Hello,
If a HOSTNET resource is put in warning mode, PIM will allow the connection to occur and record it in seaudit. When it is not in warning mode, the connection will be blocked. I was able to confirm this by reproducing the use case on a test server.
Here is the output of seaudit from my test machine where I confirmed the behavior.
08 Feb 2018 14:17:22 W HOST ssh 202 4 testserver.ca.com /usr/sbin/sshd
08 Feb 2018 14:17:27 P LOGIN root 59 2 testserver.ca.com SSH
....
08 Feb 2018 14:18:47 S UPDATE HOSTNET root 305 0 localhost er HOSTNET testing warning-
08 Feb 2018 14:19:00 D HOST ssh 169 3 testserver.ca.com /usr/sbin/sshd
And here is the rule I have on my lab server.
AC> sr HOSTNET *
(localhost)
Data for HOSTNET 'testing'
-----------------------------------------------------------
Warning : Yes
Inet ACLs :
Service Access
* None
Mask/Match : 255.255.255.0/141.242.141.0
Audit mode : All
Owner : root (USER )
Create time : 08-Feb-2018 13:22
Update time : 08-Feb-2018 14:18
Updated by : root (USER )
Can you please confirm how you have the HOSTNET rule set up in selang along with what you see in seaudit when you try and log into the server?
Thanks,
Brian Rehder
CA Support Engineer