Edge traffic dropping when Standard firewall is enabled with VLAN based rules.

Article ID: 383272

Products

VMware VeloCloud SD-WAN

Issue/Introduction

After upgrading their Edges, customers may notice that traffic matching rules in the stateless (Standard) firewall starts being dropped. This article explains the reason for this behavior and how to resolve it.

Environment

Edges with VLAN-based firewall rules configured, including at least one deny rule, and with Stateful Firewall not enabled. In this configuration, traffic matching the deny rule is dropped.

 

Cause

This is expected behavior of the Edge. With Stateful Firewall disabled, every packet is evaluated independently against the rule set, so any packet that matches the drop rule is dropped regardless of which flow it belongs to. With Stateful Firewall enabled, only the first packet of a flow is evaluated against the rules; later packets of that flow are handled by the recorded flow state and do not come back to the firewall for a match against the outbound rule.
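To make the difference concrete, the following is an added illustrative model of the two evaluation modes described above. It is not VeloCloud Edge code; the Packet and Rule types, the 5-tuple flow key, and the sample flow (a host in VLAN 10 opening a TCP session to an internet server) are constructed for the example. A rule that denies traffic "to VLAN 10" is applied to the request and its reply, once with per-packet (stateless) evaluation and once with first-packet (stateful) evaluation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model, not VeloCloud code: compares how a direction-based VLAN
# deny rule behaves when every packet is matched (stateless) versus when only
# the first packet of a flow is matched and the verdict is cached (stateful).


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_vlan: Optional[int]  # VLAN the packet leaves from (None = WAN side)
    dst_vlan: Optional[int]  # VLAN the packet enters (None = WAN side)
    sport: int
    dport: int
    proto: str = "tcp"

    def flow_key(self) -> Tuple:
        # Normalized 5-tuple so request and reply map to the same flow.
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, ends[0], ends[1])


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    to_vlan: Optional[int] = None   # match packets entering this VLAN
    from_vlan: Optional[int] = None # match packets leaving this VLAN

    def matches(self, pkt: Packet) -> bool:
        if self.to_vlan is not None and pkt.dst_vlan != self.to_vlan:
            return False
        if self.from_vlan is not None and pkt.src_vlan != self.from_vlan:
            return False
        return True


def first_match(rules: List[Rule], pkt: Packet, default: str = "allow") -> str:
    """First-match rule lookup; assumed implicit-allow default for the model."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def run_stateless(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Every packet is evaluated on its own against the rule list."""
    return [first_match(rules, p) for p in packets]


def run_stateful(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Only the first packet of a flow hits the rule list; its verdict is
    recorded and reused for every later packet of the same flow."""
    flow_table = {}
    verdicts = []
    for p in packets:
        key = p.flow_key()
        if key not in flow_table:
            flow_table[key] = first_match(rules, p)
        verdicts.append(flow_table[key])
    return verdicts


# Constructed sample flow: host in VLAN 10 talks to a server on the WAN side.
REQUEST = Packet("10.0.10.5", "203.0.113.20", 10, None, 40000, 443)
REPLY = Packet("203.0.113.20", "10.0.10.5", None, 10, 443, 40000)
RULES = [Rule("deny", to_vlan=10)]  # direction-based rule: block traffic into VLAN 10

if __name__ == "__main__":
    print("stateless:", run_stateless(RULES, [REQUEST, REPLY]))  # reply is dropped
    print("stateful: ", run_stateful(RULES, [REQUEST, REPLY]))   # session survives
```

In the stateless run the reply packet is matched on its own, enters VLAN 10, hits the deny rule and is dropped, so the session from VLAN 10 breaks. In the stateful run the request creates a permitted flow entry and the reply rides on it. An unsolicited packet into VLAN 10 is still denied in both modes, which is the behavior the deny rule is meant to provide.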

Resolution

A discrepancy in stateless firewall behaviour across releases with respect to VLAN-based firewall rules was tracked as issue 139428.

Fixed Issue 139428: For a customer enterprise where the Edges are deployed with a 4.5.x build and have Standard Firewall rules configured but Stateful Firewall disabled, when the Edges are upgraded to a 5.x build traffic to some VLANs may be dropped.

On Edge builds of 5.x and later, direction-based rules (for example, one that allows traffic to a specific VLAN) are supported only when Stateful Firewall is enabled. So when the Edge is upgraded, traffic that matches direction-based rules that previously worked on a 4.5.x Edge would be dropped after the upgrade to a 5.x build.

On an enterprise without a fix for this issue, the user would need to enable the Stateful Firewall to ensure that rules with a directional parameter work properly.

The issue is fixed in release 5.2.4. On earlier 5.x builds, enabling Stateful Firewall also resolves it.