Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Subscribers 28 subscribers
  • Views 7654 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

What is this traffic being blocked?

shred

There's a list of entries in my firewall log of traffic being 'Denied' but I'm not sure what's causing it and why it's being blocked.

Here's a screenshot of the firewall log:

Here's the detailed description from one of the entries:

2018-08-24 15:12:59Firewallmessageid="00002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="9" policy_type="1" user="" user_group="" web_policy_id="12" ips_policy_id="12" appfilter_policy_id="10" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1" out_interface="" src_mac="[removed]" src_ip="172.16.16.20" src_country="" dst_ip="66.58.255.17" dst_country="" protocol="UDP" src_port="52177" dst_port="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

Here's a screenshot of firewall rule 9:

The destination IP addresses appear to be Google's main page. My only guess is because there's no 'Out Interface' defined, so the traffic is being blocked because it's not matching any Zones I have defined in my firewall rules.

Any ideas?



This thread was automatically locked due to age.
Parents
  • 0

    Hi Shred,

    part of the answer is there is no output port because the transactions are going out through the http proxy. Also appears to be blocked because the packets have no size, though I am not sure about that bit.

    Ian

  • +1 in reply to rfcat_vk

    Hm, interesting - all of my traffic should be going through the http proxy because I have Scan HTTP enabled and a web policy, so I’m not sure that’s it.

    Thinking about this, it’s UDP going to a destination of port 443... I think this is traffic being blocked because I have ‘Block Google QUIC’ selected in my firewall rules. I’m also guessing since it’s being blocked, it never makes it to the ‘Out Interface’ thus it’s showing up in the logs with the ‘Out Interface’ blank.

Reply
  • +1 in reply to rfcat_vk

    Hm, interesting - all of my traffic should be going through the http proxy because I have Scan HTTP enabled and a web policy, so I’m not sure that’s it.

    Thinking about this, it’s UDP going to a destination of port 443... I think this is traffic being blocked because I have ‘Block Google QUIC’ selected in my firewall rules. I’m also guessing since it’s being blocked, it never makes it to the ‘Out Interface’ thus it’s showing up in the logs with the ‘Out Interface’ blank.

Children