
XG reporting problems yet again ... Firewall accepting forbidden traffic.

Hello Everyone.  I posted a few months ago that a "clean up rule", so common on competing firewalls, cannot be used on Sophos XG without causing reporting issues.

Here: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/98440/clean-up-rule-from-any-to-any-drop-that-s-allowed-on-the-internet-anyway-wtf 

We are told the firewall behaves properly no matter what, but users have no easy or practical means of knowing.  Well, here's another one.  The following is a rule we have in our firewall: rule no. 6, which allows SMTP and SMTPS traffic into our Anti-Spam server.

"SMTP, WAN towards our Anti-Spam server", from WAN to LAN, allows "SMTP (port 25) and SMTP(s) (port 587)".  Simple, right?  "ext-ip xxx.xxx.xxx.xxx" is the Internet (i.e. valid and NATed) address. int_ip is the internal address of the same Anti-Spam server.



  • OK.  Rows with vertical dots mean many rows that repeat themselves.  For the sake of simplicity, I removed them.  What I understand is that this rule 6 allows ONLY SMTP (25) and SMTPS (587) traffic.  Why do I see 80, 443, ICMP, 123, etc. traffic???

  • Hi,

    There would appear to be something wrong with that rule, because you are seeing outgoing traffic using that rule.

    Please post an expanded copy of the rule.

    Thank you 

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hello.  It is a reflexive rule ...  Bidirectional SMTP(s) traffic is normal in this case ...  But all other traffic is not ...

  • Hi Big_Buck,

    It is not the outgoing SMTP/S traffic that is the issue; it is the UDP 123 and 80 and 443 etc.

    Ian


  • This post is clearly just about that: unallowed UDP 123, 80, 443 and all traffic.  That said, do you have an idea how this could happen???  How can I rely on XG now???  This is cybernical Swiss cheese!!!

  • I agree, and that is why I would like to see the whole rule, so that wiser eyes than mine might review it.

    Ian


  • Hi,

    I tried to reproduce it, but no luck here on 3 appliances.


    The appliance is blocking everything except 25 and 587 from the client to WAN.

    2018-04-10 10:24:02 0101021 IP 192.168.100.50.51736 > 8.8.8.8.443 : proto TCP: S 1375871700:1375871700(0) win 29200 checksum : 27773
    0x0000: 4510 003c 77ea 4000 3f06 8ed7 c0a8 6432 E..<w.@.?.....d2
    0x0010: 0808 0808 ca18 01bb 5202 22d4 0000 0000 ........R.".....
    0x0020: a002 7210 6c7d 0000 0204 05b4 0402 080a ..r.l}..........
    0x0030: 9e9b 5542 0000 0000 0103 0307 ..UB........
    Date=2018-04-10 Time=10:24:02 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev=PortB inzone_id=3 outzone_id=2 source_mac=00:0c:29:21:4f:78 dest_mac=00:0c:29:5b:cf:27 l3_protocol=IP source_ip=192.168.100.50 dest_ip=8.8.8.8 l4_protocol=TCP source_port=51736 dest_port=443 fw_rule_id=0 policytype=0 live_userid=1 userid=12 user_gp=8 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=1137654688 masterid=0 status=256 state=1 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A


    No "Allowed" packets in the Log Viewer.

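The original poster filtered the Log Viewer on "Firewall Rule is 6" by hand to spot the unexpected ports, and the reproduction above shows the key=value layout XG writes for each connection. The following is an added example (not code from the thread or from Sophos) that automates that check: it parses lines in that layout and flags every "Allowed" entry attributed to a rule whose protocol/port is outside what the rule is supposed to carry. The sample log lines are constructed for the example; the rule id 6 and ports 25/587 come from the thread, the IP addresses, timestamps and the accepted-port logic for reflexive (bidirectional) matches are assumptions. Denied entries are ignored, since the question is about traffic the rule let through.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample lines in the key=value layout shown in the thread's log
# excerpt, trimmed to the fields this audit needs. Addresses are documentation
# ranges; rule 6 / ports 25 and 587 are the thread's "SMTP, WAN towards our
# Anti-Spam" rule. Only the first line (a denied hit on rule 0) mirrors the
# original excerpt; the rest are invented "Allowed" entries for rule 6.
SAMPLE_LOG = """\
Date=2018-04-10 Time=10:24:02 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied source_ip=192.168.100.50 dest_ip=8.8.8.8 l4_protocol=TCP source_port=51736 dest_port=443 fw_rule_id=0
Date=2018-04-10 Time=10:25:11 log_type=Firewall log_component=Firewall_Rule log_subtype=Allowed source_ip=198.51.100.7 dest_ip=10.0.0.25 l4_protocol=TCP source_port=40112 dest_port=25 fw_rule_id=6
Date=2018-04-10 Time=10:25:12 log_type=Firewall log_component=Firewall_Rule log_subtype=Allowed source_ip=198.51.100.8 dest_ip=10.0.0.25 l4_protocol=TCP source_port=40113 dest_port=587 fw_rule_id=6
Date=2018-04-10 Time=10:25:40 log_type=Firewall log_component=Firewall_Rule log_subtype=Allowed source_ip=10.0.0.25 dest_ip=203.0.113.9 l4_protocol=UDP source_port=123 dest_port=123 fw_rule_id=6
Date=2018-04-10 Time=10:26:03 log_type=Firewall log_component=Firewall_Rule log_subtype=Allowed source_ip=10.0.0.25 dest_ip=203.0.113.10 l4_protocol=TCP source_port=51800 dest_port=443 fw_rule_id=6
Date=2018-04-10 Time=10:26:30 log_type=Firewall log_component=Firewall_Rule log_subtype=Allowed source_ip=10.0.0.25 dest_ip=203.0.113.11 l4_protocol=ICMP fw_rule_id=6
"""

# key=value pairs separated by whitespace; a value may be double-quoted and
# contain spaces (XG quotes such values), otherwise it runs to the next space.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# What each audited rule is expected to carry: rule id -> L4 protocol -> ports.
# Any rule not listed here is left alone. Rule 6 is from the thread; the
# structure is an assumption of this example, not an XG export format.
EXPECTED_PORTS: Dict[str, Dict[str, set]] = {"6": {"TCP": {"25", "587"}}}

REPORT_FIELDS = ("Date", "Time", "fw_rule_id", "l4_protocol",
                 "source_ip", "source_port", "dest_ip", "dest_port")


def parse_xg_line(line: str) -> Dict[str, str]:
    """Split one XG key=value log line into a dict, stripping value quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def is_expected(entry: Dict[str, str], expected: Dict[str, Dict[str, set]]) -> bool:
    """True if the entry's protocol/port is something its rule should carry."""
    rule = entry.get("fw_rule_id")
    if rule not in expected:
        return True                      # not a rule we audit
    ports = expected[rule].get(entry.get("l4_protocol", ""))
    if not ports:
        return False                     # e.g. UDP or ICMP under a TCP-only rule
    # Accept the SMTP port on either end: an inbound delivery has dest_port
    # 25/587, while a reflexive (bidirectional) match on the mail server's own
    # connections logs that port as source_port. Assumed behaviour.
    return entry.get("dest_port") in ports or entry.get("source_port") in ports


def audit(lines: Iterable[str],
          expected: Dict[str, Dict[str, set]] = EXPECTED_PORTS) -> List[Dict[str, str]]:
    """Return the 'Allowed' entries whose rule let through unexpected traffic."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_xg_line(line)
        if entry.get("log_subtype") != "Allowed":
            continue                     # dropped traffic is not the question here
        if is_expected(entry, expected):
            continue
        # Missing fields (ICMP has no ports) are reported as N/A like XG does.
        flagged.append({k: entry.get(k, "N/A") for k in REPORT_FIELDS})
    return flagged


if __name__ == "__main__":
    for hit in audit(SAMPLE_LOG.splitlines()):
        print("rule {fw_rule_id}: {l4_protocol} {source_ip}:{source_port} -> "
              "{dest_ip}:{dest_port} at {Date} {Time}".format(**hit))
```

Run it against an export of the firewall log (one key=value line per connection) and every printed line is a connection the firewall reported as allowed by rule 6 on a protocol or port the rule does not cover: on the constructed sample that is the UDP 123, TCP 443 and ICMP entries, while the two SMTP deliveries pass. Whether such hits are a reporting bug or real pass-through, as the thread debates, is what the expanded rule and a packet capture would then settle.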

  • Hello ManBearPig.  Two things.  First, the rule you show totals 0 (zero) bytes in and out.  Is that normal?  Second, I filtered logs using "Firewall Rule is 6".  If I do not do so, it becomes very hard to find those errors.