[AF] A case where the application control policy does not take effect
Problem Description
An application control policy was configured to allow the server, and the policy is at the top of the policy list.
Deployment: the local AF is deployed in Layer 2 mode between the egress and the Critical. There is also a Layer 3 DMZ zone attached to it. The gateway of the servers in the intranet DMZ zone points to the intranet interface IP of the egress load device, as shown in the figure (the DMZ is a Layer 3 zone on the local AF).
Internet -- Export Load -- AF Layer 2 -- Critical
                           |
                          DMZ
When a server in the DMZ zone accesses the external network, its traffic does not match the corresponding application control policy.
Warning Info
The application control policy is not taking effect: the number of matches is 0, and the policy that allows the zone to access the Internet is ineffective.

Root cause
In the zones selected for the application control policy, the source and destination zone types do not correspond correctly. The rule for application control policies is: Layer 3 to Layer 3, and Layer 2 to Layer 2.
Solution
Change the intranet Layer 3 DMZ zone to Layer 2, and configure the IP address of the intranet interface that corresponded to the original DMZ zone on the newly added VLAN interface.
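The zone-type rule from the root cause can be checked across a policy list before a policy is deployed. The following is an added example, not Sangfor code or an AF export format: the zone names, policy fields and inventory layout are constructed for illustration, and it shows the DMZ policy flagged while the DMZ is Layer 3 and passing once the DMZ is Layer 2.

```python
# Added example: audit zone-type pairing in application control policies.
# Zone names, policy fields and the inventory layout are constructed for
# illustration; they are not a Sangfor AF export format.

LAYER2, LAYER3 = "layer2", "layer3"

def audit_policies(zones, policies):
    """Return findings for policies whose source/destination zone types differ.

    zones:    dict of zone name -> LAYER2 or LAYER3
    policies: list of dicts with name, src_zone, dst_zone, hits (match count)
    """
    findings = []
    for order, pol in enumerate(policies, start=1):
        src_type = zones.get(pol["src_zone"])
        dst_type = zones.get(pol["dst_zone"])
        if src_type is None or dst_type is None:
            findings.append((order, pol["name"], "unknown zone"))
        elif src_type != dst_type:
            # Rule from the case: Layer 3 to Layer 3, Layer 2 to Layer 2.
            reason = f"{src_type} -> {dst_type} mismatch"
            if pol.get("hits", 0) == 0:
                reason += ", 0 matches"
            findings.append((order, pol["name"], reason))
    return findings

# Constructed inventory mirroring the case: the DMZ is a Layer 3 zone,
# while the egress-facing zone sits on the Layer 2 path.
ZONES_BEFORE = {"DMZ": LAYER3, "WAN_L2": LAYER2, "LAN_L2": LAYER2}
# After the fix described in the Solution: the DMZ becomes a Layer 2 zone.
ZONES_AFTER = dict(ZONES_BEFORE, DMZ=LAYER2)

POLICIES = [
    {"name": "allow-dmz-server-out", "src_zone": "DMZ", "dst_zone": "WAN_L2", "hits": 0},
    {"name": "allow-lan-out", "src_zone": "LAN_L2", "dst_zone": "WAN_L2", "hits": 1520},
]

if __name__ == "__main__":
    for label, zones in (("before", ZONES_BEFORE), ("after", ZONES_AFTER)):
        print(label, audit_policies(zones, POLICIES))
```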
Original Link
https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=695&isOpen=true