topic Re: Dropped or not in General Topics

Dropped or not

cezar_varlan1 — Mon, 11 Mar 2019 08:27:10 GMT

Hello,

I have come across a strange situation where my packets are both Accepted and Dropped at the same time. Can anyone help me determine what is the real outcome ?

Firewall Rule:

*Picture was unclear.Updated to clearly see policy has Drop*:

Output of the log:

Description of the event:

https Traffic Accepted from <USER NAME> (<username>)(<internal_ip>) to 2.17.117.112 due to TCP segment out of maximum allowed sequence. Packet dropped.

Knowing that i found the packet that is simultaneously both accepted and dropped - I will just leave this here for reference:

Schrödinger's cat - Wikipedia

Re: Dropped or not

G_W_Albrecht — Mon, 11 Mar 2019 09:52:10 GMT

What i can see is that your Access Rule "Block Crypto Miners" does accept the packet, then it is dropped by IPS Sanity checks ! Maybe sk122072: 'TCP out of Sequence' logs in SmartView Tracker can help ?

Re: Dropped or not

Gaurav_Pandya — Mon, 11 Mar 2019 10:23:59 GMT

Hi,

It is accepted by policy but it is dropped by IPS. Are you getting this message continuously or for specific time. One of the reason is high memory usage as well.

SK66576 & SK114529 will be helpful.

Re: Dropped or not

cezar_varlan1 — Mon, 11 Mar 2019 11:08:24 GMT

My mistake - the rule is configured to DROP but this was not clear in the first picture. I corrected.

Yet the logs say Rule 18, descriptions says Accepted. Protection says Dropped.

Re: Dropped or not

cezar_varlan1 — Mon, 11 Mar 2019 11:10:06 GMT

Why is it accepted by the policy when the action on the rule is Drop?

Re: Dropped or not

G_W_Albrecht — Mon, 11 Mar 2019 11:59:06 GMT

The main thing is that it is dropped by IPS - i would start from there ...

Re: Dropped or not

Gaurav_Pandya — Mon, 11 Mar 2019 12:27:55 GMT

Hi,

Is this for any specific traffic?

Please run zdebug and fw monitor for more troubleshooting

Re: Dropped or not

cezar_varlan1 — Mon, 11 Mar 2019 12:58:58 GMT

My issue is that the firewall log for rule 18 says "Accepted"

I can agree that apps can only be detected and classified ONLY after allowing the connection to be initiated.

Does this mean that the unified policy is misleading? Yes

Does this mean that this traffic is passed through the next firewall rules? I don't know

My customer is asking me to advise on how to build the ruleset considering that his rules are "avoided". I would agree that if there is an explicit drop, i would much appreciate not seeing any kind of log saying it was allowed as this creates confusion. Especially If the Firewall is claiming my rule 18 matched this traffic -

The only supposition i have is that because it's somehow fragmented it cannot be inspected... but still it is accepted and on a rule with Coinhive.

The other perculiar thing is that on the same rule i have both this example https traffic and SMTP traffic.

Re: Dropped or not

G_W_Albrecht — Mon, 11 Mar 2019 13:05:04 GMT

I would involve TAC - although i would suggest that an Accept here just means that this rule did not match, as then it would drop the packet instead. The message is from IPS, so that is the key here !

Re: Dropped or not

cezar_varlan1 — Mon, 11 Mar 2019 20:33:19 GMT

Exactly the same suggestion was given by TAC. After reading the SKs i can see that setting this protection to Detect makes it be bypassed by other IPS protections.

However my issue is with the log stating Accept. Is this passed to the next rule or simply allowed?

Re: Dropped or not

cezar_varlan1 — Thu, 14 Mar 2019 08:54:40 GMT

1. I am updating with more information. I have tested this signature on different setup, everything works. This means that the app "Coinhive" itself has no issue.

2. The rule on this particular SMS/vSEC Gateway has been deleted, policy installed. Re-created, policy installed again. The result is similar:

Traffic is dropped as intended: ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.202.44:50534 -> 86.105.182.5:443 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 18;
There is no log of this happening. Looked historically and things went bad on the 3rd of March when i have the last Application Control log working for this:
The bogus logs for SMTP Bypass and Accepted HTTPS dropped by Inspection were there all along.
Example (rule numbe changes as i moved it around):
For the SMTP bypass support claims it is sourced by sk120964. However i cannot get my head around why would this SMTP bypass log trail around my rule 18 every single time i create or delete it. Why doesn't it pop on rule 10 or 11 or 50?
For HTTPS with Accept message and Dropped Description there is no explanation yet. I have checked and inspection settings according to SK66576 & SK114529 , that have been brought into discussion earlier are set to Drop and Log.
There is no proper Inspection Setting Log and regarding this or i don;t yet know where i would see inspection setting logs, as they seem more part of the firewall rather than IPS starting R80.

Unrelated Note: The new interface for Check Mates makes editing a complicated mess. It was much better before. Hope it was worth it. I just noticed while trying to make this post. You can't even paste pictures anymore. Let alone "quote" text.

Makes me think it now looks awfully aligned with the new Support Interface. Not everything is supposed to be a feed, sometimes i would like to be able to track my cases by just scrolling down, not having replies in my SR's arranged by "relevance" and "likes". Somebody actually hired some PR/Marketing guys to keep shifting interfaces around?!

Re: Dropped or not

Jerry — Thu, 14 Mar 2019 09:10:24 GMT

great post I like it a lot ! 🙂

Re: Dropped or not

PhoneBoy — Fri, 15 Mar 2019 04:28:26 GMT

There should be a "quote" button on the right side of the toolbar. I'll see if we can enable pasting photos into the editor as, I agree, that is quite useful 🙂