Firewall Rule Not Recognizing Traffic

Question

Good evening, 
 I was wondering if anyone had any thoughts here ... 
 XG230 HA pair running 18.0.4 
 Wireless network in a custom zone of type DMZ - called Devices 192.168.124.0/24 
 Wired LAN network in LAN zone - 192.168.1.0/24 
 Firewall rules to allow Devices to LAN, any any any and LAN to Devices any any any. 
 I can ping from 192.168.124.158 (Devices) to 192.168.1.21 (LAN) 
 I cannot ping from 192.168.1.21 (LAN) to 192.168.124.158 (DEVICES) 
 The firewall rule from LAN to Devices is at the top of the list and is showing no traffic hits. 
 For some reason the rule is not recognizing traffic as matching the LAN to Devices rule. 
 If I change the LAN to Devices rule to ANY to Devices, it still doesn't log any traffic. 
 This makes me think it doesn't recognize Devices as a legit zone? I would really appreciate any pointer you guys might throw my way! 
 
 2021-05-13 18:54:11 0101021 IP 192.168.1.21. > 192.168.124.158. :proto ICMP: echo request seq 2000 0x0000: 4500 003c aa30 0000 7e01 938c c0a8 0115 E..<.0..~....... 0x0010: c0a8 7c9e 0800 4582 000a 07d0 6162 6364 ..|...E.....abcd 0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst 0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi Date=2021-05-13 Time=18:54:11 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=wlnet1 inzone_id=1 outzone_id=0 source_mac=00:18:0a:4f:00:01 dest_mac=00:e0:20:11:0a:34 bridge_name= l3_protocol=IPv4 source_ip=192.168.1.21 dest_ip=192.168.124.158 l4_protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=1370249728 masterid=0 status=256 state=0, flag0=755916341248 flags1=34359738368 pbdid_dir0=0 pbrid_dir1=0

BrentMagnant · Answer

Thanks for the ideas... I appreciate the time. 
 I was able to schedule an HA failover with the client. I rebooted the active FW and let the passive device take over. As soon as it did, everything started working. So I don't think it was a config issue. 
 The LAN to Device rule started logging traffic as soon as the HA failed over with no changes on my part.

Firewall Rule Not Recognizing Traffic

Top Replies