Firewalls & Routing

MSP Toolkit
Practical troubleshooting paths for MSP technicians dealing with real-world support failures.

What This Category Covers

Firewall and routing issues should separate link state, NAT, policy, route selection, DNS, and asymmetric traffic. A green tunnel or healthy WAN does not prove application reachability.

Fastest Isolation Path

  • Test by IP and hostname.
  • Check route table, NAT, security policy hits, VPN selectors, logs, and recent changes.
  • Avoid broad allow rules until the blocked layer is identified.

Before You Escalate

Include affected scope, exact errors, timestamps, working comparison, logs checked, changes made, and the current suspected layer. Escalation without this evidence usually turns into another round of basic triage.

Articles in This Path

Pick the closest symptom and work from there.

Application publish rule works by IP not FQDNEdge firewall firmware upgrade resets one custom application ruleFirewall geo-block policy stops vendor access from approved country rangeFirewall HA pair stays synchronized but secondary fails takeover testFirewall HA pair syncs config but not session stateFirewall rules present but traffic still blockedFirewalls & Routing alerts indicate success while end-user experience never changesFirewalls & Routing configuration survives testing but resets after restart or syncFirewalls & Routing connector health looks normal but data stops syncingFirewalls & Routing credential or certificate rotation breaks an existing integrationFirewalls & Routing feature works in web app but fails in desktop clientFirewalls & Routing healthy dashboard status masks a failing production workflowFirewalls & Routing logging shows delivery yet the target workflow never completesFirewalls & Routing new deployment works for pilot group but not for production rolloutFirewalls & Routing policy change applies in admin console but target users never receive itFirewalls & Routing quarantine or protection action triggers but recovery workflow failsFirewalls & Routing workflow succeeds for one account but fails for shared or delegated accessGeo block enabled but approved vendor traffic also blockedInter-VLAN routing works for ping but not for HTTPS sessionsNew ISP circuit installed but outbound policy still uses old WANOutbound SMTP relay blocked because egress policy matches wrong object groupPort forward works externally but internal hairpin access failsPublished app works internally but external redirect loop persistsRoute-based tunnel carries traffic one way only after ISP failoverRouter rebooted and static routes disappearedSite to site tunnel up but only one subnet passes trafficSite-to-site VPN tunnel shows up but traffic returns through wrong routeStatic NAT entry published correctly yet source IP logging shows proxy addressStatic route added but traceroute still follows default pathWeb filter category update blocks line-of-business app download endpoint