I was recently troubleshooting an issue where users couldn't access an external website out on the public internet. Traceoptions showed the traffic getting NATed appropriately, but the flow session always showed no packets coming back in. Other traffic to anything else on the web seemed to work just fine. Just this one website was the issue, even though the website was accessible from other locations.
I implemented a firewall filter to match on traffic from the website's IP and tcp/http, log it, then accept it, and accept everything else. Naturally the website started working, but here's the odd thing: when the configuration rolled back (as I had done a commit confirmed 5), we were still able to access the website. Granted, it should have never been denied, but what could have caused the traffic to not be processed on the way back in, but then be allowed by cycling a firewall filter through the config? The SRX is in a cluster.
Anyone heard of this?
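As an added illustration (not from the original poster), this is the shape of the diagnostic filter the post describes: a stateless filter on the internet-facing interface that logs return traffic from the website and accepts everything, so it changes nothing in policy and only gives you a packet count and a log to compare with the flow session. The website address (203.0.113.10), interface name (reth0) and filter name are constructed placeholders; substitute your own.

```junos
## Constructed example: log-and-accept filter for return traffic from one website.
## Return packets from an HTTP server have source port 80, so match on source-port.
set firewall family inet filter DIAG-WEB term from-website from source-address 203.0.113.10/32
set firewall family inet filter DIAG-WEB term from-website from protocol tcp
set firewall family inet filter DIAG-WEB term from-website from source-port http
set firewall family inet filter DIAG-WEB term from-website then count from-website-pkts
set firewall family inet filter DIAG-WEB term from-website then log
set firewall family inet filter DIAG-WEB term from-website then accept
## Final term: accept everything else, so the filter never drops traffic.
set firewall family inet filter DIAG-WEB term allow-rest then accept
## Apply inbound on the untrust-facing interface (reth0 assumed for a cluster).
set interfaces reth0 unit 0 family inet filter input DIAG-WEB
## Roll back automatically unless confirmed, as in the post.
commit confirmed 5

## Verification from operational mode while the filter is active:
## - does the counter increment, i.e. are the packets reaching the interface at all?
show firewall filter DIAG-WEB
## - which packets were logged (source/destination, ports)?
show firewall log
## - does the flow module now see return packets on the session?
show security flow session destination-prefix 203.0.113.10/32
```

If the filter counter increments while the flow session still reports no return packets, the traffic is arriving at the interface and the problem sits after the interface, in session or NAT handling, rather than upstream.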