| To: | Netscreen Mailing List <nn@qorbit.net>, <binand@gmail.com> |
|---|---|
| Subject: | Re: [nn] Logging 'deny all' and forcing policy to bottom |
| From: | Joe Loiacono <jloiacon@csc.com> |
| Date: | Wed, 13 Dec 2006 07:31:53 -0500 |
| Delivered-to: | sp-com-lists@consult.net |
| Delivered-to: | ns-list2@consult.net |
| Delivered-to: | nn@qorbit.net |
| In-reply-to: | <457EDB48.5050601@secureyournet.ca> |
| List-archive: | <http://www.qorbit.net/nn> |
| List-help: | <mailto:nn-request@qorbit.net?subject=help> |
| List-id: | "Netscreen mailing list for netscreen admins." <nn.qorbit.net> |
| List-post: | <mailto:nn@qorbit.net> |
| List-subscribe: | <http://qorbit.net/mailman/listinfo/nn>, <mailto:nn-request@qorbit.net?subject=subscribe> |
| List-unsubscribe: | <http://qorbit.net/mailman/listinfo/nn>, <mailto:nn-request@qorbit.net?subject=unsubscribe> |
| Sender: | nn-bounces@qorbit.net |
|
Thanks guys,

For clarification and for others: I got thrown off when I did a 'get config' and it showed my 'global global deny all' statement as policy number 78, but I had a bunch of policies with higher numbers, and I worried that these were being blocked. However, when I issue a 'get policy' the 'global deny' does not show up (it does when I issue a 'get policy global'). So - I take this to mean it is working properly.

Thanks,

Joe

dh <rugby@secureyournet.ca> wrote on 12/12/2006 11:39:36 AM:

> Create a Global Zone to Global Zone Any Any Any Deny Log rule.
> Global rules are processed after individual zone-to-zone rules and
> would therefore only trigger if all other possible policies failed to match.
>
> /dh
>
> Joe Loiacono wrote:
> > The only way to log traffic that gets caught by the 'deny all'
> > implicit rule is to make it an explicit rule with the 'log' option.
> > However, once you do this, you must reorder your policies every time
> > you add a new one to force the explicit 'deny all' to the bottom of the list.
> >
> > The KB says it can't be done, but I thought I had seen someone show
> > how to force this to the bottom in an earlier list email, but I
> > can't find it now. :-(
> >
> > Anyone know how to do this?
> >
> > Thanks,
> >
> > Joe
> >
> > Joe Loiacono/CIV/CSC@CSC
> > Sent by: nn-bounces@qorbit.net
> > 12/11/2006 04:51 PM
> >
> > To: "Netscreen Mailing List" <nn@qorbit.net>
> > cc:
> > Subject: [nn] NS25 crashes on license upgrade
> >
> > Had a NetScreen 25 crash during an upgrade of license keys from
> > Basic to Advanced. Has this happened to anyone before? KB has nothing.
> >
> > Thanks,
> >
> > Joe
> >
> > _______________________________________________
> > nn mailing list
> > nn@qorbit.net
> > http://qorbit.net/mailman/listinfo/nn
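The point settled in this thread is an evaluation-order one: zone-to-zone policies are checked first, global policies only afterwards, and the implicit deny last and without a log entry, so an explicit Global-to-Global deny with logging never needs to be re-ordered and its policy ID is irrelevant. The following is an added model of that lookup order written for this archive page, not ScreenOS code and not something posted in the thread. The `Policy` class, the `lookup` function, the zone names and the sample rule set (including the ID 78 global deny and a later rule with ID 101) are all constructed here for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of ScreenOS-style policy lookup (an assumption for
# illustration, not vendor code): zone-to-zone policies are checked in
# list order, then global policies in list order, then the implicit deny.
# Policy IDs are labels only; position within each class decides.


@dataclass
class Policy:
    pid: int            # ID as shown by 'get config' / 'get policy'
    src_zone: str       # "global" marks a Global-to-Global policy
    dst_zone: str
    src: str            # address name or "any"
    dst: str
    svc: str            # service name or "any"
    action: str         # "permit" or "deny"
    log: bool = False   # whether a match writes a traffic log entry


def _match(value: str, pattern: str) -> bool:
    return pattern.lower() == "any" or value.lower() == pattern.lower()


def _policy_matches(p: Policy, src: str, dst: str, svc: str) -> bool:
    return _match(src, p.src) and _match(dst, p.dst) and _match(svc, p.svc)


def lookup(policies: List[Policy], log_sink: List[str], src_zone: str,
           dst_zone: str, src: str, dst: str, svc: str) -> Tuple[str, Optional[int]]:
    """Return (action, matched policy ID); ID is None for the implicit deny."""
    zone_pols = [p for p in policies if p.src_zone != "global"]
    global_pols = [p for p in policies if p.src_zone == "global"]
    # 1. zone-to-zone policies, first match wins
    for p in zone_pols:
        if (p.src_zone == src_zone and p.dst_zone == dst_zone
                and _policy_matches(p, src, dst, svc)):
            if p.log:
                log_sink.append(f"policy {p.pid} {p.action} {src_zone}->{dst_zone} {src} {dst} {svc}")
            return p.action, p.pid
    # 2. global policies, regardless of their ID or when they were added
    for p in global_pols:
        if _policy_matches(p, src, dst, svc):
            if p.log:
                log_sink.append(f"policy {p.pid} {p.action} {src_zone}->{dst_zone} {src} {dst} {svc}")
            return p.action, p.pid
    # 3. implicit deny: traffic is dropped and nothing is logged
    return "deny", None


def build_ruleset(with_global_deny: bool) -> List[Policy]:
    """Constructed sample rule set; the global deny sits in the middle by ID."""
    rules = [
        Policy(1, "trust", "untrust", "any", "any", "HTTP", "permit"),
        Policy(2, "untrust", "dmz", "any", "mail-server", "SMTP", "permit"),
    ]
    if with_global_deny:
        rules.append(Policy(78, "global", "global", "any", "any", "any", "deny", log=True))
    # added later with a higher ID than the global deny, as in the thread
    rules.append(Policy(101, "trust", "dmz", "any", "mail-server", "SSH", "permit"))
    return rules


def run_scenarios(with_global_deny: bool):
    """Evaluate three constructed flows and return (results, log lines)."""
    rules = build_ruleset(with_global_deny)
    log: List[str] = []
    results = {
        "http_out": lookup(rules, log, "trust", "untrust", "pc-1", "web", "HTTP"),
        "ssh_to_dmz": lookup(rules, log, "trust", "dmz", "pc-1", "mail-server", "SSH"),
        "telnet_in": lookup(rules, log, "untrust", "trust", "host-x", "pc-1", "TELNET"),
    }
    return results, log


if __name__ == "__main__":
    for flag in (True, False):
        res, entries = run_scenarios(flag)
        print("global deny present:", flag, res, entries)
```

Running it shows that policy 101, although it has a higher ID than the global deny and was added afterwards, still matches before it, while the unmatched inbound flow hits policy 78 and produces a log line; without the global deny the same flow is dropped by the implicit deny and leaves no trace, which is the visibility gap the original question was about.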