Michael_Wagner
Participant

Cleanup Rule with Reject action

For certain reasons we use Reject as the action in the cleanup rule of an internal firewall. We know about the performance impact due to the ICMP packets being sent, but this is okay for us.

Since the cleanup action is not drop, we get the message "Missing cleanup rule - Unmatched traffic will be dropped and not logged". Is there anything to consider (except the performance issue) about having a cleanup rule with action reject? 

The affected firewall is not exposed to the internet, so there is no chance of an external DDoS attack on this. The given warning does not affect us, since all rejected traffic is logged in our own cleanup rule.


Accepted Solutions
PhoneBoy
Admin

Beyond the performance issue and revealing the existence of the firewall itself, it shouldn't be an issue.

This message shows up anytime the last rule is not any any any drop (or accept).
It's not considered "best practice" to have the action reject, which is why we flag that.
Obviously no traffic would hit that implied cleanup rule in your case. 
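The check PhoneBoy describes (the warning fires when the final rule is not any/any/any with drop or accept, and anything that falls off the end of the rulebase hits the implied cleanup rule, which drops without logging) can be reproduced with a small rulebase linter. The following is an added example, not code from this thread or from Check Point; the Rule/Flow structures and the sample rulebase are constructed for illustration and do not follow any Check Point API format. It classifies the end of a rulebase and walks constructed flows through it to show which rule handles each one and whether the decision is logged.

```python
# Added example (not from the thread or Check Point): a rulebase linter that
# reproduces the "missing cleanup rule" check and a first-match evaluator that
# shows where unmatched traffic ends up. Rule/Flow layouts are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # e.g. "tcp/443", "icmp", or "any"
    action: str   # "accept", "drop" or "reject"
    log: bool = True


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str


def _match_field(rule_value: str, flow_value: str, is_addr: bool) -> bool:
    if rule_value == ANY:
        return True
    if is_addr:
        return ip_address(flow_value) in ip_network(rule_value, strict=False)
    return rule_value == flow_value


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_match_field(rule.src, flow.src, True)
            and _match_field(rule.dst, flow.dst, True)
            and _match_field(rule.service, flow.service, False))


def is_cleanup_rule(rule: Rule) -> bool:
    """A cleanup rule matches everything: any source, any destination, any service."""
    return rule.src == ANY and rule.dst == ANY and rule.service == ANY


def cleanup_status(rules):
    """Classify the end of the rulebase.

    "explicit-cleanup": last rule is any/any/any with drop or accept (no warning).
    "reject-cleanup":   last rule is any/any/any with reject; the management
                        warning still appears, but nothing reaches the implied rule.
    "missing-cleanup":  no match-all last rule; unmatched traffic is dropped by the
                        implied cleanup rule and NOT logged.
    """
    if not rules or not is_cleanup_rule(rules[-1]):
        return "missing-cleanup"
    if rules[-1].action in ("drop", "accept"):
        return "explicit-cleanup"
    return "reject-cleanup"


def evaluate(rules, flow):
    """First-match evaluation. Returns (rule name, action, logged)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action, rule.log
    # Fell off the end of the rulebase: implied cleanup rule, drop without log.
    return "implied-cleanup", "drop", False


# Constructed sample rulebases (not from the thread).
RULES_REJECT = [
    Rule("web-to-db", "10.1.0.0/24", "10.2.0.0/24", "tcp/5432", "accept"),
    Rule("mgmt-ssh", "10.9.0.0/24", ANY, "tcp/22", "accept"),
    Rule("cleanup", ANY, ANY, ANY, "reject", log=True),
]
RULES_NO_CLEANUP = RULES_REJECT[:-1]

if __name__ == "__main__":
    samples = (("reject cleanup", RULES_REJECT), ("no cleanup", RULES_NO_CLEANUP))
    flows = (Flow("10.1.0.5", "10.2.0.9", "tcp/5432"),
             Flow("10.1.0.5", "10.2.0.9", "tcp/3389"))
    for label, rules in samples:
        print(label, "->", cleanup_status(rules))
        for flow in flows:
            print("   ", flow, "->", evaluate(rules, flow))
```

Running it shows the practical difference the thread is about: with the reject cleanup rule, the unmatched RDP flow lands on the explicit rule and is logged; with no match-all last rule, the same flow is dropped by the implied cleanup and leaves no log entry.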

Michael_Wagner
Participant

Thanks!
