Yes, and thanks for the link; this is helping my transition to the CLI, which I need to do anyway 🙂
****** 09252.0: <Trust/ethernet0/2> packet received [84]******
ipid = 45271(b0d7), @2d5b7910
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/2:10.1.10.3/5->1.2.3.4/24867,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/2>, out <N/A>
chose interface ethernet0/2 as incoming nat if.
flow_first_routing: in <ethernet0/2>, out <N/A>
search route to (ethernet0/2, 10.1.10.3->1.2.3.4) in vr trust-vr for vsd-0/flag-0/ifp-null
PBR lookup params: dst-ip: 1.2.3.4, src-ip: 10.1.10.3, dst-port: 24867, src-port: 5, protocol: 1, dscp: 0
PBR: no route to (1.2.3.4) in vr trust-vr
[ Dest] 1.route 1.2.3.4->1.2.3.4, to ethernet0/0
routed (x_dst_ip 1.2.3.4) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
policy search from zone 2-> zone 2
policy_flow_search policy search nat_crt from zone 2-> zone 2
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 1.2.3.4, port 9404, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
Searching global policy.
swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
Permitted by policy 320002
No src xlate choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/2>, out <ethernet0/0>
existing vector list 1-8b5fdc4.
Session (id:128041) created for first pak 1
flow_first_install_session======>
route to 1.2.3.4
arp entry found for 1.2.3.4
ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
outgoing wing prepared, ready
handle cleartext reverse route
search route to (ethernet0/0, 1.2.3.4->10.1.10.3) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2
[ Dest] 5.route 10.1.10.3->10.1.10.3, to ethernet0/2
route to 10.1.10.3
arp entry found for 10.1.10.3
ifp2 ethernet0/2, out_ifp ethernet0/2, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 128041
flow_main_body_vector in ifp ethernet0/2 out ifp ethernet0/0
flow vector index 0x1, vector addr 0x19878f0, orig vector 0x19878f0
post addr xlation: 10.1.10.3->1.2.3.4.
So why does the section below not find my policy, which allows ANY/ANY from Trust -> Untrust on the SSG520 (or am I reading it wrong)?
search route to (ethernet0/2, 10.1.10.3->1.2.3.4) in vr trust-vr for vsd-0/flag-0/ifp-null
PBR lookup params: dst-ip: 1.2.3.4, src-ip: 10.1.10.3, dst-port: 24867, src-port: 5, protocol: 1, dscp: 0
PBR: no route to (1.2.3.4) in vr trust-vr
[ Dest] 1.route 1.2.3.4->1.2.3.4, to ethernet0/0
routed (x_dst_ip 1.2.3.4) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
policy search from zone 2-> zone 2
policy_flow_search policy search nat_crt from zone 2-> zone 2
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 1.2.3.4, port 9404, proto 1)
No SW RPC rule match, search HW rule
...
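As an added illustration (not part of the post above and not ScreenOS code), here is a small Python parser for the `debug flow basic` trace quoted in the post. It pulls out the decisions logged for the first packet (ingress zone and interface, route result, the zone pair used for the policy lookup, verdict and session id) and flags when both zones in the lookup are the same; the sample input is a constructed excerpt of that trace, so the interface names, zone numbers and policy id are the post's own values.

```python
import re

# Constructed excerpt of the 'debug flow basic' trace from the post above:
# only the lines this parser looks at, kept verbatim.
TRACE = """\
****** 09252.0: <Trust/ethernet0/2> packet received [84]******
ethernet0/2:10.1.10.3/5->1.2.3.4/24867,1(8/0)<Root>
no session found
routed (x_dst_ip 1.2.3.4) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
policy search from zone 2-> zone 2
Permitted by policy 320002
Session (id:128041) created for first pak 1
"""

# One pattern per decision line; group names become keys in the result.
PATTERNS = {
    "ingress": re.compile(r"<(?P<zone>\w+)/(?P<ifp>[\w/]+)> packet received"),
    "tuple": re.compile(r"^(?P<ifp>[\w/]+):(?P<src>[\d.]+)/(?P<sport>\d+)->"
                        r"(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)"),
    "route": re.compile(r"^routed .* from (?P<in_ifp>[\w/]+) .* to (?P<out_ifp>[\w/]+)"),
    "zones": re.compile(r"^policy search from zone (?P<from>\d+)-> zone (?P<to>\d+)"),
    "verdict": re.compile(r"^(?P<verdict>Permitted|Denied) by policy (?P<policy>\d+)"),
    "session": re.compile(r"^Session \(id:(?P<session>\d+)\) created"),
}

def parse_first_packet(trace):
    """Collect the decisions ScreenOS logs while setting up a new session.

    Only the first match of each pattern is kept, so a repeated lookup later
    in the trace does not overwrite the first-packet result."""
    found, seen = {}, set()
    for line in trace.splitlines():
        for name, pat in PATTERNS.items():
            if name in seen:
                continue
            m = pat.search(line)
            if m:
                seen.add(name)
                found.update(m.groupdict())
    return found

def explain_policy_lookup(trace):
    """Report which zone pair the firewall consulted and whether it was intrazone."""
    f = parse_first_packet(trace)
    f["intrazone"] = f.get("from") is not None and f.get("from") == f.get("to")
    if f["intrazone"]:
        f["note"] = (f"route lookup picked egress {f.get('out_ifp')}, which is in the same "
                     f"zone ({f.get('to')}) as ingress {f.get('in_ifp')}: intrazone lookup, "
                     f"so no policy between two different zones was consulted")
    else:
        f["note"] = f"interzone lookup zone {f.get('from')} -> zone {f.get('to')}"
    return f
```

Run on the trace above it reports the lookup as intrazone (zone 2 -> zone 2): the egress interface chosen by the route lookup is in the same zone as the ingress interface, which is why a rule written for a different zone pair does not appear in this part of the trace.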