This is on an MX84 running 15.44.
I have an issue related to permitting traffic through the MX based on the L3 rule dst being defined as a domain name.
The client points to the MX for its DNS.
This works perfectly:
L3 rule> Allow ICMPv4 src:Any dst:google.com
A ping google.com from the client works, proving that DNS snooping is working and the traffic is matching the name in the rule dst.
I have another example of using a domain name as the dst which DOES NOT work:
Allow TCP src:<client IP addr> dst:<domainname> dst_port:22
We then have a scheduled job which executes this command file:
C:\winscp\winscp.com /script=c:\winscp\scripts\getrecipe.txt /log="c:\winscp\scripts\getrecipe.log" /loglevel=0 /logsize=2*10K
Exit
The getrecipe.txt file contains the following command:
OPEN SFTP://<username>:<password>@<domainname.com> -hostkey="ssh-rsa 1024 MKA*********************WelyJtFd **********"
This fails with an error: unable to open <domainname.com>.
It resolves the name OK in DNS, as we see it in the client's ipconfig /displaydns; for some reason the SFTP traffic is not matching the rule that permits it out.
If I put the public IP address of <domainname.com> in the dst then it works, proving the MX is not matching the name it looked up.
So why does the PING L3 rule match using the dst domainname but the SFTP does not?
Any ideas anyone, as it's driving me mad 🙂
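As the post says, an FQDN rule on the MX can only match addresses the MX has itself seen resolved for that name; the client's own resolver cache is the other half of that comparison. The following is an added troubleshooting helper, not part of the original post or of any Meraki or WinSCP tooling: it parses `ipconfig /displaydns` output, follows any CNAME chain for the SFTP host name, collects every A record the client ended up with, and reports addresses that a (here hypothetical) list of firewall-snooped addresses does not contain. The host names, IP addresses and the snooped list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `ipconfig /displaydns` output; the names and
# addresses are made up for this example, not taken from the poster's host.
SAMPLE_DISPLAYDNS = """
Windows IP Configuration

    sftp.example.com
    ----------------------------------------
    Record Name . . . . . : sftp.example.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 299
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : files.hosting.example


    Record Name . . . . . : files.hosting.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 299
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.10


    Record Name . . . . . : files.hosting.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 299
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.11
"""

# Hypothetical set of addresses the firewall is assumed to have snooped for
# the name (constructed; in practice taken from the MX event log).
SNOOPED_BY_FIREWALL = {"203.0.113.10"}

# Only the three fields needed to rebuild the resolution path are parsed.
_FIELD = re.compile(
    r"^\s*(Record Name|A \(Host\) Record|CNAME Record)[ .]*:\s*(\S+)\s*$"
)


def parse_displaydns(text):
    """Return {owner name: [(rtype, value), ...]} for A and CNAME records."""
    records = defaultdict(list)
    owner = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        field, value = m.group(1), m.group(2).rstrip(".").lower()
        if field == "Record Name":
            owner = value            # a new record block starts here
        elif owner is not None:
            rtype = "A" if field.startswith("A ") else "CNAME"
            records[owner].append((rtype, value))
    return dict(records)


def resolve_from_cache(records, name, max_hops=8):
    """Follow CNAMEs through the cached records; return (chain, IPv4 set)."""
    current = name.lower()
    chain, addrs = [current], set()
    for _ in range(max_hops):        # bounded so a CNAME loop cannot hang us
        entries = records.get(current, [])
        addrs.update(v for t, v in entries if t == "A")
        cnames = [v for t, v in entries if t == "CNAME"]
        if not cnames:
            break
        current = cnames[0]
        chain.append(current)
    return chain, addrs


def unmatched_addresses(records, name, snooped):
    """Addresses the client resolved that the firewall's snooped set lacks."""
    _, addrs = resolve_from_cache(records, name)
    return addrs - set(snooped)


if __name__ == "__main__":
    cache = parse_displaydns(SAMPLE_DISPLAYDNS)
    chain, addrs = resolve_from_cache(cache, "sftp.example.com")
    print("resolution chain:", " -> ".join(chain))
    print("client addresses:", sorted(addrs))
    print("not seen by firewall:", sorted(
        unmatched_addresses(cache, "sftp.example.com", SNOOPED_BY_FIREWALL)))
```

Run it on the real cache by piping `ipconfig /displaydns` into a file and passing that text to `parse_displaydns`; any address in the "not seen by firewall" set is a candidate for why a name-based rule misses while an IP-based rule hits.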