
ZBF zone based firewall on ASR 1000

a.ascione
Level 1

Hi

Group, any idea how this could happen in a zone-based firewall:

 sh policy-map type inspect zone-pair sessions

Zone-pair: Guest->Internet
Service-policy inspect : Guest_to_Internet

Class-map: Guest_Protocols (match-any)
Match: protocol http
Match: protocol https
Match: protocol dns
Match: protocol bootpc
Match: protocol bootps
Match: access-group name permitany
Pass
0 packets, 0 bytes

Class-map: class-default (match-any)
Match: any
Pass
2242890 packets, 1858326904 bytes

As you can see I get no matches on the first part of my policy map (Class-map: Guest_Protocols) although the users in the "Guest" zone are able to surf...

Any ideas how I could troubleshoot this?

Thanks in advance for your suggestions.
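
A check for the symptom described in the question above, as an added example that is not part of the original post or any Cisco tooling: it parses output in the layout quoted above and flags named classes with zero hits while class-default passes traffic. The function names are hypothetical, and the parser assumes only the line layout shown in this thread.

```python
import re

# Sample input: the output quoted in the question, abridged to two Match lines.
SAMPLE = """\
Zone-pair: Guest->Internet
Service-policy inspect : Guest_to_Internet
Class-map: Guest_Protocols (match-any)
Match: protocol http
Match: access-group name permitany
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Pass
2242890 packets, 1858326904 bytes
"""

ACTIONS = {"pass", "inspect", "drop"}
COUNTERS = re.compile(r"(\d+) packets, (\d+) bytes")

def parse_classes(text):
    """Return one dict per Class-map: zone_pair, name, action, packets, bytes."""
    classes, zone_pair, cur = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Zone-pair:"):
            zone_pair = line.split(":", 1)[1].strip()
        elif line.startswith("Class-map:"):
            name = line.split(":", 1)[1].split("(")[0].strip()
            cur = {"zone_pair": zone_pair, "name": name,
                   "action": None, "packets": None, "bytes": None}
            classes.append(cur)
        elif cur is not None and line.lower() in ACTIONS:
            cur["action"] = line.lower()
        elif cur is not None and (m := COUNTERS.fullmatch(line)):
            cur["packets"], cur["bytes"] = int(m[1]), int(m[2])
    return classes

def audit(classes):
    """Flag named classes with no hits and a class-default that passes traffic."""
    notes = []
    for c in classes:
        if c["name"] != "class-default" and c["packets"] == 0:
            notes.append(f"{c['zone_pair']}: {c['name']} has 0 hits")
        elif c["name"] == "class-default" and c["action"] == "pass" and c["packets"]:
            notes.append(f"{c['zone_pair']}: class-default passes "
                         f"{c['packets']} packets uninspected")
    return notes

if __name__ == "__main__":
    print("\n".join(audit(parse_classes(SAMPLE))))
```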

 
1 Accepted Solution

a.ascione
Level 1

The problem was solved with a reboot of the router

 


5 Replies

Can you get the output of the following:

show policy-firewall session platform tcp destination-port 80 detail

show policy-firewall config platform

Hi Mohammed,

thank you for your quick reply.

It seems that the show policy-firewall sessions platform remains empty.

So the command that you are asking for is obviously also empty.

But that is probably because the packets are not matching on inspect rules.

 

The second command gives a very long output; I'm adding it in attachment.

thx

 

 

 

I don't see any attachment

Sorry, it is OK now; I have added it to the original message.

regards

 

 
