1: the policy was written with the wrong source, destination, or both
2: the service port is incorrect (wrong port number(s))
3: the source/destination zone is wrong or does not match the traffic flow
4: the traffic is not being received by the policy forwarding engine
5: a policy higher up is trumping this policy (policy ordering and sequence)
6: the requirement no longer exists (the project has fizzled out or been eliminated)
The Junos command "show security policies hit-count less-than 10" can be run to find all policies that have few or no matches.
As you can see, a few policies have zero matches. In a SOC, you would investigate and take appropriate action to remediate or eliminate the policy if required.
My general rule: "if you have a policy set and a firewall with considerable uptime, and certain policies are showing zero hits, then they are not required or one of the earlier items listed is applicable".
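To work through that rule at scale, the following added Python (not from the original post) parses the table that "show security policies hit-count" prints, applies the same less-than threshold, and for each low-hit policy lists the policies that precede it in the same zone pair, which is the first place to look for item 5 (ordering). The sample output is constructed to mirror the command's table layout and is not captured from a real SRX.

```python
import re
from collections import defaultdict

# Constructed sample laid out like the "show security policies hit-count"
# table (index, from zone, to zone, name, count); not from a real device.
SAMPLE_HIT_COUNT = """\
Logical system: root-logical-system
 Index   From zone        To zone          Name                 Policy count
 1       trust            untrust          allow-web            48213
 2       trust            untrust          allow-web-alt        0
 3       trust            dmz              allow-smtp           0
 4       dmz              untrust          allow-dns            912
 5       trust            untrust          legacy-ftp           3
 Number of policy: 5
"""

# A data row starts with the numeric policy index; header/summary lines do not.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_hit_count(text):
    """Return one dict per policy row: index, from_zone, to_zone, name, hits."""
    policies = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # "Logical system", column header, "Number of policy"
        idx, frm, to, name, hits = m.groups()
        policies.append({"index": int(idx), "from_zone": frm,
                         "to_zone": to, "name": name, "hits": int(hits)})
    return policies

def low_hit_policies(policies, less_than=10):
    """Same filter as 'hit-count less-than N': strictly fewer than N hits."""
    return [p for p in policies if p["hits"] < less_than]

def candidates_by_zone_pair(policies, less_than=10):
    """For each low-hit policy, record its zone pair, hit count and the
    names of policies evaluated before it in that pair (shadowing check)."""
    by_pair = defaultdict(list)
    for p in sorted(policies, key=lambda p: p["index"]):
        by_pair[(p["from_zone"], p["to_zone"])].append(p)
    report = {}
    for p in low_hit_policies(policies, less_than):
        pair = (p["from_zone"], p["to_zone"])
        earlier = [q["name"] for q in by_pair[pair] if q["index"] < p["index"]]
        report[p["name"]] = {"zone_pair": pair, "hits": p["hits"],
                             "earlier_in_pair": earlier}
    return report

if __name__ == "__main__":
    for name, info in candidates_by_zone_pair(parse_hit_count(SAMPLE_HIT_COUNT)).items():
        print(name, info)
```

A low-hit policy with a busy predecessor in the same zone pair is worth checking for ordering before it is removed; one with no predecessor points at the other items in the list.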
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \