ATP800 firewall zone rule continues working after deleting VTI from zone
ATP800.
Default policy denies all traffic.
Created a rule to allow all from ipsec to ipsec.
After deleting the VTI interface from zone ipsec and adding it to a new zone, traffic from this interface continues to go to ipsec.
Logs show that the traffic goes via the rule ipsec to ipsec.
src="172.20.67.2:44714" dst="172.20.16.9:135" msg="priority:178, from IPSec_VPN to IPSec_VPN, TCP, service others, ACCEPT" note="ACCESS FORWARD" user="unknown" devID="aabbccddeeff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="IPSec_VPN:IPSec_VPN" protoID=6 proto="others"
How could this happen on a firewall?
Screenshots:
vti999, which is in zone cloud
goes to vti1 in zone ipsec
default rule to deny all
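The log line above has enough in it to check this mechanically. The following is an added example, not code from the post or from Zyxel: it parses the ATP key="value" log format and compares the zone pair the firewall logged in dir="..." with the zone pair you would expect from the current interface-to-zone assignment. The subnet-to-interface map and the second log line are assumptions constructed for the example (the post only shows which VTI is in which zone, not which subnet sits behind each VTI), so adjust both to your own config before running it over a log export.

```python
import ipaddress
import re

# Constructed sample: the first line is the one quoted in the post, the second is a
# hypothetical line showing what a correctly re-zoned flow would look like.
SAMPLE_LOGS = [
    'src="172.20.67.2:44714" dst="172.20.16.9:135" msg="priority:178, from IPSec_VPN to IPSec_VPN, TCP, service others, ACCEPT" note="ACCESS FORWARD" user="unknown" devID="aabbccddeeff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="IPSec_VPN:IPSec_VPN" protoID=6 proto="others"',
    'src="172.20.67.3:50010" dst="172.20.16.9:445" msg="priority:9999, from cloud to IPSec_VPN, TCP, service others, DROP" note="ACCESS BLOCK" user="unknown" devID="aabbccddeeff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="cloud:IPSec_VPN" protoID=6 proto="others"',
]

# Assumed mappings (hypothetical): which VTI carries which remote subnet, and the
# zone each VTI is in *after* vti999 was moved to the custom zone "cloud".
SUBNET_TO_IFACE = {"172.20.67.0/24": "vti999", "172.20.16.0/24": "vti1"}
IFACE_TO_ZONE = {"vti999": "cloud", "vti1": "IPSec_VPN"}

# key="quoted value" or key=bare_value (e.g. protoID=6)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Turn one ATP log line into a dict of field -> string value."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def zone_for(addr_with_port):
    """Map an IPv4 'a.b.c.d:port' string to the zone it should be in now, or None if unmapped."""
    ip = ipaddress.ip_address(addr_with_port.rsplit(":", 1)[0])  # IPv4 only in this sample
    for net, iface in SUBNET_TO_IFACE.items():
        if ip in ipaddress.ip_network(net):
            return IFACE_TO_ZONE[iface]
    return None


def check_line(line):
    """Compare the logged zone pair with the expected one; flag a stale match."""
    f = parse_log(line)
    expected_from, expected_to = zone_for(f["src"]), zone_for(f["dst"])
    if expected_from is None or expected_to is None:
        expected = "unknown"
        stale = False  # cannot judge a flow we cannot place
    else:
        expected = f"{expected_from}:{expected_to}"
        stale = expected != f.get("dir", "")
    return {
        "src": f["src"],
        "dst": f["dst"],
        "logged_dir": f.get("dir", ""),
        "expected_dir": expected,
        "verdict": f["msg"].rsplit(",", 1)[-1].strip(),
        "stale": stale,
    }


def stale_matches(lines):
    """Return only the entries whose logged zone pair disagrees with the current config."""
    return [r for r in (check_line(ln) for ln in lines) if r["stale"]]


if __name__ == "__main__":
    for r in stale_matches(SAMPLE_LOGS):
        print(f"STALE {r['src']} -> {r['dst']}: logged {r['logged_dir']}, "
              f"expected {r['expected_dir']} ({r['verdict']})")
```

Run it over an export of the "Security Policy Control" logs right after changing zone membership: every line it prints is a flow the firewall still classified with the old zone pair, which is the symptom described in the post. It only tells you that the stale classification is happening, not why; for that you still need to look at the interface and policy configuration as James asks below.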
All Replies
Hello @alexey,
Do you mean that you have two VTIs that are located in different zones and the traffic between them should be denied by the default rule, but the logs show it has been allowed by the rule "IPSec_VPN to IPSec_VPN"? Please share your interface settings and the security policy for further checking, thanks.
James
Yes, I mean that.
In the beginning these 2 VTIs were in the one default ipsec zone.
After I removed vti999 from the ipsec zone and added it to the new custom zone cloud, the traffic did not start being blocked.
It is accepted by the rule IPSec_VPN to IPSec_VPN.