Case: LAN servers become unreachable through the firewall after our company's firewall replaces a peer vendor's device

Publication Date:  2012-09-25 Views:  150 Downloads:  0
Issue Description
Our USG2200HSR was used to replace a peer vendor's firewall.
Networking graphic:
internet--------------USG2200HSR----------SW1-------- DMZ domain server group (gateway to USG2200HSR)
                                             |_____________SW2_____trust domain user group (gateway to USG2200HSR)
After the replacement, the user group could not access some of the servers, while access to these same servers from within the server domain was normal. All network switches are Layer 2 switches; the servers in the server domain and the users in the user domain all use the USG2200HSR as their gateway.
Alarm Information
Handling Process
Checked the firewall forwarding policy; nothing abnormal was found.
Checked the servers that could not be reached and found a large number of ARP attack records on them. Further examination showed that these servers had a static IP-MAC binding configured for the gateway. The gateway MAC address changed when the device was replaced, so the servers saw the gateway's MAC change and treated it as an ARP attack. After the static gateway IP-MAC binding was removed from the servers, the fault disappeared and the user domain could access these servers in the server domain normally.
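As an added example (not part of the original case), the Python check below reproduces the failure mode described above on constructed data: it parses a server's ARP cache in "arp -a" style and flags static entries whose bound MAC no longer matches the MAC actually answering ARP for that IP, which is what a stale gateway binding looks like after a firewall swap. The IP addresses, MAC addresses and output format are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a server's ARP cache (Windows "arp -a" style output).
# The gateway 10.1.1.1 is still bound statically to the MAC of the replaced firewall.
ARP_CACHE = """\
Interface: 10.1.1.20 --- 0x3
  Internet Address      Physical Address      Type
  10.1.1.1              00-11-22-33-44-55     static
  10.1.1.30             00-aa-bb-cc-dd-01     dynamic
"""

# Constructed ARP replies observed on the wire after the swap (e.g. from a capture):
# (sender IP, sender MAC). The new firewall answers for 10.1.1.1 with a different MAC.
ARP_REPLIES: List[Tuple[str, str]] = [
    ("10.1.1.1", "00-E0-FC-12-34-56"),
    ("10.1.1.30", "00-aa-bb-cc-dd-01"),
]

ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)\s*$",
    re.IGNORECASE,
)


def parse_arp_cache(text: str) -> Dict[str, Tuple[str, str]]:
    """Map IP -> (mac, type) from "arp -a" style output; header lines are skipped."""
    entries: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries[ip] = (mac.lower(), kind.lower())
    return entries


def find_stale_static_bindings(cache: Dict[str, Tuple[str, str]],
                               replies: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (ip, bound_mac, observed_mac) for every static entry whose bound MAC
    differs from the MAC currently answering ARP for that IP. A stale entry for the
    gateway means the host keeps sending traffic to the old device's MAC and logs the
    new gateway's ARP as an attack, which matches the symptom in this case."""
    observed = {ip: mac.lower() for ip, mac in replies}
    return [
        (ip, mac, observed[ip])
        for ip, (mac, kind) in cache.items()
        if kind == "static" and ip in observed and observed[ip] != mac
    ]
```

Run the check on each server that is unreachable; any entry it reports for the gateway IP should be removed or updated to the new firewall's MAC.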
Root Cause
The user domain could access some of the servers in the server domain but not others, even though all the servers are in the same network segment and under the same switch. The firewall configuration was checked and the DMZ domain access policy is the same for all of them, so differences in access to individual servers should not come from the firewall. At the same time, access to these servers from within the DMZ domain network was normal. The situation, in which traffic from the gateway cannot reach the server, should therefore be related to the individual configuration of the servers.
After replacing the device, pay attention to security settings on the servers in the local network (such as static gateway IP-MAC bindings) and update the configuration in time.