ATP800 firewall zone rule continues working after deleting VTI from zone
ATP800.
Default policy: deny all traffic.
Created a rule to allow all from ipsec to ipsec.
After deleting the VTI interface from zone ipsec and adding it to a new zone, traffic from this interface continues to go to ipsec.
Logs show that traffic goes via the rule ipsec to ipsec.
src="172.20.67.2:44714" dst="172.20.16.9:135" msg="priority:178, from IPSec_VPN to IPSec_VPN, TCP, service others, ACCEPT" note="ACCESS FORWARD" user="unknown" devID="aabbccddeeff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="IPSec_VPN:IPSec_VPN" protoID=6 proto="others"
How could this be on firewalls?
Screenshots:
vti999, which is in zone cloud
goes to vti1 in zone ipsec
default rule to deny all
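One way to check a batch of these access-control log lines against the zone layout you intended after a change like the one described in this post, as an added example (not the poster's own tooling and not a Zyxel feature): parse the `key="value"` fields the device writes, work out which zone each endpoint should be in, and flag every ACCEPT whose logged `dir` zone pair disagrees with that intent. The subnet-to-interface map and the second (DROP) log line are constructed assumptions; the post only names vti999 (zone cloud) and vti1 (zone ipsec) and gives no subnets.

```python
import ipaddress
import re

# Constructed sample lines in the Zyxel access-control log format shown in the post.
# The first is the post's own line; the second is a constructed DROP line for contrast.
SAMPLE_LOGS = [
    'src="172.20.67.2:44714" dst="172.20.16.9:135" msg="priority:178, from IPSec_VPN to IPSec_VPN, TCP, service others, ACCEPT" note="ACCESS FORWARD" user="unknown" devID="aabbccddeeff" cat="Security Policy Control" class="Access Control" ob="0" ob_mac="000000000000" dir="IPSec_VPN:IPSec_VPN" protoID=6 proto="others"',
    'src="172.20.67.3:50000" dst="172.20.16.9:445" msg="priority:1, from cloud to IPSec_VPN, TCP, service others, DROP" note="ACCESS BLOCK" user="unknown" devID="aabbccddeeff" cat="Security Policy Control" class="Access Control" dir="cloud:IPSec_VPN" protoID=6 proto="others"',
]

# ASSUMED subnet-to-interface/zone map (hypothetical, not from the post): the post names
# vti999 (now in zone cloud) and vti1 (zone IPSec_VPN) but gives no subnets, so these are made up.
INTENDED_ZONES = {
    "172.20.67.0/24": ("vti999", "cloud"),
    "172.20.16.0/24": ("vti1", "IPSec_VPN"),
}

# key="quoted value" or key=bareword, as in the device's log lines.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Return the key/value fields of one log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def intended_zone(ip_str):
    """Look up which zone an IPv4 address should belong to under the intended design."""
    ip = ipaddress.ip_address(ip_str)
    for net, (_iface, zone) in INTENDED_ZONES.items():
        if ip in ipaddress.ip_network(net):
            return zone
    return None


def audit_line(line):
    """Compare the zone pair the firewall logged against the zone pair we intended."""
    f = parse_log(line)
    # src/dst are "ip:port" (IPv4 in this log format); split the port off from the right.
    src_ip = f["src"].rsplit(":", 1)[0]
    dst_ip = f["dst"].rsplit(":", 1)[0]
    logged_from, logged_to = f["dir"].split(":", 1)
    expected_from = intended_zone(src_ip)
    expected_to = intended_zone(dst_ip)
    accepted = f["msg"].rstrip().endswith("ACCEPT")
    return {
        "src": src_ip,
        "dst": dst_ip,
        "logged_dir": (logged_from, logged_to),
        "expected_dir": (expected_from, expected_to),
        "accepted": accepted,
        # An ACCEPT whose logged zones disagree with the intended ones is the symptom in the post.
        "stale_zone_match": accepted and (logged_from, logged_to) != (expected_from, expected_to),
    }


def find_stale_matches(lines):
    """Return audit results for every ACCEPT that matched under a zone pair we no longer intend."""
    return [r for r in (audit_line(line) for line in lines) if r["stale_zone_match"]]


if __name__ == "__main__":
    for r in find_stale_matches(SAMPLE_LOGS):
        print(f'{r["src"]} -> {r["dst"]}: logged {r["logged_dir"]}, intended {r["expected_dir"]}')
```

Run over an export of the Security Policy Control logs, the script lists accepted flows whose `dir` still shows the old zone pair; a non-empty list after the zone change is the signal to re-check the policy and the interface's zone membership rather than trusting the default deny.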
All Replies
Hello @alexey,
Do you mean that you have two VTIs that are located in different zones and the traffic between them should be denied by the default rule, but the logs show it has been allowed by the rule "IPSec_VPN to IPSec_VPN"? Please share your interface settings and the security policy for further checking, thanks.
James
Yes, I mean that.
In the beginning these 2 VTIs were in the 1 default ipsec zone.
After I removed vti999 from the ipsec zone and added it to the new custom zone cloud, traffic did not start being blocked.
It is accepted by the rule IPSec_VPN to IPSec_VPN.