Scenario:

• A more specific route was added.
• A new policy was created above the existing policy.
• Test done from connected PC with IP 10.x.x.173 to 8.8.8.8 (ping).

From the forward traffic logs, traffic is still hitting the previously configured policy.

The following needs to be done:

1. Ensure that the policy is created correctly (source and destination interface), and policy match tools should show that traffic is matching the new policy.

Confirm the direction of the policy is as intended. In this example, it should be from port2 to IPsec. 

Policy lookup tools show that the traffic would match the new policy, which means the policy order is correct. 

2. Check if there is any existing session.

    

diagnose sys session filter src <source ip>

diagnose sys session filter dst <destination ip>

diagnose sys session list 

To check the policy using CLI, use the syntax of the policy lookup command as follows:

diagnose firewall iprope lookup <src ip> <src port> <dst ip> <dst port> <protocol> <Incoming_interface>

3. It is noticeable that there are existing sessions where the duration is much longer than the created policy.

For such cases, it is necessary to clear the existing session:

diagnose sys session filter src <source ip>

diagnose sys session filter dst <destination ip>

diagnose sys session list     --> This will list current active sessions that match the above filter.

diagnose sys session clear   --> This will only clear the session that matches the above filter.

After the session is clear, traffic should be able to match the newly created policy.