I went through this nightmare a few days ago: gateway default deny, then I created a default deny in the application rules of the DFW (since the default seems to be allow!!!) and then used the other sections for infrastructure services. Seems to work, and deny all works.
I tried to use the GW for N/S traffic and the DFW for E/W, but that just ended up being a nightmare and a pain to diagnose since we do not have a paid-for subscription to log intel. Now it's deny all in all areas and the DFW does the work.
Thanks for responding back. So, what do you want me to do exactly?
It should work, but a few questions to understand more about your setup:
- Can you share the exact rules you have defined? Static or dynamic groups?
- Have you root-caused why the DNS query is failing?
- Is the DNS server IP outside the T1 GW (over its uplink)?
- I presume you have routes available to the DNS server and back.
I'm sorry for my terrible drawing, but simply this is my network. I use only a Tier-0 GW. Everything is reachable as long as I don't use the GW firewall; once I enable the rules, only one of them works, and traffic sticks to it, meaning that no further rules process traffic. I fix this by disabling the "catch all" rule (I created it), but I think traffic goes to the default NSX catch-all rule that is set to "Allow" and I am unable to edit it. Rule logging counts for the rules I set sometimes, not always; there's something wrong. The rules are here:
1- "Internet", source: any, destination: 0.0.0.0/0 (there's a static route for it and it works fine if no firewall rule is enabled; I also use BGP, by the way), mode: allow.
2- "DNS", source: any, destination: DNS_IP, set to allow indeed.
3- "DHCP", source: any, destination: the Cisco router.
4- "DenyAll", source: any, dest: any, and set to "drop".
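The NSX gateway firewall evaluates rules top-down and stops at the first rule whose source and destination both match; anything that does not match a user rule falls through to the built-in default rule, which allows. The small simulator below, added here as an example and not taken from the thread or from NSX itself, replays a few constructed flows through the four rules as posted and reports per-rule hit counters and which rules sit below a catch-all. The addresses (DNS_IP, ROUTER_IP, the internal hosts, the Internet destination) are made-up RFC 1918 / TEST-NET-3 values, since the real ones are not on the page.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass
class Rule:
    name: str
    src: str       # "any" or an IP/CIDR, written the way the posted rules are
    dst: str
    action: str    # "allow" or "drop"
    hits: int = 0  # counter, like the rule statistics shown in the UI


def _field_matches(spec: str, ip: str) -> bool:
    """'any' matches every address; otherwise test host/CIDR membership."""
    if spec == ANY:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def is_catch_all(rule: Rule) -> bool:
    """True when both source and destination cover every address.
    A destination of 0.0.0.0/0 is a /0 prefix, i.e. the same as 'any'."""
    return all(
        spec == ANY or ipaddress.ip_network(spec, strict=False).prefixlen == 0
        for spec in (rule.src, rule.dst)
    )


def evaluate(rules, src_ip, dst_ip):
    """Top-down, first-match evaluation (gateway firewall semantics):
    the first rule whose source and destination both match decides the
    flow; nothing below it is consulted. Unmatched traffic falls through
    to the built-in default rule, which is 'allow' unless changed."""
    for rule in rules:
        if _field_matches(rule.src, src_ip) and _field_matches(rule.dst, dst_ip):
            rule.hits += 1
            return rule.name, rule.action
    return "default", "allow"


def hit_counts(rules, flows):
    """Replay flows through the table and return per-rule hit counters."""
    for rule in rules:
        rule.hits = 0
    for src, dst in flows:
        evaluate(rules, src, dst)
    return {rule.name: rule.hits for rule in rules}


def shadowed_rules(rules):
    """Names of rules that can never match because a catch-all is above them."""
    for i, rule in enumerate(rules):
        if is_catch_all(rule):
            return [r.name for r in rules[i + 1:]]
    return []


# Constructed addresses; the thread only gives the names DNS_IP and "the Cisco router".
DNS_IP = "10.0.0.53"
ROUTER_IP = "10.0.0.1"


def posted_order():
    """The four rules in the order they appear in the post."""
    return [
        Rule("Internet", ANY, "0.0.0.0/0", "allow"),
        Rule("DNS", ANY, DNS_IP, "allow"),
        Rule("DHCP", ANY, ROUTER_IP, "allow"),
        Rule("DenyAll", ANY, ANY, "drop"),
    ]


def specific_first_order():
    """Same rules with the host-specific ones moved above the 0.0.0.0/0 rule."""
    return [
        Rule("DNS", ANY, DNS_IP, "allow"),
        Rule("DHCP", ANY, ROUTER_IP, "allow"),
        Rule("Internet", ANY, "0.0.0.0/0", "allow"),
        Rule("DenyAll", ANY, ANY, "drop"),
    ]


# Constructed sample traffic: one flow per kind the post talks about.
SAMPLE_FLOWS = [
    ("10.0.1.5", DNS_IP),          # DNS query
    ("10.0.1.5", ROUTER_IP),       # DHCP to the router
    ("10.0.1.5", "203.0.113.10"),  # an Internet destination
    ("10.0.1.5", "10.0.1.6"),      # east-west to another internal host
]

if __name__ == "__main__":
    for label, rules in (("posted order", posted_order()),
                         ("specific rules first", specific_first_order())):
        print(label, hit_counts(rules, SAMPLE_FLOWS), "shadowed:", shadowed_rules(rules))
```

Run as-is, the posted order sends all four flows to "Internet" and the other three counters stay at zero, which is the "traffic sticks to one rule" symptom; with the host-specific rules moved up, DNS and DHCP count their own hits, but the 0.0.0.0/0 destination still matches the internal east-west flow, so "DenyAll" below it never fires. Any rule placed under a source-any/destination-0.0.0.0/0 rule is unreachable regardless of its action.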