Re: [nn] Logging 'deny all' and forcing policy to bottom

To:	Joe Loiacono <jloiacon@csc.com>
Subject:	Re: [nn] Logging 'deny all' and forcing policy to bottom
From:	dh <rugby@secureyournet.ca>
Date:	Tue, 12 Dec 2006 11:39:36 -0500
Cc:	Netscreen Mailing List <nn@qorbit.net>
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	ns-list2@consult.net
Delivered-to:	nn@qorbit.net
In-reply-to:	<OF73C916F9.353A120E-ON85257242.004E7A82-85257242.004F016D@csc.com>
List-archive:	<http://www.qorbit.net/nn>
List-help:	<mailto:nn-request@qorbit.net?subject=help>
List-id:	"Netscreen mailing list for netscreen admins." <nn.qorbit.net>
List-post:	<mailto:nn@qorbit.net>
List-subscribe:	<http://qorbit.net/mailman/listinfo/nn>, <mailto:nn-request@qorbit.net?subject=subscribe>
List-unsubscribe:	<http://qorbit.net/mailman/listinfo/nn>, <mailto:nn-request@qorbit.net?subject=unsubscribe>
References:	<OF73C916F9.353A120E-ON85257242.004E7A82-85257242.004F016D@csc.com>
Sender:	nn-bounces@qorbit.net
User-agent:	Thunderbird 1.5.0.8 (Windows/20061025)

Create a Global Zone to Global Zone Any Any Any Deny Log rule. Global rules are processed after individual zone-to-zone rules and would therefore only trigger if all other possible polices failed to match.

/dh

Joe Loiacono wrote:

The only way to log traffic that gets caught by the 'deny all' implicit rule, is to make it an explicit rule with the 'log' option. However, once you do this, you must reorder your policies every time you add a new one to force the explicit 'deny all' to the bottom of the list.

The KB says it can't be done, but I thought I had seen someone show how to force this to the bottom in an earlier list email, but I can't find it now. :-(

Anyone know how to do this?

Thanks,

Joe

Joe Loiacono/CIV/CSC@CSC
Sent by: nn-bounces@qorbit.net
12/11/2006 04:51 PM

To
"Netscreen Mailing List" <nn@qorbit.net>

cc

Subject
[nn] NS25 crashes on license upgrade

Had a NetScreen 25 crash during an upgrade of license keys from Basic to Advanced. Has this happened to anyone before? KB has nothing.

Thanks,

Joe_______________________________________________ nn mailing list nn@qorbit.net http://qorbit.net/mailman/listinfo/nn
_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn
  

_______________________________________________
nn mailing list
nn@qorbit.net
http://qorbit.net/mailman/listinfo/nn

<Prev in Thread]	Current Thread	[Next in Thread>
[nn] Can't add 101st MIP..., Binand Sethumadhavan Re: [nn] Can't add 101st MIP..., Ernest Lau [nn] NS25 crashes on license upgrade, Joe Loiacono Re: [nn] NS25 crashes on license upgrade, Jost Menke [nn] Logging 'deny all' and forcing policy to bottom, Joe Loiacono Re: [nn] Logging 'deny all' and forcing policy to bottom, dh <= Re: [nn] Logging 'deny all' and forcing policy to bottom, Joe Loiacono

Previous by Date:	[nn] creating a tunnel betwwen ns 5gt and a cisco router, damola
Next by Date:	Re: [nn] OSCP HTTP Request, fw@doehni.dyndns.org
Previous by Thread:	[nn] Logging 'deny all' and forcing policy to bottom, Joe Loiacono
Next by Thread:	Re: [nn] Logging 'deny all' and forcing policy to bottom, Joe Loiacono
Indexes:	[Date] [Thread] [Top] [All Lists]