
Policy Test tool issues

When using the Policy Test tool, it's showing me the device I'm testing (the computer I'm on) using what appears to be the wrong firewall rule. The firewall rule this computer is using sits above an 'Allow All' firewall rule:

Firewall Rule (computer) - Source: LAN, MAC Host; Destination: WAN, Any Host; Services: DNS, HTTP, HTTPS, SMTPS, IMAPS, etc.

Firewall Rule (allow all) - Source: LAN, Any Host; Destination: WAN, Any Host; Services: Any

The Policy Test I'm running is to www.google.com, which shows it's using TCP port 80 (HTTP), so it should be utilizing the first firewall rule. The weird part is if I disable the bottom 'Allow All' firewall rule, I can still browse the internet just fine on my computer because I believe it's using the higher firewall rule, but when I run the Policy Test tool, it shows it being denied and hitting the default hidden deny all rule.

Anyone else seeing similar results with the Policy Test tool?



  • Can you provide screenshots of your firewall rules, the policy test (both what you are entering in and the results), what you expect the policy tester to reply, and how the system actually behaves when you run traffic through it.  And a copy of the MAC Host.

     

    My guess - and this is just a guess - is that it has trouble matching the rule based on the "MAC Host".  The policy tester is based on the entered source IP, and it may not be able to resolve the IP to be the same thing as the MAC Host object (since the IP of the MAC Host can change).  Would it be possible for you to temporarily try with an IP Host object instead?

  • Michael Dunn said:

    Can you provide screenshots of your firewall rules, the policy test (both what you are entering in and the results), what you expect the policy tester to reply, and how the system actually behaves when you run traffic through it.  And a copy of the MAC Host.

     

    My guess - and this is just a guess - is that it has trouble matching the rule based on the "MAC Host".  The policy tester is based on the entered source IP, and it may not be able to resolve the IP to be the same thing as the MAC Host object (since the IP of the MAC Host can change).  Would it be possible for you to temporarily try with an IP Host object instead?

    Well, it looks like your guess is correct. Most of my firewall rules are set up using a 'MAC Host' that I created for each device (since I don't have a static IP address for each device). I created an 'IP Host' for my MacBook Air and added it to the same firewall rule that it's on via its 'MAC Host'. After that, I ran the Policy Test to www.google.com with the MacBook Air's IP address and sure enough, it's now showing the correct firewall rule in use.

    I'm assuming/hoping this is just an issue with the Policy Test tool that can be fixed and not an issue with other parts of the firewall. I'm fairly certain my devices are using the correct firewall rule as it appears correct in the log viewer and when I make changes to the firewall rule settings, it appears to affect my devices as expected. Is there somewhere I should submit a bug report or does this thread suffice?

    Appreciate the help!

  • I've raised the issue internally but it will get more "weight" if there is a support case against it, so feel free to raise a support ticket as well.  However there may be technical difficulties in resolving this.  If the MAC Host is not associated with an IP address, or if the association is only a temporary cache this may be a limitation that there is no easy way around (unless we make MAC Host part of the UI of the Policy Tester, which just complicates things).  It is just as likely that this will be documented as a known issue in Help/KB.
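The mismatch described in this thread, as an added illustration that is not Sophos code: a first-match rule evaluator in which real traffic carries the frame's source MAC, while a policy tester only has the typed-in source IP, so a rule whose source is a MAC Host is skipped unless an IP Host is added to it. Rule names, addresses and service tuples are constructed for the example.

```python
# Added example (not the firewall's own code): first-match rule evaluation that
# models why a tester fed only a source IP cannot match a MAC Host source object.
from dataclasses import dataclass

DEFAULT_DENY = "default deny (hidden)"


@dataclass
class Rule:
    name: str
    src_macs: frozenset = frozenset()   # MAC Host objects; empty means Any Host
    src_ips: frozenset = frozenset()    # IP Host objects; empty means Any Host
    services: frozenset = frozenset()   # (proto, port) pairs; empty means Any
    enabled: bool = True

    def matches(self, src_ip, src_mac, service):
        if not self.enabled:
            return False
        if self.services and service not in self.services:
            return False
        if not self.src_macs and not self.src_ips:
            return True                  # Any Host source
        # A MAC Host only matches when the evaluator actually knows the MAC;
        # an IP Host matches on the address alone.
        return (src_mac is not None and src_mac in self.src_macs) or src_ip in self.src_ips


def evaluate(rules, src_ip, service, src_mac=None):
    """Return the first enabled matching rule's name, else the hidden deny."""
    for rule in rules:
        if rule.matches(src_ip, src_mac, service):
            return rule.name
    return DEFAULT_DENY


# Constructed sample objects mirroring the thread: a per-device MAC Host rule
# sitting above an 'allow all' rule.
LAPTOP_IP = "192.168.1.50"          # constructed
LAPTOP_MAC = "aa:bb:cc:dd:ee:ff"    # constructed
HTTP = ("tcp", 80)


def build_rules(allow_all_enabled=True, add_ip_host=False):
    computer = Rule("computer",
                    src_macs=frozenset({LAPTOP_MAC}),
                    src_ips=frozenset({LAPTOP_IP}) if add_ip_host else frozenset(),
                    services=frozenset({("udp", 53), HTTP, ("tcp", 443)}))
    allow_all = Rule("allow all", enabled=allow_all_enabled)
    return [computer, allow_all]
```

Real traffic (with `src_mac`) hits "computer"; the tester (IP only) hits "allow all", then the hidden deny once that rule is disabled, and only matches "computer" after an IP Host is added.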