Noah_T
Participant

Same traffic being accepted and dropped

I'm experiencing an issue where the same traffic (same source, source port, destination and destination port) is being accepted by a rule and also being dropped by the cleanup rule.

Accept traffic settings:

Accepted by rule 121 with TCP Service Object "MS-SQL-Server" (Protocol set to None, Match by Port 1433, "Override global domain settings" chosen in the 'Advanced' tab). We have NAT happening on this traffic.

Source: 10.208.34.143 Destination: 10.247.158.45 Service: MS-SQL-Server. This is being NATted to SNAT: 160.xx.xx.xx DNAT: 10.154.204.xx

We have static routes on the firewall for both the original destination and the NATted destination, as below:

10.247.158.0/24 to x.x.x.x

10.154.204.0/24 also to x.x.x.x

The traffic is being accepted and NATted (we see this in the CLM logs), but right below that we also see the traffic being dropped. The only difference is that the accepted traffic is on the 'Mgmt' interface and the dropped traffic is on another interface, 'eth3'.

The gateways are on R80.20.

Any thoughts on why this is happening?
3 Replies
Timothy_Hall
Champion
Champion

Please provide the redacted log cards for both an accepted connection and one that is denied by the cleanup rule, ideally for the same connection if possible (indicated by an identical source port outbound and identical destination port inbound). 

If the connection being denied on the cleanup rule is some kind of "pinholed" connection with a dynamically allocated port (such as FTP data connections), that would generally indicate the firewall is not aware of, or is missing, the dynamic port allocation and is therefore denying it as a "new" connection on the cleanup rule.
Noah_T
Participant

Hi Timothy,

Thank you for the reply.

Surprisingly, the issue is resolved without anyone doing any correction.

Unfortunately I cannot share the log cards due to DLP issues. I believe the firewall was treating the same packet in two ways:

1) It was allowed by a rule, then NAT was performed on it and it was routed to the external interface (eth3).

2) The same packet was routed to the external interface (eth3), and this packet was coming back in on the eth3 interface (as per the routing on the next-hop router) and being dropped by the firewall, hitting the cleanup rule.

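The pattern the poster describes (an accept on one interface immediately followed by a cleanup-rule drop of the same source/port/destination/port on another interface) is easy to pick out of a log export once you correlate on the 4-tuple. The script below is an added example, not code from the thread or from Check Point; it uses a constructed, simplified `field=value` log layout (field names such as `ifname`, `s_port` and `service` are assumptions) rather than the real log export format, so `parse_line()` needs adapting to whatever export you actually have.

```python
"""Correlate accept/drop log pairs that share one TCP 4-tuple across interfaces.

Added example, not from the thread. The log layout below is constructed and
simplified (semicolon-separated field=value); it is NOT the real Check Point
export format, so adapt parse_line() before running it on real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: line 1 is accepted by rule 121 on Mgmt and line 2 is
# the same 4-tuple dropped by the cleanup rule on eth3 in the same second,
# mirroring the thread. The 51235 drop is minutes later (not paired by default).
SAMPLE_LOG = """\
time=2019-05-01 10:00:00;action=Accept;ifname=Mgmt;src=10.208.34.143;s_port=51234;dst=10.247.158.45;service=1433;rule=121
time=2019-05-01 10:00:00;action=Drop;ifname=eth3;src=10.208.34.143;s_port=51234;dst=10.247.158.45;service=1433;rule=Cleanup
time=2019-05-01 10:00:05;action=Accept;ifname=Mgmt;src=10.208.34.143;s_port=51235;dst=10.247.158.45;service=1433;rule=121
time=2019-05-01 10:00:07;action=Accept;ifname=eth3;src=10.10.10.5;s_port=40000;dst=10.247.158.45;service=1433;rule=121
time=2019-05-01 10:03:00;action=Drop;ifname=eth3;src=10.208.34.143;s_port=51235;dst=10.247.158.45;service=1433;rule=Cleanup
"""


def parse_line(line):
    """Split one 'k=v;k=v' record into a dict and parse its timestamp."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def find_accept_drop_pairs(log_text, window=timedelta(seconds=2)):
    """Return (accept, drop) pairs with identical src/s_port/dst/service
    where the drop follows the accept within `window` on a different
    interface. That combination is the signature of a packet that left the
    gateway and was routed straight back by the next hop (hairpin/route loop)
    rather than of a genuine policy mismatch."""
    by_tuple = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["src"], rec["s_port"], rec["dst"], rec["service"])
        by_tuple[key].append(rec)

    pairs = []
    for recs in by_tuple.values():
        recs.sort(key=lambda r: r["time"])
        accepts = [r for r in recs if r["action"] == "Accept"]
        drops = [r for r in recs if r["action"] == "Drop"]
        for a in accepts:
            for d in drops:
                in_window = a["time"] <= d["time"] <= a["time"] + window
                if in_window and a["ifname"] != d["ifname"]:
                    pairs.append((a, d))
    return pairs


def describe(pair):
    """One-line summary pointing at what to check next (the route on the
    egress interface / next-hop router)."""
    a, d = pair
    delay = (d["time"] - a["time"]).total_seconds()
    return (f"{a['src']}:{a['s_port']} -> {a['dst']}:{a['service']} accepted by rule "
            f"{a['rule']} on {a['ifname']}, then dropped by {d['rule']} on "
            f"{d['ifname']} {delay:.0f}s later: check the route toward the next hop "
            f"on {d['ifname']} (possible hairpin / routing loop)")


if __name__ == "__main__":
    for p in find_accept_drop_pairs(SAMPLE_LOG):
        print(describe(p))
```

The default two-second window deliberately ignores the later drop of source port 51235: a drop minutes after the accept is far more likely an unrelated retransmission or a new connection than a looped-back copy of the original packet. Widen `window` if your log timestamps have coarse resolution.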
Noah_T
Participant

Uploaded the log records. Thanks!

Currently the issue is resolved, not sure how!