kmohan (Staff)
Article Id 404011
Description This article describes how to troubleshoot traffic that is denied by the implicit policy (policy ID 0) when threat ID 131072 appears in the forward traffic logs.
Scope FortiGate.
Solution

Traffic is being denied by the implicit policy (policy ID 0) even though a LAN to WAN policy that should match it exists. In the Forward Traffic logs, the denied sessions show craction=131072 with crlevel="high" and score=30 (presented in the log view as threat ID 131072, level high, score 30). When this pattern is seen, check whether an IP pool is configured on the firewall policy the traffic is expected to match, as in the sample log entry below.


date=2025-04-04 time=13:18:28 id=7489361892561912073 itime="2025-04-04 13:19:10" euid=3 epid=5877 dsteuid=3 dstepid=101 logflag=3 lover=704062726 type="traffic" subtype="forward" level="notice" action="implicitly deny" policyid=0 sessionid=446442812 srcip=10.1.200.2 dstip=10.0.67.57 srcport=49210 dstport=443 trandisp="noop" duration=0 proto=6 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 logid=0000000013 service="HTTPS" app="HTTPS" appcat="unscanned" srcintfrole="lan" dstintfrole="wan" srcserver=0 policytype="policy" eventtime=1743752909389884680 score=30 craction=131072 crlevel="high" poluuid="3b9fb7dc-e221-51ef-b9c7-50cc7fff1e88" srcmac="00:09:0f:09:02:10"


On the firewall policy, check whether NAT is configured with a dynamic IP pool (Dynamic SNAT) and follow the action plan below:

  1. Change the NAT setting from Use Dynamic IP Pool to Use Outgoing Interface Address and verify whether the traffic now flows. If it does, the IP pool configuration is the cause.
  2. Check the IP pool type and range. A source range that is not covered by the dynamic SNAT pool should pass once the pool is changed to type overload. If the pool still becomes exhausted with overload, check the pool for PAT (port) exhaustion.
 

Once the IP pool configuration is corrected, or the pool is set to overload with the correct range, the traffic passes through the same policy ID instead of being implicitly denied.

When the firewall policy references multiple outgoing interfaces (for example an SD-WAN zone), set the associated interface on each IP pool.

SNAT then uses only the pool that belongs to the interface the session actually leaves on.
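To put the action plan and the multiple-outgoing-interface note together, the FortiOS CLI excerpt below is an added example and not configuration from the original article. The pool name POOL-WAN1, the public range 203.0.113.10-203.0.113.20, the interface names internal and wan1, and policy ID 1 are assumptions for the example; the lines starting with # are comments for the reader. It shows an overload pool tied to its egress interface, the LAN to WAN policy that uses it, the fallback to the outgoing interface address from step 1 of the action plan, and the commands used to check pool usage and the implicit denies.

```fortios
# Step 2 of the action plan: an overload pool tied to its egress interface
# (pool name, address range and interface names are assumptions for this example)
config firewall ippool
    edit "POOL-WAN1"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.20
        # Only sessions leaving via wan1 can SNAT to this pool; with an
        # SD-WAN zone in dstintf, create one pool per member interface
        set associated-interface "wan1"
    next
end

# The LAN to WAN policy that uses the pool (policy ID 1 is assumed)
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "POOL-WAN1"
    next
end

# Step 1 of the action plan: temporarily fall back to the outgoing interface
# address (NAT stays enabled, the pool is no longer used). If the implicit
# denies stop, the IP pool configuration is the cause.
config firewall policy
    edit 1
        set ippool disable
    next
end

# Checks: per-pool NAT session counts (port exhaustion shows up here), and
# the implicit denies themselves filtered from the forward traffic log
diagnose firewall ippool-all stats
execute log filter category 0
execute log filter field policyid 0
execute log display
```

After step 1 confirms the pool as the cause, re-enable ippool on the policy with the corrected pool and re-run the log filter: the same source and destination pairs should now appear with the policy ID of the LAN to WAN policy rather than policyid=0.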

 

Related article:

Technical Tip: How to configure SNAT with IP pool

Technical Tip: Avoid NAT port exhaustion