This condition occurs because the triggering mechanism is enabled in a global context. When you enable a filter (irrespective of segment), the trigger is installed into Tier 1 (which is where trigger matching occurs). This trigger will then match against traffic from all segments. If the filter is only enabled on segment 1 but it triggers against traffic on segment 2, then the trigger match will be reported as Zoneless.
Example: A profile named "Internet" has filter 0164 (ICMP Echo Request) enabled for block + notify, and this profile is applied only to segment 1. Segments 2, 3, and 4 do not have filter 0164 enabled. Because the "Internet" profile on segment 1 has filter 0164 enabled, "pings" detected on any segment are sent for deep inspection, but they are blocked only on segment 1, the only segment with the filter enabled.
View zoneless statistics: To view the zoneless statistics, issue the CLI command "show np rule-stats". This command displays the zoneless hits recorded by the IPS/TPS device since the last reboot or the last "clear np rule-stats".
# show np rule-stats
Filter    Flows   Success  % Total  % Success  Zoneless  % Zoneless
 23393   589705         0       38       0.00         0           0
 30131   213508         0       14       0.00         0           0
 23090   184458         0       12       0.00         0           0
 30105   109000         0        7       0.00         0           0
 20869    77165         0        5       0.00         0           0
 20871    77164         0        5       0.00         0           0
 22116    73922         0        4       0.00         0           0
 22970    60454         0        3       0.00         0           0
 22978    60443         0        3       0.00         0           0
 23131    32757         0        2       0.00         0           0
 23623    32568         0        2       0.00         0           0
 23110     5456         0        0       0.00         0           0
 30151     4005         0        0       0.00         0           0
Total of 1520605 flows
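An added example, not part of the original article or any vendor tooling: a Python parser for the "show np rule-stats" output that lists the filters with non-zero Zoneless counts, which are the filters worth checking against per-segment profile assignments. It accepts the output line-broken or flattened onto one line; the function names are hypothetical and the sample rows are constructed.

```python
import re
from typing import NamedTuple

class RuleStat(NamedTuple):
    filter_id: int
    flows: int
    success: int
    pct_total: float
    pct_success: float
    zoneless: int
    pct_zoneless: float

def parse_rule_stats(text):
    """Parse 'show np rule-stats' output; returns (rows, reported total flows or None)."""
    tokens = text.split()
    header = [i for i, t in enumerate(tokens) if t == "Zoneless"]
    if not header:
        raise ValueError("column header not found")
    start = header[-1] + 1  # data begins after the last header word
    end = tokens.index("Total", start) if "Total" in tokens[start:] else len(tokens)
    nums = [t for t in tokens[start:end] if re.fullmatch(r"\d+(?:\.\d+)?", t)]
    if len(nums) % 7:
        raise ValueError("incomplete row: expected 7 fields per filter")
    rows = [RuleStat(int(r[0]), int(r[1]), int(r[2]), float(r[3]), float(r[4]), int(r[5]), float(r[6]))
            for r in (nums[i:i + 7] for i in range(0, len(nums), 7))]
    m = re.search(r"Total of (\d+) flows", text)
    return rows, (int(m.group(1)) if m else None)

def zoneless_filters(rows):
    """Filters whose trigger matched on a segment where the filter is not enabled."""
    return sorted((r for r in rows if r.zoneless > 0), key=lambda r: r.zoneless, reverse=True)

# Constructed sample in the column layout the command prints. The counts are
# invented for illustration; 164 stands for the ICMP Echo Request filter above.
SAMPLE = """\
# show np rule-stats
Filter  Flows  Success  % Total  % Success  Zoneless  % Zoneless
   164  12000     3000       60      25.00      9000          75
  5001   6000     6000       30     100.00         0           0
  5002   2000     1500       10      75.00       500          25
Total of 20000 flows
"""

if __name__ == "__main__":
    rows, total = parse_rule_stats(SAMPLE)
    for r in zoneless_filters(rows):
        print(f"filter {r.filter_id}: {r.zoneless} zoneless hits out of {r.flows} flows")
```

A filter listed here has a trigger installed because some profile enables it, while at least some of the matching traffic arrived on a segment where that filter is not enabled.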