TMS zl Management and Configuration Guide ST.1.1.100430

Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
Traffic Matches Another Access Policy. You may check the log messages and see that the packet has matched another access policy (not the one you intended it to match). For example, the following log message indicates that an access policy has denied, or blocked, certain traffic.

id=fw_access_control ruleid=58 msg="FW: access policy is deny, packets dropped"

If the traffic is matching a different access policy than the one you intended, check the following.

Check the order of the access policies.
If the traffic is matching an access policy that is processed before the intended access policy, you will need to change the order of the access policies. Typically, you should put the more specific access policies first.

Ensure that the intended access policy and the matching access policy are configured correctly.
Check both the intended access policy and the matching access policy and make sure that the source, destination, and protocol fields are configured correctly. If you modify an access policy, retest the policy to make sure it is now working as you want it to.

If user authentication is enabled, ensure that it is set up correctly, and the user authenticates successfully.
Finally, you may want to see if user authentication is enabled. If it is, make sure it is set up correctly. For example, you must set up the appropriate access policies and ensure that the user authenticated successfully. Keep in mind that regular access policies will be processed before access policies that are related to user groups.
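
The ordering and field checks above can be rehearsed offline. The following is an added example, not taken from the guide or the product: it parses the log line shown above and replays a packet against a simplified first-match model of the policy table. The dictionary layout, the action field, rule 61, and all addresses are assumptions constructed for illustration, and zones and user groups are ignored.

```python
import ipaddress
import shlex

# Constructed policy table; list position is processing order. Only ruleid 58
# comes from the page's log line; rule 61 and all addresses are made up.
POLICIES = [
    {"ruleid": 58, "action": "deny", "src": "10.1.0.0/16", "dst": "0.0.0.0/0", "proto": "any"},
    {"ruleid": 61, "action": "permit", "src": "10.1.20.0/24", "dst": "192.168.5.10/32", "proto": "tcp"},
]
LOG = 'id=fw_access_control ruleid=58 msg="FW: access policy is deny, packets dropped"'
PKT = {"src": "10.1.20.7", "dst": "192.168.5.10", "proto": "tcp"}  # constructed

def parse_log(line):
    """Split a key=value log line into a dict, keeping quoted values whole."""
    line = line.replace("\u201c", '"').replace("\u201d", '"')  # tolerate curly quotes
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def matches(policy, pkt):
    """True if the packet falls inside the policy's source, destination and protocol."""
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(policy["src"])
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(policy["dst"])
            and policy["proto"] in ("any", pkt["proto"]))

def first_match(policies, pkt):
    """Return the first policy in processing order that matches, or None."""
    return next((p for p in policies if matches(p, pkt)), None)

def diagnose(policies, log_line, pkt, intended_id):
    """Classify why the logged rule, not the intended one, handled the packet."""
    logged_id = int(parse_log(log_line)["ruleid"])
    hit = first_match(policies, pkt)
    intended = next(p for p in policies if p["ruleid"] == intended_id)
    if hit is None or hit["ruleid"] != logged_id:
        return "table-differs-from-device"   # model does not reproduce the log
    if logged_id == intended_id:
        return "matched-intended"
    if not matches(intended, pkt):
        return "intended-fields-wrong"       # check source, destination, protocol
    return "shadowed-by-earlier-policy"      # fix by reordering

def specific_first(policies):
    """Stable reorder: longest combined source+destination prefix first."""
    def width(p):
        return (ipaddress.ip_network(p["src"]).prefixlen
                + ipaddress.ip_network(p["dst"]).prefixlen)
    return sorted(policies, key=width, reverse=True)

if __name__ == "__main__":
    print(diagnose(POLICIES, LOG, PKT, intended_id=61))
    print(first_match(specific_first(POLICIES), PKT)["ruleid"])
```

Prefix length is only a rough proxy for "more specific"; review the reordered table before applying it, then retest as the guide instructs.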

Traffic Matches the Intended Access Policy But Does Not Arrive at Its Destination. When you check the log messages, you may find that the traffic matched the intended access policy and was permitted. If the traffic does not arrive at its destination, check the following:

Ensure that the appropriate ALG is enabled or that a port trigger is configured.
Because some applications open data-transfer connections dynamically by negotiating IP addresses and service ports, they require special handling by the firewall. For these types of applications, ensure that the appropriate Application Level Gateway (ALG) is enabled.