Troubleshoot traffic that is incorrectly stopped by the firewall
The Firewall might incorrectly stop traffic that you want to allow. To check possible configuration errors, use log entries to locate the correct policy.
For more details about the product and how to configure features, click Help or press F1.
Steps
-
In the Logs view, check whether the connection is logged.
- Add a quick filter for both the source and destination IP address of the traffic you want to allow in the Query pane and click Apply.
- If the logs show that the connection is discarded or refused by a rule, click the Rule Tag link in the log entry to check the rule.
-
Check the Access rules and NAT rules of the active policy for rules that match the same source, destination, and service.
- Open the Search Rules pane through the policy view’s toolbar, then drag and drop the corresponding elements to the search fields at the bottom of the rule table.
- Select Show Only Matching Rules from Options in the search pane.
- Deselect Do Not Match ANY from Options in the search pane.
- If several rules are shown, the topmost rule is the one that is applied, unless the Source VPN cell (in IPv4 Access rules) has a definition that does not match. The other cells are not used for matching, but define options for what happens when traffic does match.
-
If the first matching Access rule is set to allow the traffic, check that other parts of the rule are correct:
- Some protocols require the correct Protocol Agent, which is set by including the correct Service with the correct Protocol attached. In some cases, you might need to change the options of the Protocol Agent.
- ANY rules do not use most Protocol Agents by default.
- You can create new Services for any source or destination port or port range as needed.
- The Connection Tracking Action options define if stateful inspection is used and how strict the checks are. Connection tracking allows NAT rules to be applied to the connection and a rule table where reply packets do not need to be separately allowed. The Firewall checks that the communications follow the standards of the protocol used and discards invalid communications. If invalid communications must be allowed, you might need to adjust connection tracking options.
- If there is a matching NAT rule, make sure that they are applied correctly. Particularly, dynamic NAT must only be used for protocols that work on top of TCP or UDP because dynamic NAT uses ports to track the translated connections.
- Check your routing configuration. If Routing is incorrectly configured on the Firewall, packets can be dropped because the Firewall has no route where to send them.