Application Control/URL Filtering drops traffic from internal web server

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk119432
Product	Application Control, URL Filtering, Security Gateway
Version	R77.30
Date Created	31-Jul-2017
Last Modified	12-Aug-2018

Symptoms

Connections to static NAT'd web server do not work.
"fw ctl zdebug + drop" debug shows that return traffic from the static NAT'd web server is dropped:

[DATE TIME];[cpu_10];[fw4_5];fw_log_drop_ex: Packet proto=6 WebServer_Internal_Address:443 -> ExternalHost:46812 dropped by fwpslglue_chain Reason: PSL Reject: ASPII_MT;
Behaviour may be inconsistent for NAT destinations on different internal interfaces, in that return traffic from some servers may appear to pass correctly, but return traffic through a different interface may be dropped.

Cause

Application Control/URL Filtering has the host object that is automatically static NATed in the destination column.

Application Control/URL Filtering does not recognize the NAT IP address of the object in the Application Control/URL Filtering rulebase.

If inconsistancies may be present if an internal interface topology "leads to" a large subnet or group of subnets which would overlap with the topology of other interfaces - especially interfaces where "Interface leads to DMZ" is checked, as DMZ inclusion explicitly defines that interface as an External Zone.

Further inconsistancies may be present due to a "leads to" overlap as above, depending on the load order of the interfaces by the OS.

Solution

Note: To view this solution you need to Sign In .