You want to configure a ScreenOS global firewall policy that applies to all security zones and logs the matched traffic.
You can configure global policies using the set policy global command, which does not reference any source or destination security zones. The following code is a sample global policy that permits and logs ICMP ping traffic from and to all security zones on a ScreenOS gateway:

set policy global any any ping permit log
policy id = 17
Internal_fw->
As reviewed in greater detail in the following Discussion section, global policies are processed only for packets that have not already been matched by any intra-zone or inter-zone policies.
As discussed in this chapter's Introduction section, ScreenOS processes global policies after all the intra-zone and inter-zone policies. Furthermore, when ScreenOS goes through a policy list, it stops processing as soon as a match is found. Hence, if your inter-zone or intra-zone policies have an explicit Source-Any to Destination-Any deny/reject policy at the end of the policy set, the global policies will never be reached in the ScreenOS processing order.
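To make that processing order concrete, the following is an added Python model (not from the book and not ScreenOS code) of first-match lookup in which the zone-pair list is searched first and the global list only afterwards, together with a check that reports global policies shadowed by a catch-all zone-pair policy. Zone names, addresses, services and every policy id other than 17 are constructed for the example.

```python
from dataclasses import dataclass

ANY = "any"        # ScreenOS "any" address or service keyword
GLOBAL = "global"  # pseudo-zone marking a "set policy global" entry (model only)

@dataclass(frozen=True)
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src_addr: str
    dst_addr: str
    service: str
    action: str      # "permit", "deny" or "reject"
    log: bool = False

def _matches(p, src_addr, dst_addr, service):
    return (p.src_addr in (ANY, src_addr) and p.dst_addr in (ANY, dst_addr)
            and p.service in (ANY, service))

def _zone_pair(policies, src_zone, dst_zone):
    return [p for p in policies if (p.src_zone, p.dst_zone) == (src_zone, dst_zone)]

def lookup(policies, src_zone, dst_zone, src_addr, dst_addr, service):
    """First match wins: zone-pair policies in order, then the global policies."""
    candidates = _zone_pair(policies, src_zone, dst_zone)
    candidates += [p for p in policies if p.src_zone == GLOBAL]
    for p in candidates:
        if _matches(p, src_addr, dst_addr, service):
            return p
    return None  # no match at all: the gateway's default deny applies

def shadowed_globals(policies, src_zone, dst_zone):
    """Global policies unreachable for this zone pair because an any/any/any policy there catches everything."""
    catch_all = any(p.src_addr == ANY and p.dst_addr == ANY and p.service == ANY
                    for p in _zone_pair(policies, src_zone, dst_zone))
    return [p for p in policies if p.src_zone == GLOBAL] if catch_all else []

# Constructed sample: trust->untrust ends with an explicit any/any deny, trust->dmz
# does not; policy 17 mirrors the global ping policy from the recipe.
POLICIES = [
    Policy(1, "trust", "untrust", ANY, ANY, "http", "permit"),
    Policy(2, "trust", "untrust", ANY, ANY, ANY, "deny"),
    Policy(3, "trust", "dmz", ANY, ANY, "http", "permit"),
    Policy(17, GLOBAL, GLOBAL, ANY, ANY, "ping", "permit", log=True),
]

if __name__ == "__main__":
    hit = lookup(POLICIES, "trust", "untrust", "10.1.1.5", "192.0.2.9", "ping")
    print(f"trust->untrust ping: {hit.action} by policy {hit.pid}")  # deny by policy 2
    print("shadowed globals:", [p.pid for p in shadowed_globals(POLICIES, "trust", "untrust")])
```

Running the shadowing check over every zone pair in a converted policy list is a quick audit for global policies that will never take effect.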
When you view your existing policy set using the get policy command, the output does not list the global policies. To list the global policies, you need to use the get policy all or get policy global command:

get policy all
Total regular policies ...