TMS zl Management and Configuration Guide ST.1.1.100430

Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
does not block it. Then, try to ping the module from the endpoint that is
experiencing the problem. If the endpoint cannot ping the module, check
the network infrastructure.
You may want to open the firewall to allow all traffic from the source zone
to the destination zone—temporarily, of course. Create a temporary
access policy that permits all services and addresses. Assign this access
policy position 1 and disable IPS on it (so that you do not confuse the IPS
dropping packets with a connectivity problem).
To create these access policies using the Web browser interface, see
“Firewall Access Policies” in Chapter 4: “Firewall.”
Remember to remove the temporary access policies after you solve the
problem and are no longer troubleshooting.
If you open the firewall and the endpoint cannot ping the module,
check the network infrastructure:
- Is IP routing set up correctly on network devices?
- Is VLAN tagging configured correctly?
- Do any other firewalls between the module and the destination allow
  the traffic?
- Is the endpoint’s gateway configured correctly?
Log Message Shows That Traffic Did Not Match Any Access Policy.
Filter the TMS zl Module’s log by the source IP address (or named object) of the
device that is sending the traffic. If you see the following text in a log message,
the firewall does not have an access policy that permits the traffic. In this case,
the firewall drops the traffic:
id=fw_access_control ruleid=0 msg="FW: no access policy found, packets dropped."
In this case, check the following:
- Ensure that the intended access policy is configured correctly
  (including any named objects).
  The access policy must explicitly permit the traffic.
- Ensure that the VLAN is assigned to the right zone.
  You should not overlook the possibility that the problem is caused by a
  simple configuration error. Check the TMS VLAN settings and make sure
  the VLAN is assigned to the right zone.
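
The log check described above can be run over an exported log, shown here as an added example that is not from the guide or the product. It counts policy-miss drops for one source IP, grouped by destination, so you can see which access policy is missing. Only the id, ruleid and msg text come from the guide; the src, dst, dstport and proto field names and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines. Only id=, ruleid= and the "no access policy found"
# msg text appear in the guide; src/dst/dstport/proto are assumed field names.
SAMPLE_LOG = '''\
id=fw_access_control ruleid=0 src=10.1.10.25 dst=10.1.20.5 dstport=443 proto=tcp msg="FW: no access policy found, packets dropped."
id=fw_access_control ruleid=12 src=10.1.10.25 dst=10.1.20.5 dstport=80 proto=tcp msg="constructed permit entry"
id=fw_access_control ruleid=0 src=10.1.10.25 dst=10.1.20.5 dstport=443 proto=tcp msg="FW: no access policy found, packets dropped."
id=fw_access_control ruleid=0 src=10.1.30.7 dst=10.1.20.5 dstport=22 proto=tcp msg="FW: no access policy found, packets dropped."
id=ips_alert src=10.1.10.25 dst=10.1.20.5 msg="constructed non-firewall entry"
malformed line without fields
'''

# key=value pairs; a value is either "quoted text with spaces" or a bare token.
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')
POLICY_MISS = "no access policy found"


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values keep their spaces."""
    return {key: (inner if raw.startswith('"') else raw)
            for key, raw, inner in PAIR.findall(line)}


def policy_misses(log_text, source_ip):
    """Count drops from source_ip that matched no access policy,
    grouped by (dst, dstport, proto)."""
    misses = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Match the id, ruleid and message text shown in the guide.
        if (rec.get("id") == "fw_access_control"
                and rec.get("ruleid") == "0"
                and POLICY_MISS in rec.get("msg", "")
                and rec.get("src") == source_ip):
            misses[(rec.get("dst"), rec.get("dstport"), rec.get("proto"))] += 1
    return misses


if __name__ == "__main__":
    src = "10.1.10.25"
    for (dst, port, proto), n in policy_misses(SAMPLE_LOG, src).most_common():
        print(f"{n} drop(s) with no matching access policy: {src} -> {dst}:{port}/{proto}")
```

Each destination it reports is traffic that needs either an explicit permit policy or a corrected VLAN-to-zone assignment, as listed in the checks above.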