Screen OS

I apologize if this is a boneheaded rookie mistake but I'm about at my wits end here trying to figure this out.

I've got a simple setup.

Eth0/0 - Untrust (Route)

Eth0/2 - Trust (NAT)

I have policies in trust for:

10.16.x.1

10.16.x.2

10.16.x.3 

etc.

Those IP's have custom services assigned and added to the host IP addresses.

My server:

10.16.x.100 has no policies assigned and it is able to fully connect to the internet.

My policies listing are as follows:

Machine IP policies

2

3

4

5

etc.

Then

any any any deny (log) enabled at the end with policy ID of 1

What I'm hoping to accomplish is any machine that does not have a policy explicity mapped in trust to untrust would have all traffic blocked.  

I'm just trying to figure out what is going on.

Thanks.

-Aaron

What are the network masks you have configured for the address objects in the policies? It sounds like you may have configured each one with a 24-bit mask (i.e. 10.16.x.1/24, 10.16.x.2/24, etc). These should be 32-bit masks (e.g. 10.16.x.1/32) for individual hosts.

Spud I could buy you a beer.  That was it.  10.16.x.x/32 with the policy deny-deny-all at the end worked.  Brain fart on my part as I was configuring all of the equipment with the /24.  Thanks again! 🙂