Hi,
Can anyone help me figure out why the rule below is not working?
Below is my scenario. From host x.x.x.y I can still ping host x.x.z.z.
Have you run packet captures on the MX, on both WAN and LAN sides, to confirm what packets are ingressing/egressing the MX? Assuming the MX is in NAT mode, and not VPN/Passthrough mode in which case it's just a bump in the wire? And just for troubleshooting, instead of ANY protocol, try specifying ICMP to see if that changes the behavior and if so, open a case to investigate. Also, depending on FW version you might be able to toggle on inbound FW logging on the firewall config page.
When the rule is applied it won't affect current network flows immediately. You might just want to reboot the clients or refresh their network settings and test again.
Both hosts are connected to MX LAN ports, and the VLANs for the hosts are defined locally on the MX.
That shouldn't matter. How about adding the reverse rule too?
Reset the network settings on both hosts and tested again; the rule is still not working.
Added the reverse rule, but it is still not working.
Well, back to MerakiDave's suggestion, I guess. Look at a LAN-side packet capture and see what is happening. If it is not right, call support and show them.
Any chance there is a permit rule above this that might be allowing it?
There are no hits on your rule. Double-check for any typos in the IP addresses, and for any permit rules above the deny which might be permitting the traffic.
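To make the "no hits on the deny" symptom concrete, here is a small first-match evaluator for an ordered L3 rule list. It is an added illustration written for this thread, not the MX firewall engine or any Meraki code. The addresses are constructed placeholders from RFC 5737 (192.0.2.0/24 standing in for x.x.x.0, 198.51.100.0/24 for x.x.z.0), and it assumes the list ends in an implicit allow-any, which is why a shadowed or wrongly-directed deny shows up as traffic still passing.

```python
"""Toy first-match evaluator for an ordered L3 rule list.

Illustration only (not the MX firewall engine).  Addresses are constructed
placeholders from RFC 5737 standing in for the thread's x.x.x.0 and x.x.z.0
subnets.  An implicit allow-any at the bottom of the list is assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    policy: str        # "allow" or "deny"
    protocol: str      # "any", "icmp", "tcp", "udp"
    src: str           # CIDR, single IP, or "any"
    dst: str           # CIDR, single IP, or "any"
    comment: str = ""


# Assumption for this model: nothing matched -> default allow.
IMPLICIT_DEFAULT = Rule("allow", "any", "any", "any", "implicit default allow (assumed)")


def _matches_addr(spec: str, ip: str) -> bool:
    """True if ip falls inside spec ("any", a CIDR, or a single address)."""
    if spec.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def first_match(rules: List[Rule], protocol: str, src_ip: str, dst_ip: str) -> Tuple[Optional[int], Rule]:
    """Walk the list top-down and return (1-based index, rule) of the first hit.

    Index None means no explicit rule matched and the implicit default applied.
    """
    for idx, rule in enumerate(rules, start=1):
        if rule.protocol != "any" and rule.protocol != protocol:
            continue
        if _matches_addr(rule.src, src_ip) and _matches_addr(rule.dst, dst_ip):
            return idx, rule
    return None, IMPLICIT_DEFAULT


def verdict(rules: List[Rule], protocol: str, src_ip: str, dst_ip: str) -> str:
    """Just the policy ("allow"/"deny") that the first matching rule yields."""
    return first_match(rules, protocol, src_ip, dst_ip)[1].policy


def shadowing_rule(rules: List[Rule], protocol: str, src_ip: str, dst_ip: str) -> Optional[int]:
    """If the flow hits a permit and a deny further down would also match it,
    return the permit's index (the rule stealing the deny's hits); else None."""
    hit_idx, hit = first_match(rules, protocol, src_ip, dst_ip)
    if hit_idx is None or hit.policy != "allow":
        return None
    for rule in rules[hit_idx:]:
        if (rule.policy == "deny"
                and rule.protocol in ("any", protocol)
                and _matches_addr(rule.src, src_ip)
                and _matches_addr(rule.dst, dst_ip)):
            return hit_idx
    return None


# Constructed scenario: host A (x.x.x.y) pings host B (x.x.z.z).
HOST_A = "192.0.2.10"
HOST_B = "198.51.100.20"

# A deny placed *below* a broad permit for the same source subnet never gets a hit.
SHADOWED = [
    Rule("allow", "any", "192.0.2.0/24", "any", "permit LAN out (too broad)"),
    Rule("deny", "any", HOST_A, HOST_B, "block A -> B"),
]

# The same two rules with the deny moved above the permit.
REORDERED = [SHADOWED[1], SHADOWED[0]]

# A deny written with source and destination swapped does not match the
# forward direction of a ping from A to B, so the implicit default applies.
REVERSED = [Rule("deny", "icmp", HOST_B, HOST_A, "wrong direction")]


if __name__ == "__main__":
    for name, rules in (("shadowed", SHADOWED), ("reordered", REORDERED), ("reversed", REVERSED)):
        idx, rule = first_match(rules, "icmp", HOST_A, HOST_B)
        print(f"{name:9s} ping A->B: {rule.policy:5s} via rule {idx} ({rule.comment})")
```

Running it prints one line per list: the shadowed list allows the ping via rule 1 and the deny at rule 2 is never consulted, the reordered list denies it at rule 1, and the reversed list allows it because no explicit rule matched. A deny that shows zero hits in the dashboard is behaving exactly like rule 2 in the shadowed list.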
Agreed that x.x.z.z should be source and the other as destination. Also make sure the computers you are testing from are not whitelisted. Lastly see if you can test something other than ping if it has any other services. And for testing's sake try setting the Deny Any to Deny ICMP. For some reason, I seem to remember that 'Any' possibly doesn't include ICMP but I could be remembering that incorrectly.
I also tried Deny ICMP, but it's still not working. What works for me is creating a group policy, defining the L3 rules in the group policy, and then applying the group policy to the x.x.z.0 subnet. The rules I define in the group policy are the same rules I define in the firewall configuration, but in the firewall configuration those rules are not working.