Michael_Wagner
Explorer

Cleanup Rule with Reject action


For various reasons we use Reject as the action in the cleanup rule of an internal firewall. We know about the performance impact due to the ICMP packets being sent, but this is okay for us.

Since the cleanup action is not drop, we get the message "Missing cleanup rule - Unmatched traffic will be dropped and not logged". Is there anything to consider (except the performance issue) about having a cleanup rule with action reject? 

The affected firewall is not exposed to the internet, so there is no chance of an external DDoS attack on it. The given warning does not affect us, since all rejected traffic is logged in our own cleanup rule.


Accepted Solutions
PhoneBoy
Admin

Beyond the performance issue and revealing the existence of the firewall itself, it shouldn’t be an issue.

This message shows up anytime the last rule is not any any any drop (or accept).
It’s not considered “best practice” to have the action reject, thus why we flag that.
Obviously no traffic would hit that implied cleanup rule in your case. 

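The accepted answer states the rule behind the warning: it appears whenever the last rule in the policy is not any/any/any with action Drop (or Accept). The following is an added example, not code from this thread or from Check Point, that applies that check to a constructed, simplified rulebase model (the `Rule` dataclass, the `ANY` marker and the action/track names are assumptions for illustration, not the management API's schema). It distinguishes a proper cleanup rule, a missing one (unmatched traffic falls to the implied cleanup rule, dropped and not logged), and a Reject cleanup rule, for which it reports the cost named in the answer and whether the rule's own track setting still logs the traffic, as the questioner's does.

```python
"""Audit the cleanup rule of a firewall policy.

Added example; the rulebase model below is constructed for illustration and
is not the Check Point management API's object format.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ANY = "Any"  # assumed marker for an unrestricted source/destination/service cell


@dataclass
class Rule:
    name: str
    source: List[str] = field(default_factory=lambda: [ANY])
    destination: List[str] = field(default_factory=lambda: [ANY])
    service: List[str] = field(default_factory=lambda: [ANY])
    action: str = "Drop"   # assumed values: "Accept", "Drop", "Reject"
    track: str = "None"    # assumed values: "None", "Log"
    enabled: bool = True


def is_catch_all(rule: Rule) -> bool:
    """True when source, destination and service are all Any (any/any/any)."""
    return all(cells == [ANY] for cells in (rule.source, rule.destination, rule.service))


def cleanup_status(rules: List[Rule]) -> Tuple[str, str]:
    """Return (status, detail) for the policy's cleanup rule.

    status is one of:
      'ok'      explicit any/any/any rule with action Drop or Accept
      'missing' no explicit catch-all last rule; the implied cleanup rule
                applies (unmatched traffic dropped and not logged)
      'reject'  catch-all last rule with action Reject
    Disabled rules are skipped, so a disabled cleanup rule counts as missing.
    """
    active = [r for r in rules if r.enabled]
    if not active:
        return "missing", "rulebase has no enabled rules; implied cleanup rule applies (drop, not logged)"

    last = active[-1]
    if not is_catch_all(last):
        return "missing", (
            f"last enabled rule '{last.name}' is not any/any/any; "
            "unmatched traffic hits the implied cleanup rule (drop, not logged)"
        )
    if last.action in ("Drop", "Accept"):
        return "ok", f"explicit cleanup rule '{last.name}' with action {last.action}"
    if last.action == "Reject":
        logged = "logged" if last.track == "Log" else "not logged"
        return "reject", (
            f"cleanup rule '{last.name}' uses Reject: every unmatched connection is answered "
            "(ICMP unreachable, or a TCP reset for TCP), which costs CPU and reveals the "
            f"enforcement point to the sender; unmatched traffic is {logged} by this rule"
        )
    return "missing", f"cleanup rule '{last.name}' has unrecognised action {last.action!r}"


def audit(rules: List[Rule]) -> str:
    """Human-readable one-line verdict, as a policy review script would print."""
    status, detail = cleanup_status(rules)
    return f"[{status.upper()}] {detail}"


if __name__ == "__main__":
    # Constructed sample policies: a conventional cleanup rule, the Reject
    # variant from the question, and a policy with no explicit cleanup rule.
    allow_dns = Rule("allow-dns", service=["dns"], action="Accept", track="Log")
    print(audit([allow_dns, Rule("cleanup", action="Drop", track="Log")]))
    print(audit([allow_dns, Rule("cleanup", action="Reject", track="Log")]))
    print(audit([allow_dns]))
    print(audit([allow_dns, Rule("cleanup", action="Drop", enabled=False)]))
```

The `track` check reflects the questioner's point: with Reject plus logging in their own rule, the "not logged" part of the warning does not apply to them, while the response-packet cost and the fact that a sender learns an enforcement point exists still do.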

2 Replies

Michael_Wagner
Explorer

Thanks!
