styrian
New Member
July 27, 2016
Question

How is Internet access if there is no allow policy

  • July 27, 2016
  • 1 reply
  • 4591 views

On the firewall policy for 100D

I am currently seeing allow rules for

1) Allow DMZ to Internet

2) Allow DMZ to Local LAN

Implicit deny all is in place.


Endpoint users are currently able to connect to the Internet through the firewall (verified through tracert and the router outside the firewall was found)

If there is no Local LAN to Internet rule, how is it possible for users to connect to Internet?

    1 reply

    emnoc
    New Member
    July 27, 2016

    The diag debug flow is your friend.

    e.g.

    diag debug reset
    diag debug enable
    diag debug flow filter addr x.x.x.x
    diag debug flow show console enable
    diag debug flow trace start 100

    Generate traffic to host x.x.x.x and monitor the diag output. Alternatively, you can use diag system session filter src x.x.x.x and diag system session list to see the session table and the policy-id.

    e.g.

    diag sys session filter src 1.1.1.1
    diag sys session list | grep policy

    Follow up on completion with a diag debug reset and diag debug disable.
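    A way to run the session-table check emnoc describes against a pasted dump instead of live on the box, as an added example that is not part of this thread: it parses constructed `diag sys session list` output, groups sessions by the policy_id that matched them, and flags LAN-sourced sessions that were not matched by either of the two policies listed in the question. The addresses, subnets and policy ids below are constructed, not taken from the poster's firewall.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of "diag sys session list" output (not a real capture),
# trimmed to the lines the parser needs. Assumed layout: DMZ = 192.168.10.0/24,
# local LAN = 10.0.0.0/24, policy 1 = DMZ->Internet, policy 2 = DMZ->LAN.
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=5 expire=3594 timeout=3600 use=3
hook=post dir=org act=snat 192.168.10.20:51234->93.184.216.34:443(203.0.113.2:51234)
hook=pre dir=reply act=dnat 93.184.216.34:443->203.0.113.2:51234(192.168.10.20:51234)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=9 expire=3591 timeout=3600 use=3
hook=pre dir=org act=noop 192.168.10.50:44000->10.0.0.7:445(10.0.0.7:445)
hook=post dir=reply act=noop 10.0.0.7:445->192.168.10.50:44000(192.168.10.50:44000)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=01 duration=2 expire=178 timeout=180 use=3
hook=post dir=org act=snat 10.0.0.5:40000->93.184.216.34:53(203.0.113.2:40000)
hook=pre dir=reply act=dnat 93.184.216.34:53->203.0.113.2:40000(10.0.0.5:40000)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
"""

# Original-direction tuple: "dir=org act=<x> <src>:<port>-><dst>:<port>(...)"
ORG_RE = re.compile(r"dir=org act=\S+ ([\d.]+):\d+->([\d.]+):\d+")
POLICY_RE = re.compile(r"\bpolicy_id=(\d+)")


def parse_sessions(text):
    """Return a list of (src_ip, dst_ip, policy_id) for each session record."""
    sessions = []
    src = dst = None
    for line in text.splitlines():
        if line.startswith("session info:"):   # start of a new record
            src = dst = None
        m = ORG_RE.search(line)
        if m:
            src, dst = m.group(1), m.group(2)
        m = POLICY_RE.search(line)
        if m and src is not None:               # policy line closes the record
            sessions.append((src, dst, int(m.group(1))))
    return sessions


def audit(text, lan_net, expected_policies):
    """Group sessions by policy id; flag LAN-sourced ones hit by an unlisted policy."""
    by_policy = defaultdict(list)
    unexpected = []
    lan = ip_network(lan_net)
    for src, dst, pid in parse_sessions(text):
        by_policy[pid].append((src, dst))
        if ip_address(src) in lan and pid not in expected_policies:
            unexpected.append((src, dst, pid))
    return dict(by_policy), unexpected
```

    Any session in the flagged list gives you the policy id to look up in the config, which answers the "how is this traffic getting out" question without needing the debug flow run on the client's box.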


    styrian (Author)
    New Member
    July 28, 2016

    I am reviewing the firewall config remotely and am not able to have the client run the debug commands. In my experience, rules come in pairs, an incoming (e.g. port1-port2) and an outgoing (e.g. port2-port1).


    In the current rule sets, I am seeing only one side being configured.

    1) Allow DMZ to Internet

    2) Allow DMZ to Local LAN

    There haven't been any problems, so I'm assuming the firewall is working as intended, but I'm wondering how this can be. Is there something I should be looking at instead of the firewall policies?