Screen OS

i have a problem when tesing policy on SSG-520M

i setup 2 policies from trust to untrust,each contains different group of source IP addresses,with logging checked.

i was stunned by the result that all tracffic went throught 1st policy disregarded source IP,LOG for 2nd policy kept empty.

as a matter of fact,every PC is able to visit untrust zone whenever i set its GW to this 520M

i guess i must have missed something?

could anyone here give some hint?

Bit strange, because if a source is not specified in policy then device wont permit that.

Could you please double check the source subnet applied in 1st policy and see if it has a wrong subnet mask which covers  all the hosts hence they are going via 1st policy ?

pls pay attention to policy ID3,ip172.20.28.229

Could you please share the config

pls give me your email address

Thanks for sharing the config. I have verified and the issue is due to subnet mask for addresses used in policy 3.

You have used /22 which include all the IPs mentioned in policy 6 as well.

Please update the subnet mask for addresses used in policy 3 and issue should be fixed.

Regards

Sarab

------------------------------------------------------------------------------------

[If it helped please mark it as "Accepted Solution". Kudos will be appreciated too.]

i thought that IP/mask(22)  indicated one IP,but actually it was a segment.

I need to change all IP setting.

thank you.