VMware NSX


Distributed Firewall Assistance

  • 1.  Distributed Firewall Assistance

    Posted May 11, 2021 11:16 AM

    I am putting in some DFW policy and learning how it responds. I still have a catch-all any/any rule and am currently not dropping any traffic. I am getting some behavior I am unable to figure out. I have a group of 4 DNS appliances (VMs) in the center and the policy configured as below.

    [screenshot: skroesen_0-1620730830366.png]

    [screenshot: skroesen_1-1620731140813.png]


    All of the IPs in the "Unknown" group on the right match the DFW policy as I would expect. The traffic from the VMs on the cluster does not match the traffic policy at all. You can see below that they don't hit the policy, as they are "unprotected".

    [screenshot: skroesen_2-1620731502868.png]

    If I click unprotected, the Source Rule ID is 2 (this is my catch-all any/any rule that is further down in the DFW policies), and the Destination Rule ID is the rule in the screenshot above.

    [screenshot: skroesen_3-1620731592711.png]


    Now if I look at a flow on one of the green lines from the other group out on the physical network, here are the findings. The traffic matches the policy and is "allowed". If I click on allowed, the Source Rule ID is unknown. This is consistent on all of the green "allowed" traffic. Why the different behavior between IPs on the physical network and IPs on VMs on the same cluster?

    [screenshot: skroesen_4-1620731703289.png]