Problem description
The current policy configuration is as follows:
policy interzone trust untrust outbound
policy 1
action permit
policy service service-set icmp
policy service service-set http
policy source address-set "172.21.15.0/24"
policy 2
action permit
policy service service-set http
policy service service-set https
policy service service-set smtp
policy source address-set "172.21.4.0/24"
policy 50
action deny
The customer controls services when traffic flows from the trust zone to the untrust zone. Now the customer adds a new service-control policy for a new subnet. The configuration is shown below:
policy 3
action permit
policy service service-set http
policy service service-set https
policy service service-set smtp
policy source address-set "172.21.16.0/24"
The customer finds that the configured policy does not match their requirement: there is no service control on this new subnet. I find that the configuration is not what was expected:
policy interzone trust untrust outbound
policy 1
action permit
policy service service-set icmp
policy service service-set http
policy source address-set "172.21.15.0/24"
policy 2
action permit
policy service service-set http
policy service service-set https
policy service service-set smtp
policy source address-set "172.21.4.0/24"
policy 50
action deny
policy 3
action permit
policy service service-set http
policy service service-set https
policy service service-set smtp
policy source address-set "172.21.16.0/24"
Troubleshooting process:
Policy 50 sits before policy 3. After checking the product documentation, it was found that a policy's priority is not related to its ID: policies are matched in the order in which they are listed, so traffic from 172.21.16.0/24 hits the unconditional deny in policy 50 before policy 3 is ever evaluated.
Solution:
Use the command "policy move 3 before 50" to fix the problem. The final configuration is:
policy interzone trust untrust outbound
policy 1
action permit
policy service service-set icmp
policy service service-set http
policy source address-set "172.21.15.0/24"
policy 2
action permit
policy service service-set http
policy service service-set https
policy service service-set smtp
policy source address-set "172.21.4.0/24"
policy 3
action permit
policy service service-set http
policy service service-set https
policy service service-set smtp
policy source address-set "172.21.16.0/24"
policy 50
action deny
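To check the effect of policy order before and after the move, here is an added Python model of first-match evaluation over the page's policy list (not code from the page or from the firewall vendor). It assumes policies are matched top-down in the order shown, that policy 50, having no address-set or service-set, matches any traffic, and that a flow matching no policy returns None (the interzone default is not stated on the page).

```python
import ipaddress

# Policy list as displayed BEFORE "policy move 3 before 50" (order = match order).
# services/source None = no condition configured, i.e. matches anything.
POLICIES_BEFORE_MOVE = [
    {"id": 1, "action": "permit", "services": {"icmp", "http"}, "source": "172.21.15.0/24"},
    {"id": 2, "action": "permit", "services": {"http", "https", "smtp"}, "source": "172.21.4.0/24"},
    {"id": 50, "action": "deny", "services": None, "source": None},
    {"id": 3, "action": "permit", "services": {"http", "https", "smtp"}, "source": "172.21.16.0/24"},
]


def matches(policy, src_ip, service):
    """True if the flow satisfies every condition the policy has configured."""
    if policy["source"] is not None:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(policy["source"]):
            return False
    if policy["services"] is not None and service not in policy["services"]:
        return False
    return True


def evaluate(policies, src_ip, service):
    """Return (action, policy id) of the first matching policy, or None (assumed default)."""
    for p in policies:
        if matches(p, src_ip, service):
            return p["action"], p["id"]
    return None


def move_before(policies, policy_id, before_id):
    """Re-order the list the way 'policy move <id> before <before_id>' does."""
    moved = next(p for p in policies if p["id"] == policy_id)
    rest = [p for p in policies if p["id"] != policy_id]
    idx = next(i for i, p in enumerate(rest) if p["id"] == before_id)
    return rest[:idx] + [moved] + rest[idx:]


def audit(policies, flows):
    """Map each (src_ip, service) flow to the policy that decides it."""
    return {flow: evaluate(policies, flow[0], flow[1]) for flow in flows}


if __name__ == "__main__":
    # Constructed sample flows from the new subnet and from an existing one.
    flows = [("172.21.16.10", "http"), ("172.21.16.10", "ssh"), ("172.21.4.10", "smtp")]
    print("before move:", audit(POLICIES_BEFORE_MOVE, flows))
    print("after move: ", audit(move_before(POLICIES_BEFORE_MOVE, 3, 50), flows))
```

The run shows the new subnet's HTTP being denied by policy 50 before the move and permitted by policy 3 after it, while SSH from the same subnet still falls through to the deny, which is the service control the customer wanted.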