New policies log as "Internal Policy"

I'm not sure what I'm doing wrong here...

I created a new policy in Policy Manager to direct traffic sent to an external address to an internal address using SNAT (which I have done many times before).

It's from 'Any' to SNAT (xxx.xxx.xxx.xxx --> yyy.yyy.yyy.yyy) using a custom policy that allows ports 80 and 443. Geolocation is enabled, logging is enabled, and nothing changed in the Advanced tab (Always On, No TM limits, 1-1 NAT and using Dynamic NAT settings). We have many other policies that have been around for a long time just like this.

When first enabled, traffic to xxx.xxx.xxx.xxx would just go to the Firebox login screen where we would log in to download VPN software. I had it grouped with some other similar policies at that point that work. So I moved it to the top of the policy list, then it started forwarding traffic properly.

However, in the logs it's listed as "Internal Policy", not by its Policy Name like all other policies. And, on the Web UI Front Panel Dashboard under Top Policies, the rate is shown but the Name is blank.

This is the first time creating a policy since the upgrade from 12.5.4 to 12.6.2. I'm not sure if something there is causing it, but I don't think I'm doing anything different than I have done in the past. Anyone with any ideas of what I might be doing wrong?

Thanks!

Firebox version: 12.6.2.B628197
WSM version: 12.6.2.B628197

Comments

  • Please post the full log message showing Internal Policy

  • Also, it could be a display bug in V12.6.2.

  • The new policies look like this. This one in particular is for "cdn.domain.com":

    2020-09-11 08:55:41 Allow 50.204.33.171 207.108.72.173 https/tcp 15186 443 CenturyLink-WAN DMZ-10Gb Allowed 60 54 (Internal Policy) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="internalIP1" tcp_info="offset 10 S 2135232333 win 4210" Traffic

    ...where a similar (old) policy looks like...

    2020-09-11 09:01:55 Allow 71.8.151.151 207.108.72.156 https/tcp 37492 443 CenturyLink-WAN DMZ-10Gb Allowed 64 51 (titlecdns.domain.com.in-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="internalIP2" tcp_info="offset 11 S 3565491853 win 65535" Traffic

    Thanks!

  • I just set up an SNAT test from External to an internal IP addr, and mine does show the policy name in the allow log entry.
    I used Policy Manager V12.6.2 Update 1 for my T20 running 12.6.2.

    2020-09-11 14:42:22 Allow 174.253.160.117 174.48.xxx.xxx http/tcp 14155 80 External Trust-VLAN Allowed 64 49 (HTTP-snat-test-00) proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="10.0.1.2" tcp_info="offset 11 S 595980986 win 65535" geo_src="USA" geo_dst="USA" Traffic

    Consider opening a support incident on this.

  • Weird...I rebooted the Firebox over the weekend and now those two new policies seem to be working as expected.

  • Well, I have seen very odd results if the Firebox has memory issues, or just after an upgrade, where policies did not work as expected before a reboot was done.
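The thread turns on one detail in the traffic log: the name in parentheses after the packet-length and TTL columns. A quick way to catch the same symptom on a larger log export is to parse the Firebox traffic lines and flag every entry whose policy name is "Internal Policy" instead of a configured policy name. The following is an added example written for this page, not WatchGuard code; the sample lines are the three log entries quoted in the comments above, and the reading of the two numeric columns before the policy name as packet length and TTL is an assumption about the format, not something the thread states.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Log lines quoted in the thread above (two from the original poster, one from
# the T20 test). Everything after "(policy)" is key="value" data plus a trailing
# log type word ("Traffic").
SAMPLE_LINES = [
    '2020-09-11 08:55:41 Allow 50.204.33.171 207.108.72.173 https/tcp 15186 443 '
    'CenturyLink-WAN DMZ-10Gb Allowed 60 54 (Internal Policy) proc_id="firewall" '
    'rc="100" msg_id="3000-0148" dst_ip_nat="internalIP1" '
    'tcp_info="offset 10 S 2135232333 win 4210" Traffic',
    '2020-09-11 09:01:55 Allow 71.8.151.151 207.108.72.156 https/tcp 37492 443 '
    'CenturyLink-WAN DMZ-10Gb Allowed 64 51 (titlecdns.domain.com.in-00) '
    'proc_id="firewall" rc="100" msg_id="3000-0148" dst_ip_nat="internalIP2" '
    'tcp_info="offset 11 S 3565491853 win 65535" Traffic',
    '2020-09-11 14:42:22 Allow 174.253.160.117 174.48.xxx.xxx http/tcp 14155 80 '
    'External Trust-VLAN Allowed 64 49 (HTTP-snat-test-00) proc_id="firewall" '
    'rc="100" msg_id="3000-0148" dst_ip_nat="10.0.1.2" '
    'tcp_info="offset 11 S 595980986 win 65535" geo_src="USA" geo_dst="USA" Traffic',
]

# Head of a Firebox traffic line. Naming the two integers before the policy
# "pkt_len" and "ttl" is my assumption about the column meaning.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<service>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<src_ifc>\S+) (?P<dst_ifc>\S+) "
    r"(?P<disposition>\S+) (?P<pkt_len>\d+) (?P<ttl>\d+) "
    r"\((?P<policy>[^)]*)\) (?P<rest>.*)$"
)
# key="value" pairs; values may contain spaces (see tcp_info).
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Placeholder the Firebox writes when no configured policy name is attached.
UNNAMED_POLICY = "Internal Policy"


def parse_traffic_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one traffic log line into a dict, or None if it is not a traffic line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry: Dict[str, object] = m.groupdict()
    rest = str(entry.pop("rest"))
    entry["kv"] = dict(KV_RE.findall(rest))
    # The last bare token after the key="value" pairs is the log type.
    entry["log_type"] = rest.rsplit(" ", 1)[-1]
    for field in ("sport", "dport", "pkt_len", "ttl"):
        entry[field] = int(str(entry[field]))
    return entry


def find_unnamed_policy_entries(lines: List[str]) -> List[Dict[str, object]]:
    """Return parsed entries whose policy column is the 'Internal Policy' placeholder."""
    flagged = []
    for line in lines:
        entry = parse_traffic_line(line)
        if entry and entry["policy"] == UNNAMED_POLICY:
            flagged.append(entry)
    return flagged


def unnamed_policy_targets(lines: List[str]) -> Counter:
    """Count unnamed-policy hits per (destination, NAT target) so the admin can
    map them back to the SNAT rules that need checking."""
    return Counter(
        (str(e["dst"]), str(e["kv"].get("dst_ip_nat", "")))
        for e in find_unnamed_policy_entries(lines)
    )


if __name__ == "__main__":
    for e in find_unnamed_policy_entries(SAMPLE_LINES):
        print(e["ts"], e["src"], "->", e["dst"], "nat", e["kv"].get("dst_ip_nat"))
    print(unnamed_policy_targets(SAMPLE_LINES))
```

Running this over a syslog export after an upgrade gives a per-destination count of hits that were allowed without a named policy, which is the evidence you would attach to a support incident, and the same check run again after a reboot shows whether the count drops to zero as it did for the original poster.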
