topic Re: Firewall does not block traffic. in Firewall and Security Management

Firewall does not block traffic.

Matlu — Thu, 04 Jan 2024 23:55:51 GMT

Hello,

I have a Cluster R81.10 which has only the following blades enabled

[Expert@SG:0]# enabled_blades
fw av ips anti_bot mon

Client does not want to enable URLF+APPC blades.
Customer does not want to modify the Cluster object behaviour (Currently AntiBot & Anti-Virus are set to "Detect Only")

The only viable option I see to block LAN traffic to the cilkonlay.com domain is to use a per FQDN rule.
The rule has been created, but the GW does not "obey" the rule.

Traffic is still allowed. It is relevant to mention that we are now testing access to the URL from remote user connections (RA VPN).

Does anyone know why traffic is not blocked with the custom FQDN rule?

Regards.

Re: Firewall does not block traffic.

the_rock — Fri, 05 Jan 2024 02:48:55 GMT

Can you send screenshot of the rule?

Re: Firewall does not block traffic.

Matlu — Fri, 05 Jan 2024 03:58:03 GMT

Hey,

This is the TP rule you have defined.

And this is the rule we have created in the Firewall layer, so that it works with FQDN.

We are trying to block traffic to the domain "cilkonlay.com", but the Firewall is ignoring our Firewall rule using FQDN

We are testing with a simple PING from our remote VPN user connections, but we are unable to block traffic to that destination.

Cheers 🙂

Re: Firewall does not block traffic.

the_rock — Fri, 05 Jan 2024 04:09:42 GMT

Bro, we been through this many times lol. You need to check according to policy setting in gateway object for TP policy to be applied. Also, security rule has to have fqdn object as a destination.

Andy

Re: Firewall does not block traffic.

Chris_Atkinson — Fri, 05 Jan 2024 04:53:03 GMT

What do you see on the matched rules tab?

Is the RA VPN configured for hub mode?

Re: Firewall does not block traffic.

Matlu — Fri, 05 Jan 2024 15:40:43 GMT

Hello,

By "Hub Mode" do you mean the following option?

What do you mean by this option "matched rules tab"?

Could you tell me where you see that, please?

Cheers. 🙂

Re: Firewall does not block traffic.

the_rock — Fri, 05 Jan 2024 15:42:28 GMT

I think Chris was referring to log entry, which would have matched rules tab.

Andy

Re: Firewall does not block traffic.

PhoneBoy — Fri, 05 Jan 2024 20:58:44 GMT

Unless "Route All Traffic to Gateway" (i.e. Hub Mode) is enabled, you cannot prevent a Remote Access client from connecting to an externally hosted site.
This is the kind of thing Harmony Endpoint or Quantum SASE should be able to do.

Re: Firewall does not block traffic.

Chris_Atkinson — Sat, 06 Jan 2024 00:08:03 GMT

Correct, since technically all we see is the DNS traffic in the logs above and without hub mode forcing internet traffic via the VPN the Firewall will not be able to block other traffic unless it is in the encryption domain.

Re: Firewall does not block traffic.

the_rock — Mon, 08 Jan 2024 00:44:06 GMT

As @PhoneBoy said, if that option route all gtraffic to gateway is not enabled, then its not really feasable to prevent client to get to external site, since they would technically be using their own ISP for that sort of traffic.

Makes sense?

Best,

Andy