why is the device denying the traffic?

user@host> show configuration security policies from-zone engineering to-zone hr policy
new-policy { match { source-address any; destination-address server1; application
hr-data-feed; } then { permit; } } policy old-policy { match { source-address pc1;
destination-address server1; application any; } then { deny; log { session-init; } } }
user@host> show configuration security policies global user@host> show configuration
security address-book | match server1 | display set set security address-book book2
address server1 172.19.55.20/32 set security address-book book3 address server1
172.20.11.18/32 user@host> show configuration security address-book | match pc1 |
display set set security address-book book1 address pc1 172.18.21.213/32 user@host>
show configuration applications application hr-data-feed { protocol tcp; destination-port
38888; } user@host> run show log flow-traceoptions | no-more Jun 13 15:54:09 host
clear-log[2503]: logfile cleared Jun 13 15:54:10
15:54:10.611915:CID-0:RT:172.18.21.213/38362->172.19.55.20/38888;17> matched filter
filter1: Jun 13 15:54:10 15:54:10.611915:CID-0:RT:packet [40] ipid = 38364, @423e421c
Jun 13 15:54:10 15:54:10.611915:CID-0:RT:—- flow_process_pkt: (thd 3): flow_ctxt type

15, common flag 0x0, mbuf 0x423e4000, rtbl_idx = 0 Jun 13 15:54:10
15:54:10.611915:CID-0:RT: flow process pak fast ifl 70 in_ifp ge-0/0/8.0 Jun 13 15:54:10
15:54:10.611915:CID-0:RT: find flow: table 0x49175b08, hash 9077(0xffff), sa
172.18.21.213, da 172.19.55.20, sp 38362, dp 38888, proto 17, tok 10 Jun 13 15:54:10
15:54:10.611915:CID-0:RT: flow_first_create_session Jun 13 15:54:10
15:54:10.611915:CID-0:RT: flow_first_in_dst_nat: in 0/8.0>, out A> dst_adr 172.19.55.20,
sp 38362, dp 38888 Jun 13 15:54:10 15:54:10.611915:CID-0:RT: chose interface ge-0/0/8.0
as incoming nat if. Jun 13 15:54:10 15:54:10.611915:CID-0:RT:flow_first_rule_dst_xlate:
DST no-xlate: 0.0.0.0(0) to 172.19.55.20(38888) Jun 13 15:54:10
15:54:10.611915:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip
172.18.21.213, x_dst_ip 172.19.55.20, in ifp ge-0/0/8.0, out ifp N/A sp 38362, dp 38888,
ip_proto 17, tos 0 Jun 13 15:54:10 15:54:10.611915:CID-0:RT:Doing DESTINATION addr
route-lookup Jun 13 15:54:10 15:54:10.611915:CID-0:RT: routed (x_dst_ip 172.19.55.20)
from engineering (ge-0/0/8.0 in 0) to ge-0/0/10.0, Next-hop: 172.19.55.20 Jun 13 15:54:10
15:54:10.611915:CID-0:RT:flow_first_policy_search: policy search from zone engineering->
zone hr (0x0,0x95da97e8,0x97e8) Jun 13 15:54:10 15:54:10.611915:CID-0:RT: app 0,
timeout 60s, curr ageout 60s Jun 13 15:54:10 15:54:10.611915:CID-0:RT: Error : get sess
plugin info 0x4c390388 Jun 13 15:54:10 15:54:10.611915:CID-0:RT: Error : get sess plugin
info 0x4c390388 Jun 13 15:54:10 15:54:10.612416:CID-0:RT: packet dropped, denied by
policy Jun 13 15:54:10 15:54:10.612416:CID-0:RT: denied by policy old-policy(6), dropping
pkt Jun 13 15:54:10 15:54:10.612416:CID-0:RT: packet dropped, policy deny. Jun 13
15:54:10 15:54:10.612416:CID-0:RT: flow didn’t create session, code=-1. Jun 13 15:54:10
15:54:10.612416:CID-0:RT: —– flow_process_pkt rc 0x7 (fp rc -1) A user added the
new-policy policy to permit traffic. However, they report that the traffic is still not permitted
by the device. Using the information in the exhibit, why is the device denying the traffic?

user@host> show configuration security policies from-zone engineering to-zone hr policy
new-policy { match { source-address any; destination-address server1; application
hr-data-feed; } then { permit; } } policy old-policy { match { source-address pc1;
destination-address server1; application any; } then { deny; log { session-init; } } }
user@host> show configuration security policies global user@host> show configuration
security address-book | match server1 | display set set security address-book book2
address server1 172.19.55.20/32 set security address-book book3 address server1
172.20.11.18/32 user@host> show configuration security address-book | match pc1 |
display set set security address-book book1 address pc1 172.18.21.213/32 user@host>
show configuration applications application hr-data-feed { protocol tcp; destination-port
38888; } user@host> run show log flow-traceoptions | no-more Jun 13 15:54:09 host
clear-log[2503]: logfile cleared Jun 13 15:54:10
15:54:10.611915:CID-0:RT:172.18.21.213/38362->172.19.55.20/38888;17> matched filter
filter1: Jun 13 15:54:10 15:54:10.611915:CID-0:RT:packet [40] ipid = 38364, @423e421c
Jun 13 15:54:10 15:54:10.611915:CID-0:RT:—- flow_process_pkt: (thd 3): flow_ctxt type

15, common flag 0x0, mbuf 0x423e4000, rtbl_idx = 0 Jun 13 15:54:10
15:54:10.611915:CID-0:RT: flow process pak fast ifl 70 in_ifp ge-0/0/8.0 Jun 13 15:54:10
15:54:10.611915:CID-0:RT: find flow: table 0x49175b08, hash 9077(0xffff), sa
172.18.21.213, da 172.19.55.20, sp 38362, dp 38888, proto 17, tok 10 Jun 13 15:54:10
15:54:10.611915:CID-0:RT: flow_first_create_session Jun 13 15:54:10
15:54:10.611915:CID-0:RT: flow_first_in_dst_nat: in 0/8.0>, out A> dst_adr 172.19.55.20,
sp 38362, dp 38888 Jun 13 15:54:10 15:54:10.611915:CID-0:RT: chose interface ge-0/0/8.0
as incoming nat if. Jun 13 15:54:10 15:54:10.611915:CID-0:RT:flow_first_rule_dst_xlate:
DST no-xlate: 0.0.0.0(0) to 172.19.55.20(38888) Jun 13 15:54:10
15:54:10.611915:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip
172.18.21.213, x_dst_ip 172.19.55.20, in ifp ge-0/0/8.0, out ifp N/A sp 38362, dp 38888,
ip_proto 17, tos 0 Jun 13 15:54:10 15:54:10.611915:CID-0:RT:Doing DESTINATION addr
route-lookup Jun 13 15:54:10 15:54:10.611915:CID-0:RT: routed (x_dst_ip 172.19.55.20)
from engineering (ge-0/0/8.0 in 0) to ge-0/0/10.0, Next-hop: 172.19.55.20 Jun 13 15:54:10
15:54:10.611915:CID-0:RT:flow_first_policy_search: policy search from zone engineering->
zone hr (0x0,0x95da97e8,0x97e8) Jun 13 15:54:10 15:54:10.611915:CID-0:RT: app 0,
timeout 60s, curr ageout 60s Jun 13 15:54:10 15:54:10.611915:CID-0:RT: Error : get sess
plugin info 0x4c390388 Jun 13 15:54:10 15:54:10.611915:CID-0:RT: Error : get sess plugin
info 0x4c390388 Jun 13 15:54:10 15:54:10.612416:CID-0:RT: packet dropped, denied by
policy Jun 13 15:54:10 15:54:10.612416:CID-0:RT: denied by policy old-policy(6), dropping
pkt Jun 13 15:54:10 15:54:10.612416:CID-0:RT: packet dropped, policy deny. Jun 13
15:54:10 15:54:10.612416:CID-0:RT: flow didn’t create session, code=-1. Jun 13 15:54:10
15:54:10.612416:CID-0:RT: —– flow_process_pkt rc 0x7 (fp rc -1) A user added the
new-policy policy to permit traffic. However, they report that the traffic is still not permitted
by the device. Using the information in the exhibit, why is the device denying the traffic?

A.
The traffic does not match the application specified in new-policy.

B.
The traffic is being denied by the more specific old-policy prior to the device evaluating
newpolicy.

C.
The traffic is the first packet in a flow, but is not a SYN.

D.
The traffic does not match the address book entry used in new-policy.

Explanation:



Leave a Reply 0

Your email address will not be published. Required fields are marked *