The Global Zone causes a great deal of confusion for some engineers. If you've ever tried to create a Global deny policy with logging to deny all dropped traffic, you have probably noticed that it does not log everything.
"Global" does NOT mean "any zone." The Global zone is a special zone where only VIP's and MIP's reside. All VIP's and MIP's reside in the Global zone. If you create a policy from Untrust->Trust which contains a MIP and then do a "get policy id " on that policy, it will show that the policy's destination zone is actually Global, not Trust. Since the global zone only has MIP's and VIP's in it, it *cannot* be used to log all of the dropped traffic passing through the device.

Remember that the Global zone is only for policies which contain MIP's and VIP's and will not have an effect on anything else. The Global Zone does not mean "all zones.". If you want to put in an explicit deny at the end of your policy for logging, you must create a Global policy. Now, here's where it gets interesting. There is something called the Global policy. The Global policy has nothing to do with global zones. This policy is parsed after zone->zone policies and intrazone policies. By default, there is nothing in it and it allows all traffic. Any rule in the Global policy applies to all source and destination zones. If you type "get policy" it will only show you your regular zone->zone and intrazone rules. If you type "get policy global" it will show you the global policy. To set a catchall deny policy that logs, issue the command:

set policy global any any any deny log

Or, in the Web interface, select Global as the source zone and Global as the destination zone. Apparently this method of creating the Global policy will also work in NSM, however, I was not able to make it work with version 2007.1r1. I will investigate further and make changes to this article as needed.

I should also mention that the content of this article was changed. I was incorrect with some of my assumptions, to which a few people pointed out. Thanks!


Kaynak: Guests cannot see links in the messages. Please register to forum by clicking href="member.php?action=register">here to see links.

gracias a Dios por intiresny

welcome