Troubleshoot traffic that is blocked even though rules allow ANY Service

When a connection that you want to allow is stopped, the possible causes and solutions depend on the engine role.

In IPS policies, Access rules allow all connections by default. If a connection that you want to allow is stopped by an IPS Access rule, the cause is a specific rule in your Access rules that stops these connections, and that rule must be found and adjusted.

In Firewall and Layer 2 Firewall Access rules, even if you set the Source, Destination, and Service to ANY and set the rule to allow the traffic, certain connections might still be discarded.


Steps

  1. Use a Protocol Agent to allow connections with a protocol that assigns ports dynamically.
    The Protocol Agent enables the Firewall to track the assigned port.
  2. If you want to use a Protocol Agent in a rule that has ANY as the Service, make sure that a matching rule with Continue as the action is placed further up in the rule table, and that this Continue rule uses a Service in which the correct Protocol Agent is selected.
  3. Add your own rules as necessary.
    The Firewall Template contains a rule that uses a Protocol Agent for some, but not all, of the protocols that assign ports dynamically. Add rules for the remaining protocols that you need to allow.
  4. If you must allow connections in your network for an application that implements TCP incorrectly, you might need to adjust or even disable connection tracking in the Access rules that match those connections.
    Connections that violate the standard TCP connection sequence are dropped by connection tracking. Because a rule with connection tracking set to off keeps no connection state, it is evaluated for every packet and creates a log entry for each packet, so we recommend that you disable logging for such rules. Disabling connection tracking also removes the state checks for that traffic, so restrict such rules to the specific Source, Destination, and Service that the application needs instead of using ANY.
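The following is an added example, written for this page and not taken from the product or its documentation. It is a toy model of the rule-table behaviour the steps above rely on: a Continue rule that sets a Protocol Agent for a later ANY rule, an agent that learns the dynamically assigned FTP data port, and connection tracking that discards a TCP flow that does not start with SYN while a rule with tracking off passes and logs every packet. The rule fields, the `tcp/21` service notation, the agent interface and the addresses are simplifying assumptions, not the product's own configuration model.

```python
"""Toy model of a stateful rule table with Continue rules, a Protocol Agent and
connection tracking. Constructed illustration only; not Forcepoint NGFW code."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # e.g. "SYN" or "ACK"
    payload: str = ""

    def key(self):
        # Direction-independent connection identifier.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


@dataclass
class Rule:
    name: str
    service: str                  # "ANY" or a TCP destination port such as "tcp/21" (assumed notation)
    action: str                   # "allow", "discard" or "continue"
    source: str | None = None     # None means ANY
    agent: str | None = None      # Protocol Agent name, normally set by a Continue rule
    connection_tracking: bool = True
    log: bool = True

    def matches(self, pkt):
        if self.source is not None and pkt.src != self.source:
            return False
        return self.service == "ANY" or pkt.dport == int(self.service.split("/")[1])


def ftp_agent(pkt):
    """Return (host, port) announced in a PORT command or a 227 PASV reply, else None."""
    m = re.search(r"(?:^PORT |227 [^(]*\()(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", pkt.payload)
    if not m:
        return None
    a, b, c, d, p_hi, p_lo = map(int, m.groups())
    return f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo


AGENTS = {"ftp": ftp_agent}


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.conns = {}          # connection key -> agent name for tracked connections
        self.expected = set()    # (host, port) data connections opened by an agent
        self.log = []

    def handle(self, pkt):
        key = pkt.key()
        if key in self.conns:                         # packet of a tracked connection
            agent = AGENTS.get(self.conns[key])
            endpoint = agent(pkt) if agent else None
            if endpoint:
                self.expected.add(endpoint)           # open the dynamically assigned port
                self.log.append(f"agent: expecting data connection to {endpoint}")
            return "allow"
        if "SYN" in pkt.flags and (pkt.dst, pkt.dport) in self.expected:
            self.expected.discard((pkt.dst, pkt.dport))
            self.conns[key] = None
            self.log.append(f"{pkt.dst}:{pkt.dport}: allow related connection")
            return "allow"
        agent = None
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "continue":             # sets options, matching goes on
                agent = rule.agent or agent
                continue
            if rule.action == "discard":
                self.log.append(f"{rule.name}: discard")
                return "discard"
            if rule.connection_tracking:
                if "SYN" not in pkt.flags:            # not a valid start of a TCP connection
                    self.log.append(f"{rule.name}: discard, packet does not open a connection")
                    return "discard"
                self.conns[key] = agent               # later packets pass by state, logged once
                if rule.log:
                    self.log.append(f"{rule.name}: allow new connection")
            elif rule.log:                            # no state: every packet is logged
                self.log.append(f"{rule.name}: allow packet")
            return "allow"
        self.log.append("no matching rule: discard")
        return "discard"


CLIENT, SERVER = "10.0.0.5", "192.0.2.10"            # constructed addresses


def active_ftp(fw):
    """Active-mode FTP: client sends PORT, server opens the data connection back to it."""
    return [fw.handle(Packet(CLIENT, 40000, SERVER, 21, flags="SYN")),
            fw.handle(Packet(CLIENT, 40000, SERVER, 21, flags="ACK", payload="PORT 10,0,0,5,156,65")),
            fw.handle(Packet(SERVER, 20, CLIENT, 40001, flags="SYN"))]


def demo():
    outbound_only = Rule("allow-out", "ANY", "allow", source=CLIENT)
    without_agent = active_ftp(Firewall([outbound_only]))
    with_agent = active_ftp(Firewall([Rule("ftp", "tcp/21", "continue", agent="ftp"), outbound_only]))
    # A client whose TCP stack starts a flow without SYN, seen by a tracked and an untracked rule.
    broken = [Packet(CLIENT, 40002, SERVER, 8080, flags="ACK") for _ in range(3)]
    tracked = Firewall([outbound_only])
    tracked_result = [tracked.handle(p) for p in broken]
    untracked = Firewall([Rule("no-track", "tcp/8080", "allow", source=CLIENT, connection_tracking=False)])
    untracked_result = [untracked.handle(p) for p in broken]
    return without_agent, with_agent, tracked_result, untracked_result, len(untracked.log)
```

Running `demo()` shows the server-initiated FTP data connection being discarded by the outbound-only rule until the Continue rule attaches the agent, the ACK-first flow being discarded by the tracked rule, and the untracked rule producing one log entry per packet, which is why logging is best turned off on such rules.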