bcote
New Member
June 5, 2017
Question

Website unreachable unless specific policy is created


Hi,

I've come across a website that one of our departments uses and, since our migration to the new firewall, can't access. After a little bit of troubleshooting, I noticed that if I add a specific rule from my internal LAN to the specific website IP as a Destination, then the website is accessible. What I don't understand is that a similar rule/policy is right under it with ALL as destination and yet the traffic doesn't go through. All other websites (so far) are reachable and I have not gotten any complaints. Why is this website different?

Can anyone explain why the ALL object doesn't seem to work for all? If I am not giving enough information, please let me know.


    rwpatterson
    New Member
    June 5, 2017

    What are the SERVICES associated with both policies? Are they the same? Destination is one thing, but if the all destination policy is missing a protocol, then your answer is presented. Additionally, if web filtering is enabled, it may be blocked due to some other reason entirely.

    emnoc
    New Member
    June 5, 2017

    The CLI cmd diag debug flow is your friend; I would start by analyzing that for clues.

    Set a filter for the website and then remove the new policy and see what happens. What does it match? What other security profile might be taking place?

    Also use the CLI and show full for the 2 policies and diff the difference; maybe something that's not visible in the web GUI is the issue.

    Ken
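
The comparison suggested above (show full for both policies, then diff them) can be scripted. This is an added example, not part of the original thread: the two policy blocks are constructed sample data in FortiOS-style edit/set/next syntax (an assumption about the firewall in question), and the function names are hypothetical.

```python
import re
# Constructed sample: two policies as "show full" might print them, in
# FortiOS-style edit/set/next syntax (assumed; not taken from the thread).
SAMPLE = '''
config firewall policy
    edit 12
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN"
        set dstaddr "dept-website"
        set action accept
        set service "HTTP" "HTTPS"
        set utm-status disable
    next
    edit 13
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set service "HTTP" "HTTPS"
        set utm-status enable
        set webfilter-profile "default"
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {setting: value}} from edit/set/next blocks."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit\s+(\d+)$', line):
            current = policies.setdefault(int(m.group(1)), {})
        elif line == 'next':
            current = None
        elif current is not None and (m := re.match(r'set\s+(\S+)\s*(.*)$', line)):
            current[m.group(1)] = m.group(2)
    return policies

def diff_policies(policies, a, b):
    """Return {setting: (value_in_a, value_in_b)} where they differ; None means unset."""
    pa, pb = policies[a], policies[b]
    return {k: (pa.get(k), pb.get(k))
            for k in sorted(pa.keys() | pb.keys()) if pa.get(k) != pb.get(k)}

if __name__ == '__main__':
    for key, (va, vb) in diff_policies(parse_policies(SAMPLE), 12, 13).items():
        print(f'{key:20} policy 12: {va!s:20} policy 13: {vb}')
```

Settings that appear in only one policy are reported with None on the other side, which surfaces options that the web GUI may not display.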

     

    bcote
    New Member
    June 5, 2017

    Hi guys,

    Thanks for the quick replies. I can confirm all the same services are running on both policies. That was my first guess as to why the website was unavailable, but whether I remove all of them or some on either policy, only the policy directly tied to the specific Destination is functional. I will run some debugs and see, as you suggested, emnoc, if there are some GUI/CLI differences that could potentially cause the issue. Will follow up soon.