Please Help - Firewall - Default action drop not working

IPv4 Firewall "outside_access_in":

Active on (eth0,IN) (eth0,LOCAL) (eth2,IN) (eth2,LOCAL) (eth3,IN) (eth3,LOCAL)

rule   packets  bytes    action  source          destination
----   -------  -----    ------  ------          -----------
10     25.05K   3.00M    ACCEPT  0.0.0.0/0       0.0.0.0/0
20     8.46K    2.97M    ACCEPT  0.0.0.0/0       0.0.0.0/0
21     0        0        ACCEPT  0.0.0.0/0       0.0.0.0/0
30     29       3.69K    ACCEPT  0.0.0.0/0       0.0.0.0/0
40     8.20K    3.21M    ACCEPT  0.0.0.0/0       0.0.0.0/0
50     342      17.78K   ACCEPT  0.0.0.0/0       0.0.0.0/0
90     30.61K   5.81M    ACCEPT  0.0.0.0/0       172.18.233.10/32
100    1.60K    176.02K  ACCEPT  0.0.0.0/0       172.18.233.20/32
110    20.59M   2.11G    ACCEPT  0.0.0.0/0       0.0.0.0/0
170    0        0        ACCEPT  0.0.0.0/0       172.18.233.45/32
205    0        0        ACCEPT  0.0.0.0/0       172.18.233.34
210    0        0        ACCEPT  0.0.0.0/0       172.18.233.16
220    0        0        ACCEPT  0.0.0.0/0       172.18.233.107/32
230    0        0        ACCEPT  0.0.0.0/0       172.18.233.107/32
240    0        0        ACCEPT  0.0.0.0/0       172.18.233.23/32
250    0        0        ACCEPT  0.0.0.0/0       172.18.233.23/32
255    0        0        ACCEPT  0.0.0.0/0       172.18.233.17/32
260    0        0        ACCEPT  0.0.0.0/0       172.18.233.99/32
282    0        0        ACCEPT  146.88.X.X/32   172.18.233.20/32
290    0        0        ACCEPT  0.0.0.0/0       172.18.233.19/32
292    0        0        ACCEPT  0.0.0.0/0       172.18.233.20/32
300    0        0        ACCEPT  0.0.0.0/0       172.18.233.30/32
310    0        0        ACCEPT  0.0.0.0/0       172.18.233.30/32
10000  0        0        REJECT  0.0.0.0/0       0.0.0.0/0


IPv4 Firewall "outside_access_in":

Active on (eth0,IN) (eth0,LOCAL) (eth2,IN) (eth2,LOCAL) (eth3,IN) (eth3,LOCAL)

rule   packets  bytes    action  source          destination
----   -------  -----    ------  ------          -----------
10     28.24K   3.49M    ACCEPT  0.0.0.0/0       0.0.0.0/0
20     8.97K    3.15M    ACCEPT  0.0.0.0/0       0.0.0.0/0
21     0        0        ACCEPT  0.0.0.0/0       0.0.0.0/0
30     31       3.91K    ACCEPT  0.0.0.0/0       0.0.0.0/0
40     8.99K    3.43M    ACCEPT  0.0.0.0/0       0.0.0.0/0
50     352      18.30K   ACCEPT  0.0.0.0/0       0.0.0.0/0
90     36.82K   6.19M    ACCEPT  0.0.0.0/0       172.18.233.10/32
100    1.71K    195.03K  ACCEPT  0.0.0.0/0       172.18.233.20/32
110    23.24M   2.36G    ACCEPT  0.0.0.0/0       0.0.0.0/0
170    0        0        ACCEPT  0.0.0.0/0       172.18.233.45/32
205    0        0        ACCEPT  0.0.0.0/0       172.18.233.34
210    0        0        ACCEPT  0.0.0.0/0       172.18.233.16
220    0        0        ACCEPT  0.0.0.0/0       172.18.233.107/32
230    0        0        ACCEPT  0.0.0.0/0       172.18.233.107/32
240    0        0        ACCEPT  0.0.0.0/0       172.18.233.23/32
250    0        0        ACCEPT  0.0.0.0/0       172.18.233.23/32
255    0        0        ACCEPT  0.0.0.0/0       172.18.233.17/32
260    0        0        ACCEPT  0.0.0.0/0       172.18.233.99/32
282    0        0        ACCEPT  146.88.x.x/32   172.18.233.20/32
290    0        0        ACCEPT  0.0.0.0/0       172.18.233.19/32
292    0        0        ACCEPT  0.0.0.0/0       172.18.233.20/32
300    0        0        ACCEPT  0.0.0.0/0       172.18.233.30/32
310    0        0        ACCEPT  0.0.0.0/0       172.18.233.30/32
10000  0        0        DROP    0.0.0.0/0       0.0.0.0/0


IPv4 Firewall "outside_access_out":

Inactive - Not applied to any interfaces or zones.

rule   packets  bytes    action  source          destination
----   -------  -----    ------  ------          -----------
10     0        0        ACCEPT  0.0.0.0/0       0.0.0.0/0
10000  0        0        ACCEPT  0.0.0.0/0       0.0.0.0/0

Hi, please show your config. I see some rules FROM 0.0.0.0/0 TO 0.0.0.0/0 with accept.

show configuration commands | match firewall

set firewall name ZFAX_ACCESS_IN default-action 'drop'
set firewall name ZFAX_ACCESS_IN rule 10 action 'accept'
set firewall name ZFAX_ACCESS_IN rule 10 description 'TCP to ZFAX'
set firewall name ZFAX_ACCESS_IN rule 10 destination address '172.18.233.14'
set firewall name ZFAX_ACCESS_IN rule 10 destination port '25'
set firewall name ZFAX_ACCESS_IN rule 10 protocol 'tcp'
set firewall name ZFAX_ACCESS_IN rule 10 source group network-group 'ZFAX-SENDERS'
set firewall name ZFAX_ACCESS_IN rule 20 action 'accept'
set firewall name ZFAX_ACCESS_IN rule 20 description 'Allowed IPs to ZFAX'
set firewall name ZFAX_ACCESS_IN rule 20 destination address '172.18.233.14'
set firewall name ZFAX_ACCESS_IN rule 20 source group network-group 'ZFAX-ALLOWED-IPS'
set firewall name ZFAX_ACCESS_IN rule 500 action 'accept'
set firewall name ZFAX_ACCESS_IN rule 500 state established 'enable'
set firewall name ZFAX_ACCESS_IN rule 500 state related 'enable'
set firewall name outside_access_in default-action 'drop'
set firewall name outside_access_in enable-default-log
set firewall name outside_access_in rule 10 action 'accept'
set firewall name outside_access_in rule 10 description 'allow icmp'
set firewall name outside_access_in rule 10 protocol 'icmp'
set firewall name outside_access_in rule 20 action 'accept'
set firewall name outside_access_in rule 20 description 'Allow Customer Private Network Traffic'
set firewall name outside_access_in rule 20 source group network-group 'Allowed_Private_Traffic'
set firewall name outside_access_in rule 21 action 'accept'
set firewall name outside_access_in rule 21 description 'Allow SSH access from Zthernet'
set firewall name outside_access_in rule 21 destination port '22'
set firewall name outside_access_in rule 21 protocol 'tcp'
set firewall name outside_access_in rule 21 source group address-group 'Zthernet_SSH_Access'
set firewall name outside_access_in rule 30 action 'accept'
set firewall name outside_access_in rule 30 description 'Allow ISAKMP'
set firewall name outside_access_in rule 30 destination port '500'
set firewall name outside_access_in rule 30 protocol 'udp'
set firewall name outside_access_in rule 30 source group address-group 'Site-to-Site_VPN_Peers'
set firewall name outside_access_in rule 40 action 'accept'
set firewall name outside_access_in rule 40 description 'Allow ESP'
set firewall name outside_access_in rule 40 protocol 'esp'
set firewall name outside_access_in rule 40 source group address-group 'Site-to-Site_VPN_Peers'
set firewall name outside_access_in rule 50 action 'accept'
set firewall name outside_access_in rule 50 description 'Incoming VPN Traffic'
set firewall name outside_access_in rule 50 source group network-group 'VPN_Traffic'
set firewall name outside_access_in rule 90 action 'accept'
set firewall name outside_access_in rule 90 description 'ScreenConnect Ports'
set firewall name outside_access_in rule 90 destination address '172.18.233.10/32'
set firewall name outside_access_in rule 90 destination port '80,443,8040,8041'
set firewall name outside_access_in rule 90 protocol 'tcp'
set firewall name outside_access_in rule 100 action 'accept'
set firewall name outside_access_in rule 100 description 'Allow TCP PORTS to zDC16'
set firewall name outside_access_in rule 100 destination address '172.18.233.20/32'
set firewall name outside_access_in rule 100 destination group port-group 'SOFTETHER'
set firewall name outside_access_in rule 110 action 'accept'
set firewall name outside_access_in rule 110 description 'TCP443 to NMS'
set firewall name outside_access_in rule 170 action 'accept'
set firewall name outside_access_in rule 170 description 'Allow HTTPS to SCREENCONNECT'
set firewall name outside_access_in rule 170 destination address '172.18.233.45/32'
set firewall name outside_access_in rule 170 destination port '443,8041'
set firewall name outside_access_in rule 170 protocol 'tcp'
set firewall name outside_access_in rule 205 action 'accept'
set firewall name outside_access_in rule 205 description 'PRIVATE BACKUP SERVERS to ZCLOUDBACKUP'
set firewall name outside_access_in rule 205 destination address '172.18.233.34'
set firewall name outside_access_in rule 205 protocol 'tcp'
set firewall name outside_access_in rule 205 source group address-group 'PRIV_IPs_TO_BCKUP_SERVERS'
set firewall name outside_access_in rule 210 action 'accept'
set firewall name outside_access_in rule 210 description 'PRIVATE VMWARE SERVERS to ZVM'
set firewall name outside_access_in rule 210 destination address '172.18.233.16'
set firewall name outside_access_in rule 210 source group address-group 'VMWARE_SERVERS'
set firewall name outside_access_in rule 220 action 'accept'
set firewall name outside_access_in rule 220 description 'Allow UDP PORTS to LABTECH'
set firewall name outside_access_in rule 220 destination address '172.18.233.107/32'
set firewall name outside_access_in rule 220 destination group port-group 'LABTECH_UDP'
set firewall name outside_access_in rule 220 protocol 'udp'
set firewall name outside_access_in rule 230 action 'accept'
set firewall name outside_access_in rule 230 description 'Allow TCP PORTS to LABTECH'
set firewall name outside_access_in rule 230 destination address '172.18.233.107/32'
set firewall name outside_access_in rule 230 destination group port-group 'LABTECH_TCP'
set firewall name outside_access_in rule 230 protocol 'tcp'
set firewall name outside_access_in rule 240 action 'accept'
set firewall name outside_access_in rule 240 description 'Allow TCP PORTS to ZSP-CMD'
set firewall name outside_access_in rule 240 destination address '172.18.233.23/32'
set firewall name outside_access_in rule 240 destination group port-group 'ZSP-CMD_TCP'
set firewall name outside_access_in rule 240 protocol 'tcp'
set firewall name outside_access_in rule 250 action 'accept'
set firewall name outside_access_in rule 250 description 'Allow ShadowProtect access to zSP-CMD'
set firewall name outside_access_in rule 250 destination address '172.18.233.23/32'
set firewall name outside_access_in rule 250 destination port '22'
set firewall name outside_access_in rule 250 protocol 'tcp'
set firewall name outside_access_in rule 250 source group address-group 'zSP-CMD_Access'
set firewall name outside_access_in rule 255 action 'accept'
set firewall name outside_access_in rule 255 description 'Allow TCP443 to ZMANAGE'
set firewall name outside_access_in rule 255 destination address '172.18.233.17/32'
set firewall name outside_access_in rule 255 destination port '443'
set firewall name outside_access_in rule 255 protocol 'tcp'
set firewall name outside_access_in rule 260 action 'accept'
set firewall name outside_access_in rule 260 description 'Allow ZTHERBOX_TCP to ZTHERBOX'
set firewall name outside_access_in rule 260 destination address '172.18.233.99/32'
set firewall name outside_access_in rule 260 destination group port-group 'ZTHERBOX_TCP'
set firewall name outside_access_in rule 260 protocol 'tcp'
set firewall name outside_access_in rule 282 action 'accept'
set firewall name outside_access_in rule 282 description 'Allow TCP389 to ZDC for TXNeuro-WG DualFactor Auth'
set firewall name outside_access_in rule 282 destination address '172.18.233.20/32'
set firewall name outside_access_in rule 282 destination port '389,636'
set firewall name outside_access_in rule 282 protocol 'tcp'
set firewall name outside_access_in rule 282 source address '146.88.x.x/32'
set firewall name outside_access_in rule 290 action 'accept'
set firewall name outside_access_in rule 290 description 'Allow TCP25 from FuseMail to ZMAIL'
set firewall name outside_access_in rule 290 destination address '172.18.233.19/32'
set firewall name outside_access_in rule 290 destination port '25'
set firewall name outside_access_in rule 290 protocol 'tcp'
set firewall name outside_access_in rule 290 source group network-group 'FuseMail'
set firewall name outside_access_in rule 292 action 'accept'
set firewall name outside_access_in rule 292 description 'Allow TCP389 to ZDC'
set firewall name outside_access_in rule 292 destination address '172.18.233.20/32'
set firewall name outside_access_in rule 292 destination port '389,636'
set firewall name outside_access_in rule 292 protocol 'tcp'
set firewall name outside_access_in rule 292 source group network-group 'FuseMail'
set firewall name outside_access_in rule 300 action 'accept'
set firewall name outside_access_in rule 300 description 'Allow TCP PORTS to UNIFI16'
set firewall name outside_access_in rule 300 destination address '172.18.233.30/32'
set firewall name outside_access_in rule 300 destination group port-group 'UNIFI_TCP'
set firewall name outside_access_in rule 300 protocol 'tcp'
set firewall name outside_access_in rule 310 action 'accept'
set firewall name outside_access_in rule 310 description 'Allow TCP PORTS to UNIFI16'
set firewall name outside_access_in rule 310 destination address '172.18.233.30/32'
set firewall name outside_access_in rule 310 destination group port-group 'UNIFI_UDP'
set firewall name outside_access_in rule 310 protocol 'udp'
set firewall name outside_access_out default-action 'accept'
set firewall name outside_access_out rule 10 action 'accept'
set firewall name outside_access_out rule 10 description 'Allow Customer Private Network Traffic'
set firewall name outside_access_out rule 10 destination group network-group 'Allowed_Private_Traffic'
set firewall receive-redirects 'disable'
set firewall send-redirects 'disable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '146.88.x.x/24'
set interfaces ethernet eth0 description 'Outside'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 firewall in name 'outside_access_in'
set interfaces ethernet eth0 firewall local name 'outside_access_in'
set interfaces ethernet eth0 hw-id '00:50:56:bd:0a:fe'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '172.18.233.223/24'
set interfaces ethernet eth1 description 'Inside'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:50:56:bd:e5:78'
set interfaces ethernet eth1 policy route 'SERVERS_USING_OLD_PUBLIC_IPS'
set interfaces ethernet eth1 smp_affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 firewall in name 'outside_access_in'
set interfaces ethernet eth2 firewall local name 'outside_access_in'
set interfaces ethernet eth2 hw-id '00:50:56:bd:01:dd'
set interfaces ethernet eth2 smp_affinity 'auto'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth3 address '72.29.X.X/27'
set interfaces ethernet eth3 address '72.29.X.X/27'
set interfaces ethernet eth3 address '206.123.X.X/27'
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 firewall in name 'outside_access_in'
set interfaces ethernet eth3 firewall local name 'outside_access_in'
set interfaces ethernet eth3 hw-id '00:50:56:bd:49:a7'
set interfaces ethernet eth3 smp_affinity 'auto'
set interfaces ethernet eth3 speed 'auto'
set interfaces ethernet eth4 duplex 'auto'
set interfaces ethernet eth4 hw-id '00:50:56:bd:16:1f'
set interfaces ethernet eth4 smp_affinity 'auto'
set interfaces ethernet eth4 speed 'auto'
set interfaces loopback lo

You need to check your rules in detail. Your config contains rules which don't have any logic.

set firewall name outside_access_in rule 110 action 'accept'
set firewall name outside_access_in rule 110 description 'TCP443 to NMS'

Delete this rule or add logic to it. You can see in your previous output (first message) that the most packets match this rule.
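The check the reply above is making, written out as an added example (my own Python, not code from the thread or from EdgeOS/VyOS): parse the `set firewall` lines and the per-rule statistics table, then report every enabled `accept` rule that carries no match criteria. Such a rule matches every packet that reaches it, so every later rule and the `default-action` can never fire, which is exactly why "default action drop" appears not to work. The config and counter excerpts embedded below are constructed from the thread's values and trimmed to a handful of rules; the set of keywords treated as match criteria is my assumption about the CLI, not something the thread states.

```python
"""Audit an EdgeOS/VyOS-style ruleset for 'accept' rules that match everything."""
import re
from collections import defaultdict
from decimal import Decimal

# Constructed excerpt modelled on the thread's config (not the full ruleset).
CONFIG = """\
set firewall name outside_access_in default-action 'drop'
set firewall name outside_access_in rule 10 action 'accept'
set firewall name outside_access_in rule 10 description 'allow icmp'
set firewall name outside_access_in rule 10 protocol 'icmp'
set firewall name outside_access_in rule 20 action 'accept'
set firewall name outside_access_in rule 20 source group network-group 'Allowed_Private_Traffic'
set firewall name outside_access_in rule 110 action 'accept'
set firewall name outside_access_in rule 110 description 'TCP443 to NMS'
set firewall name outside_access_in rule 255 action 'accept'
set firewall name outside_access_in rule 255 destination address '172.18.233.17/32'
set firewall name outside_access_in rule 255 destination port '443'
set firewall name outside_access_in rule 255 protocol 'tcp'
set firewall name outside_access_in rule 500 action 'accept'
set firewall name outside_access_in rule 500 state established 'enable'
"""

# Constructed statistics rows (rule packets bytes action source destination),
# shaped like the second set of counters the original poster pasted.
STATS = """\
10 28.24K 3.49M ACCEPT 0.0.0.0/0 0.0.0.0/0
20 8.97K 3.15M ACCEPT 0.0.0.0/0 0.0.0.0/0
110 23.24M 2.36G ACCEPT 0.0.0.0/0 0.0.0.0/0
255 0 0 ACCEPT 0.0.0.0/0 172.18.233.17/32
500 0 0 ACCEPT 0.0.0.0/0 0.0.0.0/0
10000 0 0 DROP 0.0.0.0/0 0.0.0.0/0
"""

RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) (.+?)(?: '([^']*)')?$")
DEFAULT_RE = re.compile(r"^set firewall name (\S+) default-action '(\w+)'$")
STATS_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\w+)\s+(\S+)\s+(\S+)$")

# Assumed list of leading keywords that actually narrow a rule. 'action',
# 'description' and 'log' do not; a rule made only of those matches every packet.
MATCH_KEYS = {"protocol", "source", "destination", "state", "icmp", "tcp",
              "ipsec", "fragment", "recent", "time", "limit", "mac-address", "p2p"}
SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}


def parse_config(text):
    """Return ({firewall: default_action}, {firewall: {rule_no: {key: value}}})."""
    defaults, rules = {}, defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        line = line.strip()
        if m := DEFAULT_RE.match(line):
            defaults[m.group(1)] = m.group(2)
        elif m := RULE_RE.match(line):
            name, num, key, value = m.groups()
            rules[name][int(num)][key] = value
    return defaults, rules


def to_count(s):
    """Expand the K/M/G suffix of a counter; Decimal avoids 23.24*1e6 rounding down."""
    num, suffix = re.fullmatch(r"([\d.]+)([KMG]?)", s).groups()
    return int(Decimal(num) * SUFFIX[suffix])


def parse_stats(text):
    """Map rule number -> packets matched, from the statistics table rows."""
    hits = {}
    for line in text.splitlines():
        if m := STATS_RE.match(line.strip()):
            hits[int(m.group(1))] = to_count(m.group(2))
    return hits


def is_catch_all(rule):
    """True when no key of the rule narrows the match (only action/description/log)."""
    return not any(key.split()[0] in MATCH_KEYS for key in rule)


def audit(config_text, stats_by_firewall):
    """List every enabled accept rule that matches everything, with its impact."""
    defaults, rules = parse_config(config_text)
    findings = []
    for name, ruleset in rules.items():
        hits = stats_by_firewall.get(name, {})
        total = sum(hits.values()) or 1
        ordered = sorted(ruleset)
        for i, num in enumerate(ordered):
            rule = ruleset[num]
            if "disable" in rule or rule.get("action") != "accept" or not is_catch_all(rule):
                continue
            findings.append({
                "firewall": name,
                "rule": num,
                "description": rule.get("description", ""),
                "packets": hits.get(num, 0),
                "share": round(hits.get(num, 0) / total, 3),
                "shadowed_rules": ordered[i + 1:],       # never evaluated
                "shadowed_default": defaults.get(name),  # never applied either
            })
    return findings


if __name__ == "__main__":
    for f in audit(CONFIG, {"outside_access_in": parse_stats(STATS)}):
        print(f"{f['firewall']} rule {f['rule']} ({f['description']!r}) accepts everything: "
              f"{f['packets']} packets ({f['share']:.1%}); shadows rules {f['shadowed_rules']} "
              f"and default-action {f['shadowed_default']}")
```

Run against the excerpt it reports rule 110 ('TCP443 to NMS') with roughly 99.8% of all packet hits, shadowing every rule numbered above it and the `drop` default. To run it against the real router, paste the output of `show configuration commands` and `show firewall name outside_access_in statistics` into the two strings. Given the rule's description, the missing logic is presumably `protocol 'tcp'`, `destination port '443'` and a `destination address` for the NMS host, but the thread does not give that address, so that part is an assumption.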