In the FireWall rulebase, the Service column may be evaluated before the Source and Destination columns are evaluated.
Example:
-
Configuration:
- 'CACTI' object represents the SNMP Management machine that queries hosts on the network.
- 'snmp_v3' is a custom service, in which 'Protocol Type' was set to 'SNMP_V3'.
- 'snmp' is a pre-defined service, in which 'Protocol Type' is not set at all.
- Rulebase (pay attention to the order of the security rules):

  NO. | SOURCE | DESTINATION | SERVICE | ACTION | TRACK
  1   | CACTI  | Any         | snmp_v3 | Accept | Log
  2   | Any    | CACTI       | snmp_v3 | Accept | Log
  3   | Any    | Any         | snmp    | Accept | Log
-
Issue:
- Both SNMP v1 traffic and SNMP v2 traffic were dropped, although this traffic was not sent to / from the 'CACTI' object and should have been accepted by rule 3 (pre-defined service 'snmp').
- Cause: because the Service is evaluated first, SNMP v1 / SNMP v2 traffic is matched against the custom service 'snmp_v3' of rules 1 and 2 before the Source and Destination of those rules are checked. This traffic does not satisfy the 'SNMP_V3' Protocol Type, so it is dropped and never reaches rule 3.
-
Workarounds:
- Move the rule with the pre-defined service 'snmp' (which accepts both SNMP v1 and SNMP v2 traffic) above the rules with the custom service 'snmp_v3'.
- In the custom service 'snmp_v3', set 'Protocol Type' to 'None'.
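The following is an added illustration, not code from Check Point or from this article: a toy rulebase evaluator that reproduces the issue above and checks both workarounds. The matching model is an assumption made for the example (the Service column is matched first by destination port; a Protocol Type on the matched service is enforced immediately and a mismatch drops the connection instead of falling through to later rules). All addresses, the 'SNMP_V3' inspection logic and the packets are constructed for the example.

```python
# Added illustration, not Check Point code: a toy rulebase evaluator that models
# the matching order described in this article. Assumed model: the Service column
# is matched first (by destination port); when the matched service carries a
# Protocol Type, that inspection is enforced at once and a mismatch drops the
# connection instead of letting it fall through to later rules. Addresses,
# service definitions and packets below are constructed for the example.
from dataclasses import dataclass
from typing import List, Optional, Tuple

CACTI = "10.0.0.5"      # constructed address for the 'CACTI' object
HOST_A = "10.0.1.20"    # constructed addresses of two ordinary monitored hosts
HOST_B = "10.0.1.21"
SNMP_PORT = 161         # udp/161, the port SNMP agents listen on


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    protocol_type: Optional[str] = None   # "SNMP_V3" or None (no inspection)


@dataclass(frozen=True)
class Rule:
    no: int
    source: str          # object address or "Any"
    destination: str
    service: Service
    action: str          # "Accept" or "Drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    snmp_version: int    # 1, 2 or 3, as seen by protocol inspection


def protocol_type_matches(protocol_type: str, pkt: Packet) -> bool:
    """Assumed inspection: 'SNMP_V3' is satisfied only by SNMP version 3 packets."""
    if protocol_type == "SNMP_V3":
        return pkt.snmp_version == 3
    raise ValueError(f"unknown Protocol Type {protocol_type!r}")


def object_matches(obj: str, addr: str) -> bool:
    return obj == "Any" or obj == addr


def evaluate(rulebase: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, number of the rule that decided) for one packet."""
    for rule in rulebase:
        # 1. Service is evaluated first: the port decides whether this rule's
        #    service applies to the connection at all.
        if pkt.dport != rule.service.port:
            continue
        # 2. A Protocol Type on the matched service is enforced right here,
        #    before Source/Destination are looked at; a mismatch is a drop.
        ptype = rule.service.protocol_type
        if ptype is not None and not protocol_type_matches(ptype, pkt):
            return ("Drop", rule.no)
        # 3. Only now are Source and Destination compared.
        if object_matches(rule.source, pkt.src) and object_matches(rule.destination, pkt.dst):
            return (rule.action, rule.no)
    return ("Drop", None)   # implicit cleanup: nothing matched


def build_rulebase(snmp_v3_protocol_type: Optional[str], snmp_rule_first: bool) -> List[Rule]:
    """Build the three-rule rulebase from the article, with both workarounds as options."""
    snmp_v3 = Service("snmp_v3", SNMP_PORT, snmp_v3_protocol_type)
    snmp = Service("snmp", SNMP_PORT)            # pre-defined: no Protocol Type
    rules = [
        Rule(1, CACTI, "Any", snmp_v3, "Accept"),
        Rule(2, "Any", CACTI, snmp_v3, "Accept"),
        Rule(3, "Any", "Any", snmp, "Accept"),
    ]
    if snmp_rule_first:
        rules = [rules[2], rules[0], rules[1]]  # workaround 1: 'snmp' rule moved above
    return rules


# The configuration as described in the article, and the two workarounds.
ORIGINAL = build_rulebase("SNMP_V3", snmp_rule_first=False)
WORKAROUND_REORDER = build_rulebase("SNMP_V3", snmp_rule_first=True)
WORKAROUND_NO_PTYPE = build_rulebase(None, snmp_rule_first=False)

# Constructed packets: SNMP v1 between two ordinary hosts, SNMP v3 from CACTI.
V1_BETWEEN_HOSTS = Packet(HOST_A, HOST_B, SNMP_PORT, snmp_version=1)
V3_FROM_CACTI = Packet(CACTI, HOST_A, SNMP_PORT, snmp_version=3)

if __name__ == "__main__":
    for label, rb in [("original", ORIGINAL),
                      ("snmp rule moved up", WORKAROUND_REORDER),
                      ("Protocol Type = None", WORKAROUND_NO_PTYPE)]:
        print(label, "-> v1 between hosts:", evaluate(rb, V1_BETWEEN_HOSTS),
              "| v3 from CACTI:", evaluate(rb, V3_FROM_CACTI))
```

With the original order, the v1 packet between two ordinary hosts is dropped by rule 1 even though neither host is 'CACTI'; with either workaround it is accepted by rule 3. Note also what the reordering workaround does to the rulebase: since rule 3 is 'Any / Any / snmp', once it sits on top it accepts every SNMP connection, including v3 from 'CACTI', and rules 1 and 2 are never reached.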