Re: Drops on accept rule

Jon_Dyke · ‎2018-08-22

Hi All

I am currently having a very odd issue that I cannot get to the bottom of on pair of R80.10 gateways. I am seeing 'weird drops' on rules which are actually accept rules.

Here is one example:-

I open a browser on 192.168.3.14 and go to Intel.com.

The site opens ok but :-

fw ctl zdebug drop | grep 192.168.3.14

shows:-

;[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 192.168.3.14:50702 -> 34.238.108.124:443 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Site0-Simplified-Policy Secur" rule 3;

Rule 3 is an accept rule!!!!

Any help appreciated.

Thanks

Jon

Maik · ‎2018-08-22

Hey Jon,

Hm indeed, sounds weird.

Can you please verify the currently installed policy on the related security gateway with "fw stat" and check if the install date matches the latest policy changes?

If that's not the case try to push the current policy. Also; what does Smartview Monitor show you in the logging section? If there aren't any logs verify that logging is enabled for the related rule.

Another thing; how exactly does your rule look like?

Regards,

Maik

Maarten_Sjouw · ‎2018-08-22

Seen this in 77.30 a couple of times, every time it was related to IPS.

You will need to open a TAC ticket to see what is really going on.

Regards, Maarten

Timothy_Hall · ‎2018-08-22

In R80.10 the signature dropping this traffic on an accept rule is almost certainly located under "Inspection Settings" and not IPS assuming there is not a separate IPS log entry.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

_Val_ · ‎2018-08-24

No, IPS drop will be shown in a different debug message. It will not be "rulebase drop"

Tomer_Sole · ‎2018-08-22

What does the log card say

Jon_Dyke · ‎2018-08-23

Thanks for the responses. I have the IPS blade on a limited scope at the moment as I am testing so I will try disabling this to see if this makes a difference.

The rule is actually one of the mgmt rules where a few host groups have access to the FW cluster and gateway addresses.

It has nothing to do with with outbound access at all which is why I am confused at to why its even:-

a: this rule is getting involved at all

b: its an accept rules anyway so should not be dropping

There is nothing in the logs BTW - I only see the drops when using fw ctl zdebug

Jon

vikas_mandhan · ‎2018-12-05

Hey Jon, Did you find the root cause of the issue ? we are having the same issue where firewall drop https packet on accept rule.

_Val_ · ‎2018-08-24

FW kernel does not read rule numbers from the policy package. It is only counting rules applied to a particular GW. If you are using something other than "Policy targets" in the "Install On" column, it might be rule other than number 3 in the policy package.

If this is not the case, check the policy name installed on the GW and the date it was installed on. It might be that some rules were inserted or removed afterwards but policy was not re-applied.

For "rulebase drop" there is no chance it is dropped on accept.

Tal_Ben_Avraham · ‎2018-12-10

Please open a a support ticket for the issue

Nir_Shamir · ‎2019-02-27

Hi,

have you resolved this issue ?

I am seeing the same behavior on a customer of mine.

Rule worked on when the cluster was managed by R80.10 SMS . we moved the cluster to an MDS with the same policy and the traffic was dropped by the same rule.

nirm1 · ‎2019-08-08

Hi,

did anyone solved this ? having same issue on my site, r80.10 take 204.

Alan_Long · ‎2019-09-09

I am having same issue after upgrade from R77.30 to R80.10 Jumbo 203, note none of our R80.10 with Jumbo 154 have this issue

Are you a member of CheckMates?

Drops on accept rule