Screen OS


  • 1.  NS5GT not blocking traffic

    Posted 04-28-2010 09:51

    I have a NS5GT wireless with 5.4.r3a code.

     

    I have a policy to block most of asia and a few others that we all know generate a lot of useless traffic.

     

    The problem is, my firewall is blocking nothing.  I have one IP coming through my SMTP policy that I set a policy to deny only that IP, and it is still getting by.

     

    Has anyone seen this or have suggestions to fix it?



  • 2.  RE: NS5GT not blocking traffic

    Posted 04-28-2010 14:29

    Turn on logging for your policies to see which one the traffic is even hitting.

     

    Most of the time when this happens to me I eventually find out that the traffic I am trying to block is hitting an allow rule first and getting through that way.  Take a look at the order of your policies and make sure they apply in a way that blocks what you don't want and allows what you want.



  • 3.  RE: NS5GT not blocking traffic

    Posted 04-28-2010 14:50

    Thanks for the reply, Steve.

     

    I have the block policy as the first policy from untrust to trust so that it "should" hit that, but it isn't.  It hits the SMTP MIP policy that is number 4 in the policy order.

     

    I manage about 6000 5GT's and SSG5s, and I'm a JNCIA, but this one doesn't seem to want to follow the rules for some reason.



  • 4.  RE: NS5GT not blocking traffic
    Best Answer

    Posted 04-28-2010 15:01

    Interesting issue.

     

    I found this KB 10891 that may be your answer.

     

    Summary:
    'Deny' all policy above MIP 'permit' policy does not drop the packets to the MIP address

     

    Symptoms & Errors:

    • How to block traffic to a MIP address
    • How to use policy to block the traffic which has the destination to a MIP address on the firewall
    • Configuring a policy to deny traffic to any MIP
    • Deny Policy above MIP permit policy does not prevent traffic to the MIP policy
    • Deny Policy above MIP access policy is not blocking MIP traffic
    • Normal Deny Policy, 'set policy from zone1 to zone2 source-ip dest-ip service DENY' does not take the action for traffic that has the MIP as the destination


  • 5.  RE: NS5GT not blocking traffic

    Posted 04-28-2010 15:19

    I guess maybe I wasn't patient enough, but it did start blocking after I set the MIP as the destination earlier today; it just wasn't showing in the logs.

     

    Thanks for the KB though!
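
The fix described in this thread (KB 10891 in post 4, confirmed in post 5) written out as a ScreenOS CLI fragment. This is an added illustration, not configuration posted by any participant: the addresses 198.51.100.25 (MIP on the untrust interface), 192.168.1.25 (internal mail server) and 203.0.113.0/24 (a range to be blocked) are constructed placeholders, and the policy ids and names are assumed. The point it shows is the one the thread arrives at: a deny policy that should stop traffic to a MIP names the MIP object, `MIP(198.51.100.25)`, as its destination and sits above the permit policy, with `log` on both so `get log traffic` shows which policy a flow actually matched (post 2's advice).

```text
# Constructed example: the MIP that the SMTP policy forwards to.
set interface untrust mip 198.51.100.25 host 192.168.1.25 netmask 255.255.255.255 vr trust-vr

# Constructed example: the source range the poster wants to drop.
set address "Untrust" "Blocked-Net-1" 203.0.113.0 255.255.255.0

# Deny policy FIRST, with the MIP object (not "Any") as destination and logging on.
# Per KB 10891 a deny policy that does not name the MIP as destination is not
# what matches traffic addressed to the MIP; naming MIP(...) makes it match.
set policy id 1 name "Deny-Blocked-Net-to-MIP" from "Untrust" to "Trust" "Blocked-Net-1" "MIP(198.51.100.25)" "ANY" deny log

# The existing SMTP permit policy to the MIP, also logged so hits are visible.
set policy id 4 name "Permit-SMTP-to-MIP" from "Untrust" to "Trust" "Any" "MIP(198.51.100.25)" "SMTP" permit log

# Verify order (policy 1 must list before policy 4) and check what is matching.
get policy from untrust to trust
get log traffic policy 1
get log traffic policy 4
```

If `get policy` shows the deny policy below the permit policy, `set policy move 1 before 4` (ScreenOS `set policy move <id> before <id>`) reorders it; post 3 already had the deny first, so in this thread the destination object, not the ordering, was the missing piece.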