Application Control/URL Filtering drops traffic from internal web server
Symptoms
  • Connections to static NAT'd web server do not work.

  • "fw ctl zdebug + drop" debug shows that return traffic from the static NAT'd web server is dropped:

    [DATE TIME];[cpu_10];[fw4_5];fw_log_drop_ex: Packet proto=6 WebServer_Internal_Address:443 -> ExternalHost:46812 dropped by fwpslglue_chain Reason: PSL Reject: ASPII_MT;

  • Behaviour may be inconsistent for NAT destinations on different internal interfaces, in that return traffic from some servers may appear to pass correctly, but return traffic through a different interface may be dropped.
Cause

The Application Control/URL Filtering rulebase has the automatically static NATed host object in the Destination column.

Application Control/URL Filtering does not recognize the NAT IP address of the object in the Application Control/URL Filtering rulebase.

Inconsistencies may be present if an internal interface topology "leads to" a large subnet or group of subnets that overlaps with the topology of other interfaces, especially interfaces where "Interface leads to DMZ" is checked, as DMZ inclusion explicitly defines that interface as an External Zone.

Further inconsistencies may be present due to a "leads to" overlap as above, depending on the load order of the interfaces by the OS.
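
To check a gateway for the overlap described above, the following added example (not part of the original article and not Check Point code) parses a drop line in the format shown under Symptoms and reports which interface topologies overlap and which of them contain the dropped server address. The interface names, networks and addresses are constructed sample values; the topology table has to be filled in by hand from the gateway object.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample topology: interface -> "leads to" networks and DMZ flag.
TOPOLOGY = {
    "eth1": {"nets": ["10.0.0.0/8"], "dmz": False},
    "eth2": {"nets": ["10.20.30.0/24"], "dmz": True},
    "eth3": {"nets": ["192.168.50.0/24"], "dmz": False},
}

# Constructed drop line in the format shown in the Symptoms section.
DROP_LINE = ("[DATE TIME];[cpu_10];[fw4_5];fw_log_drop_ex: Packet proto=6 "
             "10.20.30.15:443 -> 203.0.113.7:46812 dropped by fwpslglue_chain "
             "Reason: PSL Reject: ASPII_MT;")

DROP_RE = re.compile(r"Packet proto=(\d+) (\S+):(\d+) -> (\S+):(\d+) "
                     r"dropped by (\S+) Reason: (.+?);")

def parse_drop(line):
    """Return the fields of one drop line, or None if it does not match."""
    m = DROP_RE.search(line)
    if not m:
        return None
    keys = ("proto", "src", "sport", "dst", "dport", "chain", "reason")
    return dict(zip(keys, m.groups()))

def find_overlaps(topology):
    """List (if_a, if_b, dmz_involved) for interfaces whose networks overlap."""
    found = []
    for a, b in combinations(sorted(topology), 2):
        nets_a = [ipaddress.ip_network(n) for n in topology[a]["nets"]]
        nets_b = [ipaddress.ip_network(n) for n in topology[b]["nets"]]
        if any(x.overlaps(y) for x in nets_a for y in nets_b):
            found.append((a, b, topology[a]["dmz"] or topology[b]["dmz"]))
    return found

def interfaces_claiming(ip, topology):
    """Interfaces whose topology contains ip; more than one is ambiguous."""
    addr = ipaddress.ip_address(ip)
    return [name for name in sorted(topology)
            if any(addr in ipaddress.ip_network(n) for n in topology[name]["nets"])]

if __name__ == "__main__":
    drop = parse_drop(DROP_LINE)
    print(drop["src"], "dropped:", drop["reason"])
    print("claimed by:", interfaces_claiming(drop["src"], TOPOLOGY))
    for a, b, dmz in find_overlaps(TOPOLOGY):
        print(f"overlap: {a} <-> {b}" + (" (DMZ interface involved)" if dmz else ""))
```

A server address claimed by more than one interface, particularly when one of them is marked as leading to DMZ, matches the inconsistent behaviour listed under Symptoms.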

