ATP800 firewall zone rule continue working after delete VTI from zone
ATP800.
Default policy deny all traffic.
Created rule to allow all from ipsec to ipsec.
After delete VTI interface from zone ipsec and added it to new zone, traffic from this interface continue goes to ipsec.
Logs show, that traffic goes via rule ipsec to ipsec.
src="172.20.67.2:44714" dst="172.20.16.9:135" msg="priority:178, from IPSec_VPN to IPSec_VPN, TCP, service others, ACCEPT" note="ACCESS FORWARD" user="unknown" devID="aabbccddeeff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="IPSec_VPN:IPSec_VPN" protoID=6 proto="others"
How it could be on firewalls?
Screenshots:
vti999 that in zone cloud
goes to vti1 in zone ipsec
default rule to deny all
All Replies
-
Hello @alexey,
Do you mean that you have two VTIs that are located in different zones and the traffic between them should be denied by default rule but the logs show it has been allowed by the rule "IPSec_VPN to IPSec_VPN"?Please share your interface settings and the security policy for further checking, thanks.
James
0 -
Yes, i mean that.
In beginning this 2 VTIs was in 1 default ipsec zone.
After i remove vti999 grom ipsec zone and add to new custom zone cloud, traffic not start blocking.
Accepts by rule PSec_VPN to IPSec_VPN
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight