Business Application Firewall Rule Works Externally But Not Internally

Question

I've created a number of business application firewall rules (both WAF & DNAT) to allow external access to internal resources on the LAN. 
 I've tested all the rules from an external connection & confirmed they work as expected. 
 However, when testing the rules from an internal connection (originating from the LAN), all of the rules work except for one. (Yet this same one works for external connections.) 
 I've spent a decent amount of time pouring over the Log Viewer going over the Application Filter, Firewall, IPS & Web Server Protection logs but I'm not seeing anything (blocked or allowed or otherwise) from the local source IP address destined to either the external IP or the local IP. 
 
 In short I could use some assistance in trying to intelligently narrow the scope of troubleshooting potentially starting with understanding why I'm not seeing this traffic in any of the logs. 
 Thanks

Ronak Sheth · Accepted Answer

Hello Julius Perkins , 
 
 First, can you confirm the rule which is not working is a WAF or DNAT? if it is a DNAT and your source IP and the destination IP is in the same IP network, you will have to enable NAT- Rewrite source address (masquerading). DNAT rule without NAT will create asymmetric routing. 
 
 To troubleshoot further, please share the screenshot of you nonworking firewall rule, Source IP, Port number and network interface IP on which you have configured the firewall Rule. 
 
 Regards, Ronak.

Emile Belcourt · Answer

Hi Both, 
 You can create loop back rules but you have to make sure the source IP is masqueraded else you'll get an asymmetric route and the client will receive a response from a martian (unsolicited source). 
 Could you share some screenshots of the rule that isn't working? 
 Emile

Ronak Sheth · Answer

Hello Julius Perkins , 
 
 I would recommend you to create two separate DNAT Rule. First with Source zone LAN with 'Rewrite source address (masquerading)' and the second with source zone WAN or Any without 'Rewrite source address (masquerading)' and place it bellow the above DNAT rule. 
 
 As MASQ on WAN traffic will NAT the Source IP with the XG interface IP. Due to this the log viewer on the server will report incorrect IP address. 
 
 Regards, Ronak.

Julius Perkins · Answer

Hey there Ronak Sheth and thank you for taking the time to reply. 
 The rule in question did happen to be a DNAT and you are correct: Enabling the 'Rewrite source address (masquerading)' option and selecting the appropriate outbound address (The default MASQ rule was sufficient.) immediately allowed the connections originating on the LAN. 
 Much appreciated!

Julius Perkins · Answer

Hi - I appreciate the explanation here as it helped to further demystify the problem. Enabling masquerading allowed the rule to work for connections on the same network. Thanks again!