Sanjay_S
Advisor

Application and URL Filtering Drops

Hi All,

I see the below drops on Application filtering, the type says "Session" and the destination is an IP so not sure how to troubleshoot this.

Please help to fix this. Thanks in advance.

Time: 2020-06-03T12:23:47Z
Interface Direction: inbound
Interface Name: eth1
Connection Direction: Outgoing
Id: ac1qwe3af-1f3a-0000-asdc-00000001
Id Generated By Indexer:false
First: false
Sequencenum: 22
Hll Key: 56821192462850914
Duration: 300
Last Update Time: 2020-06-03T12:23:47Z
Update Count: 2
Connections: 1
Aggregated Log Count: 1
Creation Time: 2020-06-03T12:23:47Z
Source: 10.10.x.x
Destination: 1.2.1.3
Destination Port: 443
IP Protocol: 6
Service ID: https
Source Zone: Internal
Destination Zone: External
Last Update Time: 2020-06-03T12:28:47Z
Action: Drop
Type: Session
Policy Name: Standard
Policy Management: ABCD_Mgmt_Server
Db Tag: {13405065-D333-3540-964B-2FA7A027B7CB}
Policy Date: 2020-06-03T12:22:01Z
Blade: Firewall
Origin: ABCDEFFW01
Service: TCP/443
Product Family: Access
Logid: 1234
Domain: ABCD_Mgmt_Server
Access Rule Name: Deny Any
Access Rule Number: 18
Policy Rule UID: 8989898-090909-998
Layer Name: Application
Interface: eth1
Description: https Traffic Dropped from 10.10.x.x to 1.2.1.3

6 Replies
Timothy_Hall
Champion

Have you looked through all the tabs (circled below) on the log card?

tabs.png

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Sanjay_S
Advisor

Hi Timothy,
I don't see the Session tab at all in the log.
0 Kudos
Sanjay_S
Advisor

Hi Timothy,
After enabling the detailed logging I can see the Session tab. But I don't see much difference between the Details and Session tabs. Not seeing more information on this. Any help is much appreciated.

Time: 2020-06-05T16:25:13Z
Interface Direction: inbound
Interface Name: eth1
Connection Direction: Outgoing
Id: ac1103af-1f3a-0000-5eda-71e900000002
Id Generated By Indexer:false
First: false
Sequencenum: 14
Hll Key: 9772743427617257963
Duration: 300
Last Update Time: 2020-06-05T16:29:46Z
Update Count: 3
Connections: 5
Aggregated Log Count: 7
Creation Time: 2020-06-05T16:25:13Z
Source: 10.0.0.1
Destination: 3.1.2.11
Destination Port: 443
IP Protocol: 6
Protocol: HTTPS
Sig Id: 4
Service ID: https
Source Zone: Internal
Destination Zone: External
Packets: 10
Total Bytes: 867
Client Inbound Packets: 6
Client Outbound Packets:4
Server Inbound Packets: 4
Server Outbound Packets:6
Client Inbound Bytes: 683
Client Outbound Bytes: 184
Server Inbound Bytes: 184
Server Outbound Bytes: 683
Last Update Time: 2020-06-05T16:30:13Z
Action: Drop
Type: Session
Policy Name: Standard
Policy Management: ABCD_Mgmt_Server
Db Tag: {0F6DB4CC-76A3-5142-80FB-580A72810BF9}
Policy Date: 2020-06-05T16:23:22Z
Blade: Firewall
Origin: ABCDEFFW01
Service: TCP/443
Product Family: Access
Sent Bytes: 683
Received Bytes: 184
Logid: 352
Domain: ABCD_Mgmt_Server
Access Rule Name: Deny Any
Access Rule Number: 18
Policy Rule UID: 86b4d9db-0f48-44f2-9168-4fb85f74a617
Layer Name: Application
Interface: eth1
Description: https Traffic Dropped from 10.0.0.1 to 3.1.2.11
0 Kudos
Wolfgang
Leader

@Sanjay_S 

Your shown connection is dropped by rule number 18.

Access Rule Name: Deny Any
Access Rule Number: 18
Policy Rule UID: 86b4d9db-0f48-44f2-9168-4fb85f74a617
Layer Name: Application

You should check this rule; the name indicates that the rule drops all.

Wolfgang

Sanjay_S
Advisor

Thanks for the reply.
As per the customer, a particular server needs access only to a particular URL and nothing else, and hence created a rule at the bottom to block everything except the URLs he wants to access, and that is Rule 18.
0 Kudos
Wolfgang
Leader

Your log shows blocking from the firewall blade, not application control/URL filter.

Please show your rulebase, maybe something is configured wrong.

Wolfgang

0 Kudos
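
The triage the replies above do by eye, as an added example that is not part of the thread or any poster's code: it parses a log card pasted as "Field: value" lines and reports which rule, layer and blade produced the drop. The sample is a subset of fields copied from the second log in the thread; the function names and the blade names in `APP_BLADES` are assumptions.

```python
import ipaddress

# Subset of fields copied from the second log card in the thread.
SAMPLE = """\
Time: 2020-06-05T16:25:13Z
Id Generated By Indexer:false
Last Update Time: 2020-06-05T16:29:46Z
Destination: 3.1.2.11
Last Update Time: 2020-06-05T16:30:13Z
Action: Drop
Type: Session
Blade: Firewall
Access Rule Name: Deny Any
Access Rule Number: 18
Layer Name: Application
Description: https Traffic Dropped from 10.0.0.1 to 3.1.2.11
"""

# Assumption: how the application-level blades are named in the "Blade" field.
APP_BLADES = {"Application Control", "URL Filtering"}

def parse_log_card(text):
    """Return {field: [values]}. Splits on the first colon only, so
    timestamps survive, 'Key:value' without a space is accepted, and
    repeated fields (Last Update Time) keep every value in order."""
    card = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            card.setdefault(key.strip(), []).append(value.strip())
    return card

def _is_ip(value):
    try:
        ipaddress.ip_address(value or "")
        return True
    except ValueError:
        return False  # masked ("10.10.x.x"), hostname, or missing

def drop_attribution(card):
    """Summarise which rule, layer and blade the log attributes the drop to."""
    last = lambda field: card.get(field, [None])[-1]
    return {
        "action": last("Action"),
        "rule": (last("Access Rule Number"), last("Access Rule Name")),
        "layer": last("Layer Name"),
        "blade": last("Blade"),
        "dest_is_ip": _is_ip(last("Destination")),
        "matched_by_app_blade": last("Blade") in APP_BLADES,
    }

if __name__ == "__main__":
    for field, value in drop_attribution(parse_log_card(SAMPLE)).items():
        print(f"{field}: {value}")
```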