Hi,
I have two networks that seem not to apply Layer 3 firewall rules as expected.
The rule below should allow internet browsing for IP 192.168.4.253, but all traffic is denied.
On another network I configured the rule below to block all ICMP traffic for testing purposes, but I can still ping out of the network. It shows that traffic is hitting the deny rule, but the pings still go through.
Regarding the first ruleset.
Regarding your second problem: are you sure the PC you're testing from is using that MX to go towards the internet? Are there any group policies that are overriding the rule and giving it access?
Thank you,
Sorted out the first one thank you.
I've double-checked and there is no special group policy applying to the PC. All clients on the network can ping out even though the rule is specified.
Good to hear.
For the second problem. I tested out with the same rule and it works fine here:
Is it possible there's a rule higher up that allows the pings? The first applicable rule will take the decision.
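The first-match behaviour described in the reply above, as an added example that is not part of the original thread or of any Meraki code: a small evaluator for an outbound Layer 3 rule table that returns the first rule a packet hits, plus a check for rules that can never be reached because an earlier, broader rule already covers them. The rule and packet formats, the sample rule table (built to mirror the thread: a broad allow placed above an ICMP deny) and the assumption that an unmatched packet falls through to a default allow rule at the bottom of the table are all constructed for this example.

```python
"""First-match evaluation of a Layer 3 firewall rule table (added example).

Rule fields follow the usual policy / protocol / src / dst / dst-port shape.
The default policy for packets that match no rule is passed in explicitly;
the sample below assumes the MX-style "allow any" default at the bottom.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    policy: str           # "allow" or "deny"
    protocol: str         # "any", "tcp", "udp" or "icmp"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dst_ports: str = "any"  # "any", "80", "80,443" or "1000-2000"
    comment: str = ""


@dataclass
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None   # None for protocols without ports (ICMP)


def _net(spec: str) -> Optional[ipaddress._BaseNetwork]:
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _ports(spec: str) -> Optional[Set[int]]:
    """Expand 'any' / '80' / '80,443' / '1000-2000' into a set (None = any port)."""
    if spec == "any":
        return None
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), (int(hi) if hi else int(lo)) + 1))
    return out


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    for spec, ip in ((rule.src, pkt.src_ip), (rule.dst, pkt.dst_ip)):
        net = _net(spec)
        if net is not None and ipaddress.ip_address(ip) not in net:
            return False
    ports = _ports(rule.dst_ports)
    if ports is not None and (pkt.dst_port is None or pkt.dst_port not in ports):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet,
             default_policy: str = "allow") -> Tuple[Optional[int], str]:
    """Return (index of the first matching rule or None, resulting policy).

    Rules are tried top to bottom; the first one that matches decides, and
    later rules are never consulted for that packet.
    """
    for i, r in enumerate(rules):
        if rule_matches(r, pkt):
            return i, r.policy
    return None, default_policy


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches rule b also matches rule a."""
    if a.protocol != "any" and a.protocol != b.protocol:
        return False
    for sa, sb in ((a.src, b.src), (a.dst, b.dst)):
        na, nb = _net(sa), _net(sb)
        if na is None:            # "any" covers everything
            continue
        if nb is None or not nb.subnet_of(na):
            return False
    pa, pb = _ports(a.dst_ports), _ports(b.dst_ports)
    return pa is None or (pb is not None and pb <= pa)


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never be hit because an earlier rule covers them."""
    return [j for j in range(len(rules))
            if any(_covers(rules[i], rules[j]) for i in range(j))]


# Constructed sample table: a broad allow sits above the ICMP deny from the thread.
SAMPLE_RULES = [
    Rule("allow", "any", "any", "any", "any", "allow internet browsing"),
    Rule("deny", "icmp", "any", "any", "any", "block ping (test)"),
]
# Same two rules with the deny moved to the top.
REORDERED_RULES = [SAMPLE_RULES[1], SAMPLE_RULES[0]]
# Constructed ping from a LAN client to a public address.
PING = Packet("icmp", "192.168.4.253", "8.8.8.8")

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, PING))      # (0, 'allow'): the deny is never reached
    print(shadowed_rules(SAMPLE_RULES))      # [1]
    print(evaluate(REORDERED_RULES, PING))   # (0, 'deny')
```

Running `shadowed_rules` over a table before testing a new rule is the quickest way to answer the "is there a rule higher up that allows it" question without staring at the rule list; the reordered table shows that the same deny takes effect once nothing above it covers ICMP.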
Moved the rule to the top and it is still allowing traffic.
Can you check with traceroute whether the MX is actually in the path a packet takes?
Can you also remove the IP addresses in the "Allow Remote IPs" column for the "ICMP ping" service? I think those may be interfering, as I believe the MX expects the addresses listed here to not be present on its LAN subnets.
One of the first things I checked. Can confirm that it's routing via the MX.
Removed the IPs from "Allow Remote IPs" and it is still allowing the ping to go through.
Tbh, then I don't know what's going on. It seems to me that they shouldn't be going through. As a last resort I'd probably try a packet capture on the WAN port of the MX to confirm that I actually see those pings going out, to make sure we're not overlooking something. VPN software on the laptop may be causing the traffic to be encapsulated.