (like IPS, AV, etc.) can block traffic if misconfigured.
Temporarily disable profiles in the policy to test if they are causing the issue.

  6. Session Helper or Local-In Policies.

Check if any local-in policies are blocking access to the loopback.

  7. NAT Settings.

If NAT is enabled in the policy, ensure it’s not overriding the destination IP or causing asymmetric routing.
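As an added example (not from the original article), the following FortiOS CLI fragment ties checks 1, 2, 3 and 7 together for one VDOM. The VDOM name "vd1", interface names "wan1" and "lo-mgmt", the address object "lo-mgmt-addr", and the 203.0.113.0/24 addresses are all assumed values constructed for illustration.

```fortios
# 1. Loopback interface: correct IP, enabled, and management access allowed.
#    Interfaces are defined in the global context (assumed names/IPs).
config global
    config system interface
        edit "lo-mgmt"
            set vdom "vd1"
            set type loopback
            set ip 203.0.113.10 255.255.255.255
            set allowaccess ping https ssh
            set status up
        next
    end
end

config vdom
    edit "vd1"
        # Address object for the loopback IP, used as the policy destination.
        config firewall address
            edit "lo-mgmt-addr"
                set subnet 203.0.113.10 255.255.255.255
            next
        end
        # 2. Explicit WAN -> loopback policy required in profile-based mode.
        # 7. NAT left disabled so the destination IP is not rewritten.
        config firewall policy
            edit 0
                set name "wan-to-loopback-mgmt"
                set srcintf "wan1"
                set dstintf "lo-mgmt"
                set srcaddr "all"
                set dstaddr "lo-mgmt-addr"
                set action accept
                set schedule "always"
                set service "PING" "HTTPS" "SSH"
                set nat disable
            next
        end
        # 3. Return route toward the sources reaching the loopback
        #    (assumed WAN next hop 203.0.113.1).
        config router static
            edit 0
                set dst 0.0.0.0 0.0.0.0
                set gateway 203.0.113.1
                set device "wan1"
            next
        end
    next
end
```

For check 6, `show firewall local-in-policy` inside the VDOM lists any local-in policies that could still deny traffic to the loopback after the policies above are in place.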