fw monitor - traffic dropped after i

I have IKE (udp/500) traffic coming in, and it's getting dropped after "i" in fw monitor.

Logs show that it was being dropped due to CP_Early_Drop. I changed early drop optimization to 0 so I can see it in the logs, and it's just bypassing my rule and hitting the default drop any.

[vs_0][fw_33] eth1-01:i[492]: x.x.x.x  -> y.y.y.y (UDP) len=492 id=30892
UDP: 500 -> 500
[vs_0][fw_3] eth1-01:i[492]: x.x.x.x -> y.y.y.y (UDP) len=492 id=31502
UDP: 500 -> 500

In my rule, I'm allowing x.x.x.x to y.y.y.y (which is static NAT), with IKE, gIKE, udp/500, udp/4500 all allowed.

Can't figure out what I'm missing here.

Accepted Solutions

Unified Policy may contain filter criteria that cannot be resolved on a connection's first packet, such as Application or Data. Therefore, on some connections the final rule match decision is reached only on the following data packets.

However, the Rule Base may decide to block the connection at an early stage without a final rule decision, if all potential rules of the layer for a specific connection have a Drop or Reject action. This drop will issue a log with Rule Name "CP_Early_Drop" and hits will be counted for all the potential rules.

The purpose of this optimization is to improve security by dropping the connection as soon as possible. 
However, if you want to get full visibility on the exact rules that dropped the connection, you can turn off the optimization.

Do the following to change the global parameter permanently:

  1. Connect to the command line on the Security Gateway.

  2. Log in to Expert mode.

  3. Set the value of the kernel parameter up_early_drop_optimization to 0 permanently:

    1. Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exist):

      [Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf
    2. Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:

      [Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf
    3. Add the following line (spaces and comments are not allowed):

      up_early_drop_optimization=0
    4. Save the changes and exit from Vi editor.

    5. Check the content of the $FWDIR/boot/modules/fwkern.conf file:

      [Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf
    6. Reboot the Security Gateway.

  4. In SmartConsole, install the policy.

  5. Make sure that the new value was set:

    [Expert@HostName]# fw ctl get int up_early_drop_optimization

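The steps above are typed by hand in Expert mode; as an added example (not from the original post and not Check Point's own tooling), here is a small set of POSIX sh helpers that apply the same procedure in an idempotent, checkable way. The config file path is a parameter so the helpers can be exercised against a scratch file; on a real gateway it would be $FWDIR/boot/modules/fwkern.conf. The function names, the scratch-file demo, and the "name = value" output format assumed for fw ctl get int are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post or of Check Point's own tooling.
# Helpers for the fwkern.conf procedure in the accepted answer. The file path is
# a parameter; on a real gateway it would be $FWDIR/boot/modules/fwkern.conf.
# Function names and the assumed "NAME = VALUE" shape of "fw ctl get int" output
# are assumptions of this example.

# set_kernel_param FILE NAME VALUE
# Writes NAME=VALUE into FILE, replacing any earlier NAME= line, so re-running
# it never produces duplicates. The file keeps the loader's required shape:
# one name=value per line, no spaces, no comments.
set_kernel_param() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"                 # same effect as "touch" in step 3.1
    tmp="$file.tmp.$$"
    grep -v "^$name=" "$file" > "$tmp" || true    # grep exits 1 on no match; not an error here
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# fwkern_conf_is_valid FILE
# Returns 0 only if every line is a bare name=value token. This is the check
# behind "spaces and comments are not allowed" in step 3.3, so a stray
# "# comment" or "name = 0" is caught before the reboot instead of after it.
fwkern_conf_is_valid() {
    ! grep -Evq '^[A-Za-z0-9_]+=[^[:space:]#]+$' "$1"
}

# get_kernel_param_value NAME < OUTPUT
# Extracts the numeric value from "fw ctl get int NAME" output on stdin,
# assumed to look like "NAME = 0". Prints nothing if NAME is not present.
get_kernel_param_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# Stand-alone demonstration on a scratch file (constructed, not a real gateway).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/fwkern.conf"
set_kernel_param "$demo_conf" up_early_drop_optimization 0
set_kernel_param "$demo_conf" up_early_drop_optimization 0   # second run: still one line
fwkern_conf_is_valid "$demo_conf" && echo "fwkern.conf is well-formed:" && cat "$demo_conf"
# Constructed stand-in for the gateway's "fw ctl get int" reply after the reboot
# and policy install (step 5); the parsed value should be 0.
printf 'up_early_drop_optimization = 0\n' | get_kernel_param_value up_early_drop_optimization
rm -rf "$demo_dir"
```

The validator is the part worth keeping around: a malformed fwkern.conf is only noticed after the reboot, when fw ctl get int still reports the old value, so checking the file's shape before rebooting saves a maintenance window.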