vincentdekeyzer
New Member
November 13, 2018
Question

Policy not matched

  • November 13, 2018
  • 2 replies
  • 11422 views

Hello,

I have the following policy:

config firewall policy
    edit 56
        set uuid a497a8c0-e751-51e8-a83e-2d7a00d741ce
        set srcintf "NOCSWITCH"
        set dstintf "Interconnect"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

... and yet I get the following message when trying a policy lookup:

Policy lookup matches the implicit deny policy. No explicit policy exists from source interface "NOCSWITCH" to destination interface "Interconnect" as determined by a route lookup to "10.240.0.3"

This does not make sense - or am I missing something obvious?...

Regards,

Vincent

    2 replies

    Dave_Hall
    New Member
    November 13, 2018

    What subnet/mask do you have for "NOCSWITCH"?  In the firewall address section, "all" should have no actual value set for it (e.g. defaulting to wildcard 0.0).
    Edit: Check to see there are no other firewall rules that supersede this rule.  Remember that firewall rules are processed from top-to-bottom.

    vincentdekeyzer
    New Member
    November 13, 2018

    Hi Dave,

    thanks for your message.

    "All" indeed is the default 0.0.0.0/0:

    config firewall address
        edit "all"
            set uuid bcdc519a-68c7-51e4-3bb3-1ae9963b0092
        next
    end

    which includes 10.0.8.11, which is the host from where the dropped traffic comes:

    config system interface
        edit "NOCSWITCH"
            set vdom "root"
            set ip 10.0.8.1 255.255.255.0
            set allowaccess ping https ssh snmp http
            set vlanforward enable
            set type switch
            set role lan
            set snmp-index 26
        next
    end

    I don't think there is a policy above that supersedes this policy, since I get the "Policy lookup matches the implicit deny policy" message. And anyway, there is no other "Deny" policy than the implicit one.

    Keeps being weird, right?... :(

    Vincent

    vincentdekeyzer
    New Member
    November 15, 2018

    OK, I found my mistake: the loopback interface of the firewall had an incorrect mask (10.240.0.2/31), which made it overlap with the 10.240.0.3 that I was trying to reach from 10.0.8.11, and this clearly (and to some extent understandably) confused the firewall.
    I corrected the mask and it now works.
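The root cause Vincent found can be reproduced with a small model of what the policy lookup does: a longest-prefix route lookup on the destination decides the egress interface, and the policy scan then only considers policies whose dstintf equals that interface. The script below is an added example, not code from the thread or from Fortinet. The NOCSWITCH subnet (10.0.8.1/24), the loopback address 10.240.0.2 with its wrong /31 mask, the host 10.0.8.11, the destination 10.240.0.3, the "all" address object and policy 56 are taken from the posts; the Interconnect prefix (10.240.0.0/24), the corrected loopback length (/32) and all function names are assumptions made for the example.

```python
import ipaddress

# Address objects.  "all" is the FortiGate default 0.0.0.0/0, as confirmed
# in the thread.
ADDRESSES = {"all": [ipaddress.ip_network("0.0.0.0/0")]}

# Policy 56 as posted (only the fields the lookup needs).
POLICIES = [
    {"id": 56, "srcintf": "NOCSWITCH", "dstintf": "Interconnect",
     "srcaddr": "all", "dstaddr": "all", "action": "accept"},
]


def build_routes(loopback_prefixlen):
    """Constructed route table.  NOCSWITCH (10.0.8.1/24) and the loopback
    address 10.240.0.2 come from the thread; the Interconnect prefix
    (10.240.0.0/24) and the corrected loopback length (/32) are assumptions."""
    return [
        ("NOCSWITCH", ipaddress.ip_interface("10.0.8.1/24").network),
        ("Interconnect", ipaddress.ip_network("10.240.0.0/24")),  # assumed prefix
        ("loopback", ipaddress.ip_interface(f"10.240.0.2/{loopback_prefixlen}").network),
    ]


def route_lookup(routes, ip):
    """Longest-prefix match: the interface the firewall would send ip out of."""
    addr = ipaddress.ip_address(ip)
    best_intf, best_net = None, None
    for intf, net in routes:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_intf, best_net = intf, net
    return best_intf


def interfaces_claiming(routes, ip):
    """Every interface whose prefix covers ip, in table order.  More than one
    entry means overlapping prefixes, which is exactly what bit the poster."""
    addr = ipaddress.ip_address(ip)
    return [intf for intf, net in routes if addr in net]


def address_matches(name, ip):
    """True if the named address object covers ip."""
    return any(ipaddress.ip_address(ip) in net for net in ADDRESSES[name])


def policy_lookup(routes, src_ip, dst_ip):
    """Model of the GUI policy lookup at the level the thread describes:
    ingress interface from a route lookup on the source, egress interface
    from a route lookup on the destination, then a top-to-bottom policy scan.
    Returns the matching policy id, or 'implicit deny' if nothing matches."""
    srcintf = route_lookup(routes, src_ip)
    dstintf = route_lookup(routes, dst_ip)
    for p in POLICIES:
        if (p["srcintf"] == srcintf and p["dstintf"] == dstintf
                and address_matches(p["srcaddr"], src_ip)
                and address_matches(p["dstaddr"], dst_ip)):
            return p["id"]
    return "implicit deny"


if __name__ == "__main__":
    # With /31 the loopback wins the route lookup for 10.240.0.3, so the lookup
    # searches for a NOCSWITCH -> loopback policy and hits the implicit deny.
    for prefixlen in (31, 32):
        routes = build_routes(prefixlen)
        print(f"loopback 10.240.0.2/{prefixlen}:",
              "egress =", route_lookup(routes, "10.240.0.3"),
              "| claimed by", interfaces_claiming(routes, "10.240.0.3"),
              "| policy =", policy_lookup(routes, "10.0.8.11", "10.240.0.3"))
```

The useful check when a lookup unexpectedly lands on the implicit deny is interfaces_claiming(): if more than one interface prefix covers the destination, the most specific one decides the egress interface, and it may not be the interface your policy names. The firewall's message already hints at this ("as determined by a route lookup to 10.240.0.3"); comparing that interface with the policy's dstintf is the fastest way to spot an overlapping mask like the /31 here.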