No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Directly Connected Interfaces Cannot Be Pinged Because the Interzone Policy Denies All Packets by Default

Publication Date:  2019-01-22 Views:  178 Downloads:  0

Issue Description

The firewall works properly. Users can access Internet services but cannot ping through the firewall interface address.

Handling Process

Configure a security policy to permit packets from the Local zone to the Trust zone.

Root Cause

1. Run the display interface brief command to view interface status. All interfaces are normal.

HRP_M[USG9000] display interface brief

*down: administratively down                                                   

^down: standby                                                                  

(l): loopback                                                                  

(s): spoofing                                                                  

(b): BFD down                                                                   

(d): Dampening Suppressed                                                      

InUti/OutUti: input utility/output utility                                     

Interface                   Physical Protocol InUti OutUti   inErrors  outErrors

Aux0/0/1                    down     down        0%     0%          0          0

Eth-Trunk1                  down     down        0%     0%          0          0

Eth-Trunk2                  down     down        0%     0%          0          0

Eth-Trunk3                  down     down        0%     0%          0          0

GigabitEthernet0/0/0        up       up       0.01%  0.01%          0          0

GigabitEthernet1/0/0        down     down        0%     0%          0          0

GigabitEthernet1/0/1        up          up             0%     0%          0          0

GigabitEthernet1/0/2        up          up             0%     0%          0          0

2. Run the display zone command. The interface is in a security zone.

HRP_M[USG9000] display zone



priority is 85      

interface of the zone is (1):      

    add  interface GigabitEthernet1/0/1 

3. Check the route information:

HRP_M[USG9000] display fib    

  Route Entry Count: 1        

Destination/Mask   Nexthop         Flag TimeStamp     Interface       TunnelID       U     t[673627]         GE1/0/1        0x0

4. Check the interzone security policy.

HRP_M[USG9000]dis policy interzone local trust outbound    

policy interzone local trust outbound  

firewall default packet-filter is deny

The output shows that the interzone security policy denies packets.


In USG9000 V300R001, the default interzone security policy denies all packets. You can configure a proper interzone policy during debugging and delete the default policy after debugging.

policy interzone local trust outbound       

policy 0    

description local->trust     

  action permit