SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Firewall filter unintentionally fixes traffic that should have already been allowed.

    Posted 03-31-2014 12:30

    I was recently troubleshooting an issue where users couldn't access an external website out on the public internet. Traceoptions showed the traffic getting NATed appropriately, but the flow session always showed no packets coming back in. Other traffic to anything else on the web seemed to work just fine. Just this one website was the issue, even though the website was accessible from other locations.

     

    I implemented a firewall filter to match on traffic from the website's IP and tcp/http, log it, then accept it, and accept everything else. Naturally the website started working, but here's the odd thing: when the configuration rolled back (as I had done a commit confirmed 5), we were still able to access the website. Granted, it should have never been denied, but what could have caused the traffic to not be processed on the way back in, but then be allowed by cycling a firewall filter through the config? The SRX is in a cluster.

     

    Anyone heard of this?
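    For readers who want to reproduce the troubleshooting step described in the post, here is an added example of what such a filter looks like in Junos configuration. This is not the poster's configuration; the filter name, the interface, and the website address (203.0.113.10, from the documentation range) are placeholders.

```junos
firewall {
    family inet {
        filter WEB-DEBUG {
            /* Match return traffic from the website (source IP + TCP source port 80), log it, accept it */
            term log-website {
                from {
                    source-address {
                        203.0.113.10/32;    /* placeholder: the troublesome website's IP */
                    }
                    protocol tcp;
                    source-port http;
                }
                then {
                    log;
                    accept;
                }
            }
            /* Without this term the filter's implicit discard would drop all other traffic on the interface */
            term allow-all {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {                              /* placeholder: the untrust/internet-facing interface */
        unit 0 {
            family inet {
                filter {
                    input WEB-DEBUG;
                }
            }
        }
    }
}
```

    Commit it with `commit confirmed 5` so it rolls back automatically in five minutes if it is not confirmed, then check `show firewall log` for hits on the log term and `show security flow session destination-prefix 203.0.113.10` for the session state. Note that a filter ending in `then accept` denies nothing; it is a visibility aid, not a security control, and removing the final `allow-all` term would turn it into a drop-everything-else filter.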



  • 2.  RE: Firewall filter unintentionally fixes traffic that should have already been allowed.

    Posted 04-01-2014 22:58

    I believe that the commit operation itself had changed something and not the firewall filter.

    This could have been a mere coincidence.

     

    c_r

    [Click the "Star" for Kudos if you think I earned it!
    If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit.]



  • 3.  RE: Firewall filter unintentionally fixes traffic that should have already been allowed.

    Posted 04-03-2014 13:07

    And I would have thought that as well, but we had done a previous commit on the system prior to this during the issue, in order to set up some security flow traceoptions, and there was no change. At this point everything is working again so everyone is happy, just an odd issue.



  • 4.  RE: Firewall filter unintentionally fixes traffic that should have already been allowed.
    Best Answer

    Posted 04-11-2014 07:20

    One point to note about commit. When it is issued it restarts the processes that were impacted by the changes made. Perhaps there was a problem with another process and your FF change caused that process to restart, and the resolution occurred as a result.

     

    One thing you can do when you are troubleshooting is issue the hidden command "commit full" which forces a restart of all the processes on the box.



  • 5.  RE: Firewall filter unintentionally fixes traffic that should have already been allowed.

    Posted 04-29-2014 11:07

    Sad to say it, but the issue came back for the client.  We were troubleshooting with JTAC but the client has decided to abandon the issue.