When troubleshooting issues with the firewalls including why connections were not allowed by a rule, it is sometimes necessary to enable logging of denied traffic. The steps necessary to configure logging of denied traffic are as follows:
- Log into https://panorama.net.berkeley.edu using single sign-on
- From the tabs at the top of the window chose "Policies"
- Under "Security" in the left pane choose “Default Rules”
- Highlight the "interzone-default" rule
- Select "Override" at the bottom of the screen
- When the "Security Policy Rule - predefined" window appears click the "Actions" tab
- Select "Log at Session End"
- Change Log Forwarding to "default"
- Press the "OK" button
- "Commit and Push" the change to the firewalls
At this point, any traffic that is stopped by the firewall, because their is not an allow rule, will be logged to the "Traffic" logs under the "Monitor" tab in Panorama. To undo this setting when you are done:
- Log into https://panorama.net.berkeley.edu using single sign-on
- From the tabs at the top of the window chose "Policies"
- Under "Security" in the left pane choose “Default Rules”
- Highlight the "interzone-default" rule.
- Select "Revert" at the bottom of the screen
- When prompted to confirm the revert click "Yes" Button
- Commit and Push" the change to the firewalls