
Inter-zone policy match priority causes a service anomaly

Posted 4 hours ago

Network setup and description

Alarm information

#
object-group ip address 192.168.44.1
 0 network host address 192.168.44.1
#
#
object-policy ip Trust-any-192.168.44.1
 rule 5 drop source-ip 192.168.44.1
#
#
zone-pair security source Trust destination Any
 object-policy apply ip Trust-any-192.168.44.1
 packet-filter 2000
#
zone-pair security source Trust destination Untrust
 packet-filter 2000
#
#
acl basic 2000
 rule 0 permit
#


Problem description

With the configuration above deployed on site, 192.168.44.1 can still reach 1.1.1.2 normally, which is not the expected result (the object-policy was meant to drop that host).


Analysis

Among inter-zone policies, a zone-pair whose destination zone is Any has the lowest priority.

Traffic from Trust to Untrust therefore matches "zone-pair security source Trust destination Untrust" first, not the Any pair, so the object-policy applied only to the Any pair never takes effect for that traffic.

Solution

#
zone-pair security source Trust destination Any
 packet-filter 2000
#
zone-pair security source Trust destination Untrust
 object-policy apply ip Trust-any-192.168.44.1
 packet-filter 2000
#
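As an added illustration (not from the post and not vendor code), a small Python model of the zone-pair lookup order described above, run against both the posted and the corrected configuration. It assumes the exact-destination-before-Any order the analysis states, that the chosen zone-pair's object-policy is checked before its packet-filter, and that packet-filter 2000 permits everything, since acl 2000 contains only "rule 0 permit".

```python
# Toy model of Comware zone-pair selection, written for this post (not vendor code).
# Assumptions: an exact destination zone beats destination Any; the chosen pair's
# object-policy is checked before its packet-filter; and packet-filter 2000 permits all.
BASE = """object-group ip address 192.168.44.1
 0 network host address 192.168.44.1
#
object-policy ip Trust-any-192.168.44.1
 rule 5 drop source-ip 192.168.44.1
#
"""
PAIR = "zone-pair security source Trust destination {}\n{} packet-filter 2000\n#\n"
APPLY = " object-policy apply ip Trust-any-192.168.44.1\n"
BEFORE = BASE + PAIR.format("Any", APPLY) + PAIR.format("Untrust", "")  # as posted
AFTER = BASE + PAIR.format("Any", "") + PAIR.format("Untrust", APPLY)   # the fix

def parse(config):
    groups, policies, pairs, ctx = {}, {}, [], None
    for line in config.splitlines():
        w, kind = line.split(), (ctx[0] if ctx else None)
        if not w or w[0] == "#":                               # block terminator
            ctx = None
        elif w[:3] == ["object-group", "ip", "address"]:
            ctx, groups[w[3]] = ("group", w[3]), []
        elif w[0] == "object-policy" and kind is None:         # object-policy ip NAME
            ctx, policies[w[2]] = ("policy", w[2]), []
        elif w[0] == "zone-pair":                              # ... source S destination D
            pairs.append({"src": w[3], "dst": w[5], "policy": None, "filter": None})
            ctx = ("pair", pairs[-1])
        elif kind == "group" and "address" in w:               # N network host address IP
            groups[ctx[1]].append(w[w.index("address") + 1])
        elif kind == "policy" and w[0] == "rule":              # rule N ACTION source-ip GROUP
            policies[ctx[1]].append((w[2], w[4]))
        elif kind == "pair" and w[0] == "object-policy":       # object-policy apply ip NAME
            ctx[1]["policy"] = w[3]
        elif kind == "pair" and w[0] == "packet-filter":
            ctx[1]["filter"] = w[1]
    return groups, policies, pairs

def lookup(config, src_zone, dst_zone, src_ip):
    groups, policies, pairs = parse(config)
    exact = [p for p in pairs if (p["src"], p["dst"]) == (src_zone, dst_zone)]
    any_ = [p for p in pairs if p["src"] == src_zone and p["dst"] == "Any"]
    pair = (exact or any_ or [None])[0]                        # specific pair wins
    if pair is None:
        return ("drop", None)                                  # no zone-pair at all
    label = f"{pair['src']}->{pair['dst']}"
    for action, group in policies.get(pair["policy"], []):     # object-policy first
        if src_ip in groups.get(group, []):
            return (action, label)
    return ("permit" if pair["filter"] else "drop", label)     # then packet-filter
```

lookup() returns the action and the zone-pair that decided it, so the posted configuration yields ("permit", "Trust->Untrust") for 192.168.44.1 and the corrected one yields ("drop", "Trust->Untrust").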