Not applicable.
Direct pings fail. Debugging shows the packets are dropped by a policy, but no debug security-policy log appears, so it is not possible to tell which policy drops them. The configuration shows that a permit policy for the Trust-Local zone pair was added at the end.
*Nov 26 09:30:32:779 2021xxxx ASPF/7/PACKET: -COntext=1; The first packet was dropped by packet filter or object-policy. Src-ZOne=Trust, Dst-ZOne=Local;If-In=Vlan-interface4091(156), If-Out=InLoopBack0(148); Packet Info:Src-IP=10.3.0.211, Dst-IP=10.212.201.249, VPN-Instance=none, Src-Port=1, Dst-Port=2048. Protocol=ICMP(1).
*Nov 26 09:30:32:779 2021 xxxx IPFW/7/IPFW_INFO: -COntext=1;
MBUF was intercepted! Phase Num is 4(local in beforedefrag), Service ID is 1(interzone), Bitmap is 4400000000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Vlan-interface4091,
s= 10.3.0.211, d= 10.212.201.249, protocol= 1, pktid = 12656.
1. The ICMP packets in the Trust-Local zone pair are rejected by an earlier deny policy. Because that deny rule sits earlier in the policy, it is matched first, and the permit policy added later never matches.
2. The device is configured with info-center source FILTER monitor deny, which suppresses the security-policy debug output, so the policy that drops the packets cannot be seen.
1. Move the Trust-Local ICMP permit policy ahead of the deny rule so that the packets can match it.
2. Run undo info-center source FILTER monitor, after which the security-policy debug logs are output normally.
info-center source FILTER monitor deny: this command stops all logs of the filter module from being output, including the debug security-policy output.
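The two technical points of this case, first-match rule ordering and reading the ASPF drop log, can be worked through in a small simulation. The following Python is an added example, not H3C code or output from the device: it parses the ASPF/7/PACKET line shown above into its fields, evaluates a constructed two-rule policy with first-match semantics, reports rules that are fully shadowed by an earlier rule, and shows that moving the permit rule ahead of the deny rule changes the verdict. The rule names, networks and field names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The ASPF drop line from the case (copied as a constructed sample string).
SAMPLE_LOG = (
    "*Nov 26 09:30:32:779 2021xxxx ASPF/7/PACKET: -COntext=1; The first packet was dropped "
    "by packet filter or object-policy. Src-ZOne=Trust, Dst-ZOne=Local;If-In=Vlan-interface4091(156), "
    "If-Out=InLoopBack0(148); Packet Info:Src-IP=10.3.0.211, Dst-IP=10.212.201.249, VPN-Instance=none, "
    "Src-Port=1, Dst-Port=2048. Protocol=ICMP(1)."
)

# Field names in the regex follow the log's own labels (Src-ZOne, Dst-ZOne, Src-IP, ...).
ASPF_RE = re.compile(
    r"Src-ZOne=(?P<src_zone>\w+), Dst-ZOne=(?P<dst_zone>\w+).*?"
    r"Src-IP=(?P<src_ip>[\d.]+), Dst-IP=(?P<dst_ip>[\d.]+).*?"
    r"Protocol=(?P<proto>\w+)\((?P<proto_num>\d+)\)"
)


def parse_aspf_drop(line):
    """Extract zone pair, addresses and protocol from an ASPF drop log line; None if not matched."""
    m = ASPF_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["proto_num"] = int(fields["proto_num"])
    return fields


@dataclass
class Rule:
    """One security-policy rule (simplified, assumed shape for the example)."""
    name: str
    action: str                 # "pass" or "drop"
    src_zone: str
    dst_zone: str
    src_net: str = "0.0.0.0/0"  # any source
    dst_net: str = "0.0.0.0/0"  # any destination
    proto: Optional[str] = None  # None means any protocol

    def matches(self, pkt):
        return (self.src_zone.lower() == pkt["src_zone"].lower()
                and self.dst_zone.lower() == pkt["dst_zone"].lower()
                and ip_address(pkt["src_ip"]) in ip_network(self.src_net)
                and ip_address(pkt["dst_ip"]) in ip_network(self.dst_net)
                and (self.proto is None or self.proto.lower() == pkt["proto"].lower()))


def evaluate(rules, pkt, default="drop"):
    """First-match evaluation: the first rule that matches decides; otherwise the default applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, None


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule covers everything they cover."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.src_zone.lower() == later.src_zone.lower()
                    and earlier.dst_zone.lower() == later.dst_zone.lower()
                    and ip_network(earlier.src_net).supernet_of(ip_network(later.src_net))
                    and ip_network(earlier.dst_net).supernet_of(ip_network(later.dst_net))
                    and (earlier.proto is None or earlier.proto.lower() == (later.proto or "").lower())):
                out.append(later.name)
                break
    return out


def move_rule_before(rules, name, before):
    """Return a new rule list with rule `name` placed directly ahead of rule `before`."""
    rule = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    idx = next(i for i, r in enumerate(rest) if r.name == before)
    return rest[:idx] + [rule] + rest[idx:]


# Constructed policy reproducing the case: a broad deny first, the ICMP permit appended last.
RULES = [
    Rule("deny-trust-local", "drop", "Trust", "Local", src_net="10.3.0.0/16"),
    Rule("permit-ping", "pass", "Trust", "Local",
         src_net="10.3.0.0/24", dst_net="10.212.201.249/32", proto="ICMP"),
]

if __name__ == "__main__":
    pkt = parse_aspf_drop(SAMPLE_LOG)
    print("parsed:", pkt)
    print("as configured:", evaluate(RULES, pkt), "shadowed:", shadowed_rules(RULES))
    fixed = move_rule_before(RULES, "permit-ping", "deny-trust-local")
    print("after move:", evaluate(fixed, pkt), "shadowed:", shadowed_rules(fixed))
```

Running the block shows the packet from the log hitting deny-trust-local while permit-ping is reported as fully shadowed; after the permit rule is moved ahead of the deny rule the same packet is passed and no rule is shadowed, which is exactly the reordering the solution above describes.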