Thanks for the security flow setup info. So, I set your instructions up for my mess:
set security flow traceoptions file flow-log
set security flow traceoptions file files 2
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter inbound source-prefix 10.0.0.249/32
set security flow traceoptions packet-filter inbound destination-prefix 10.0.0.2/32
set security flow traceoptions packet-filter return source-prefix 10.0.102.100/32
set security flow traceoptions packet-filter return destination-prefix 10.0.0.249/32
And here is what "show log flow-log" gives me back:
Jun 4 13:20:13 uranus clear-log[16803]: logfile cleared
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:<10.0.0.249/53862->10.0.0.2/10024;6> matched filter inbound:
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:packet [60] ipid = 61034, @423f961e
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 14, common flag 0x0, mbuf 0x423f9400, rtbl_idx = 0
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: flow process pak fast ifl 69 in_ifp vlan.2
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: vlan.2:10.0.0.249/53862->10.0.0.2/10024, tcp, flag 2 syn
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: find flow: table 0x489225d8, hash 23362(0xffff), sa 10.0.0.249, da 10.0.0.2, sp 53862, dp 10024, proto 6, tok 7
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:check self-traffic on vlan.2, in_tunnel 0x0
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:retcode: 0x1
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:pak_for_self : proto 6, dst port 10024, action 0x0
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: flow_first_create_session
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: flow_first_in_dst_nat: in <VLAN.2>, out <N> dst_adr 10.0.0.2, sp 53862, dp 10024
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: chose interface vlan.2 as incoming nat if.
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: 10.0.0.2(10024) to 10.0.102.100(22), rule/pool id 1/2.
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 10.0.0.249, x_dst_ip 10.0.102.100, in ifp vlan.2, out ifp N/A sp 53862, dp 10024, ip_proto 6, tos 0
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:Doing DESTINATION addr route-lookup
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: routed (x_dst_ip 10.0.102.100) from untrust (vlan.2 in 0) to vlan.102, Next-hop: 10.0.102.100
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone test-zone (0x110,0xd2662728,0x16)
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:Policy lkup: vsys 0 zone(7:untrust) -> zone(10:test-zone) scope:0
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: 10.0.0.249/53862 -> 10.0.102.100/22 proto 6
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: 10.0.0.249/53862 -> 10.0.102.100/22 proto 6
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: app 22, timeout 1800s, curr ageout 20s
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: packet dropped, denied by policy
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: packet dropped, policy deny.
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: flow find session returns error.
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
From what I can see, here is where it drops the packet:
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:Policy lkup: vsys 0 zone(7:untrust) -> zone(10:test-zone) scope:0
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: 10.0.0.249/53862 -> 10.0.102.100/22 proto 6
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: 10.0.0.249/53862 -> 10.0.102.100/22 proto 6
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: app 22, timeout 1800s, curr ageout 20s
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: packet dropped, denied by policy
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
So, it goes fine until finding this Unknown zone, whatever it is. And that kicks in a default policy. I thought the dropping was being done at the untrust zone, but I guess I was wrong.
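The trace above carries the whole first-path decision in a handful of lines: the packet-filter match, the destination NAT translation, the route lookup that picks the egress zone, each policy lookup the flow module attempts, and the final verdict with the policy name and id. The following Python parser is an added example (it is not from the original post and not Juniper code) that pulls those fields out of a `basic-datapath` trace so that many captures can be summarized or grepped at once. The two sample traces are constructed from the lines posted above (the second, permitted one, is invented to exercise the other branch), and the `permitted by policy NAME(id)` format is assumed to be the permit-side counterpart of the `denied by policy NAME(id)` line that appears in the post.

```python
"""Extract the first-path decision from a Junos SRX flow trace (basic-datapath).

Added example, not Juniper's code. Message formats are taken from the trace posted
above; the 'permitted by policy NAME(id)' form is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Message patterns as they appear after the 'CID-0:RT:' prefix.
RE_FILTER = re.compile(r"<(\S+)/(\d+)->(\S+)/(\d+);(\d+)> matched filter (\S+):")
RE_DNAT = re.compile(r"DST xlate: (\S+)\((\d+)\) to (\S+)\((\d+)\)")
RE_ROUTE = re.compile(r"routed \(x_dst_ip \S+\) from (\S+) \(\S+ in \d+\) to (\S+),")
RE_POLICY_LKUP = re.compile(r"Policy lkup: vsys \d+ zone\(\d+:([^)]+)\) -> zone\(\d+:([^)]+)\)")
RE_VERDICT = re.compile(r"(denied|permitted) by policy (\S+?)\((\d+)\)")  # 'permitted' form assumed


@dataclass
class FlowDecision:
    filter_name: Optional[str] = None
    src: Optional[Tuple[str, int]] = None
    orig_dst: Optional[Tuple[str, int]] = None
    proto: Optional[int] = None
    xlated_dst: Optional[Tuple[str, int]] = None   # destination after DNAT, if any
    in_zone: Optional[str] = None
    out_ifl: Optional[str] = None
    zone_lookups: List[Tuple[str, str]] = field(default_factory=list)  # every from->to pair tried
    verdict: Optional[str] = None                  # 'permit', 'deny', or None if no verdict line
    policy: Optional[str] = None
    policy_id: Optional[int] = None


def analyze_flow_trace(text: str) -> FlowDecision:
    """Walk the trace once and record the fields that decide the session's fate."""
    d = FlowDecision()
    for line in text.splitlines():
        if (m := RE_FILTER.search(line)):
            d.filter_name = m.group(6)
            d.src = (m.group(1), int(m.group(2)))
            d.orig_dst = (m.group(3), int(m.group(4)))
            d.proto = int(m.group(5))
        elif (m := RE_DNAT.search(line)):
            d.xlated_dst = (m.group(3), int(m.group(4)))
        elif (m := RE_ROUTE.search(line)):
            d.in_zone, d.out_ifl = m.group(1), m.group(2)
        elif (m := RE_POLICY_LKUP.search(line)):
            d.zone_lookups.append((m.group(1), m.group(2)))
        elif (m := RE_VERDICT.search(line)):
            d.verdict = "deny" if m.group(1) == "denied" else "permit"
            d.policy, d.policy_id = m.group(2), int(m.group(3))
    return d


def summarize(d: FlowDecision) -> str:
    """One-line summary of a decision, convenient when scanning many traces."""
    if d.src is None:
        return "no 'matched filter' line found; check the packet-filter prefixes"
    flow = f"{d.src[0]}:{d.src[1]} -> {d.orig_dst[0]}:{d.orig_dst[1]} proto {d.proto}"
    if d.xlated_dst:
        flow += f" (DNAT -> {d.xlated_dst[0]}:{d.xlated_dst[1]})"
    zones = ", ".join(f"{a}->{b}" for a, b in d.zone_lookups) or "none"
    if d.verdict is None:
        return f"{flow}; policy lookups: {zones}; no verdict line in trace"
    return f"{flow}; policy lookups: {zones}; {d.verdict} by {d.policy}({d.policy_id})"


# Constructed sample: the relevant lines of the denied flow posted above.
SAMPLE_DENY = """\
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:<10.0.0.249/53862->10.0.0.2/10024;6> matched filter inbound:
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: 10.0.0.2(10024) to 10.0.102.100(22), rule/pool id 1/2.
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: routed (x_dst_ip 10.0.102.100) from untrust (vlan.2 in 0) to vlan.102, Next-hop: 10.0.102.100
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:Policy lkup: vsys 0 zone(7:untrust) -> zone(10:test-zone) scope:0
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: 10.0.0.249/53862 -> 10.0.102.100/22 proto 6
Jun 4 13:20:29 13:20:29.032120:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
Jun 4 13:20:29 13:20:29.032120:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
"""

# Constructed sample of a permitted flow; the policy name and the 'permitted by' line are invented.
SAMPLE_PERMIT = """\
Jun 4 13:21:02 13:21:02.100000:CID-0:RT:<10.0.0.249/53900->10.0.0.2/10024;6> matched filter inbound:
Jun 4 13:21:02 13:21:02.100000:CID-0:RT:flow_first_rule_dst_xlate: DST xlate: 10.0.0.2(10024) to 10.0.102.100(22), rule/pool id 1/2.
Jun 4 13:21:02 13:21:02.100000:CID-0:RT: routed (x_dst_ip 10.0.102.100) from untrust (vlan.2 in 0) to vlan.102, Next-hop: 10.0.102.100
Jun 4 13:21:02 13:21:02.100000:CID-0:RT:Policy lkup: vsys 0 zone(7:untrust) -> zone(10:test-zone) scope:0
Jun 4 13:21:02 13:21:02.100000:CID-0:RT: permitted by policy allow-ssh(4)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_DENY, SAMPLE_PERMIT):
        print(summarize(analyze_flow_trace(sample)))
```

Feed it the output of `show log flow-log` (or a saved copy) and it reports, per flow, the translated destination that the policy lookup was actually evaluated against and which zone pair and policy produced the verdict; the translated address matters because, as the posted trace shows, the policy search runs against the post-DNAT destination (10.0.102.100/22) rather than the address on the wire.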