customer configured security to let clients from untrust visit local, but when failed when ping local interfaces on NGFW when ping from clients.
1. Check the routings to see if the packets from clients can reach the IP address which configured on NGFW or not. And all the routings are ok and we can found one-way session on firewall also.
2. Check the security policy to see if the packets from clients be blocked or not.. And find that the policy allow all the packets from untrust to local .
3. Check the configuration under interfaces to see if there are any rules under ports to block this , and found there are no configuration under interfaces. But as we know for NGFW we have security policy based on Zones and interfaces, and the privilege is higher based on interfacews. That means we need to configure commands"undo service-manage enable" under interface to remove the default block rules under interfaces.
4. When configured "undo service-manage enable" under the local interfaces on firewall and problem has been fixed.
We need to configure "undo service-manage enable" under interfaces and keep security policy between zones to permit the traffic or configure "service-manage ping enable" under interfaces to solve this kind of issues.