topic Re: Connection terminated before detection. Action Passed in Firewall and Security Management

Connection terminated before detection. Action Passed

Netadmin2020 — Fri, 01 Jan 2021 07:59:09 GMT

Hello again,

I have the bellow issue from time to time and I am searching to see what lies behind.

I red for the early drop optimization and for packet out of states.

In my case the traffic always accepted but in some cases with above message.

What are you proposing ?

thanx!

Re: Connection terminated before detection. Action Passed

PhoneBoy — Thu, 31 Dec 2020 20:42:31 GMT

What precise rule is accepting the traffic? This could be expected behavior.

Consider what is required to determine you are tying to access, say: Gmail.
If I open a TCP connection to 192.0.2.1 port 443, the first packet sent is a TCP SYN. Here’s what I know from that:

It’s likely a web-based connection. That said, anything can use port 443, so that’s only an assumption.
It could be a connection to do a Google search, gmail, Google Maps, Google Drive, or any other Google property. Or Office 365 apps. Or something else.
I might be able to do a reverse lookup on the IP to see where it’s going, but that adds latency and provides no guarantee the lookup will show you anything that will help identify the app or website. Or tell you if the content being served up is actually safe.

Bottom line: more information is needed. A few more packets must be let through on the connection before we know exactly what it is.

Meanwhile, the error seems to indicate that the TCP connection terminated before we could figure out precisely what application it was.
Which, given how Application Control works, is something that can (and does) happen.

Re: Connection terminated before detection. Action Passed

Netadmin2020 — Fri, 01 Jan 2021 08:02:58 GMT

Good Morning and I wish a happy new year for all of us!

I am attaching everything requested below:

Re: Connection terminated before detection. Action Passed

PhoneBoy — Fri, 01 Jan 2021 08:15:55 GMT

That basically confirms what I was saying above: not quite enough bytes to classify the traffic under rule 150.1.
However, because you have an App Control rule, some traffic has to be allowed in order to attempt classification.
This is expected behavior.

Re: Connection terminated before detection. Action Passed

Netadmin2020 — Fri, 01 Jan 2021 08:22:35 GMT

This rule was just an example but behavior could be the same for other rules. So you mean that this will not be a problem to the user side?

Re: Connection terminated before detection. Action Passed

PhoneBoy — Fri, 01 Jan 2021 08:23:28 GMT

Shouldn't be since the traffic is being allowed.

Re: Connection terminated before detection. Action Passed

Netadmin2020 — Fri, 01 Jan 2021 08:47:17 GMT

So no further actions are required ?

Re: Connection terminated before detection. Action Passed

Netadmin2020 — Fri, 01 Jan 2021 09:24:40 GMT

As far as I understand some data should pass for the classification to be completed but finally the action may be blocked, if there is a rule with deny action to specific destinations.

Re: Connection terminated before detection. Action Passed

PhoneBoy — Fri, 01 Jan 2021 19:23:42 GMT

If by destination you mean a specific IP, that can be blocked at the TCP SYN.
If the destination is a specific application or a specific action in an application, traffic has to be allowed until such application or action is detected.
At that point, the connection is terminated.