This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Block CFM updates and XG updates on a Backup Connection

Hello, 

 

In our scenario there is an XG with a Primary Internet connection and a Backup Internet connection (using an external LTE router on Port 3) configured in the WAN link manager.

We are trying to block all traffic except to a credit card provider when on the Backup LTE connection, since it is metered. It seems like we still have some traffic going through the LTE Backup connection that we suspect is from CFM or pattern updates to the XG (unless you see any error in our configuration that is allowing more LAN traffic). Any idea on how to allow Sophos CFM and updates only when the primary Internet connection is up, and only through it?

 

Configuration

   (1st Rule) Credit Card Firewall Rule:
         Source Zone: LAN               Source Networks: Any
         Destination Zone: WAN          Destination Networks: Credit Card Company
         Services: Any
         Web Policy: Credit Card Policy
               Policy: Allow: Custom Category of the Credit Card Company
               Default Action: Deny
         Application Control: Deny All
         Primary Gateway: WAN Link Load Balance

   (2nd Rule) Office to Internet Firewall Rule:
         Source Zone: LAN               Source Networks: Any
         Destination Zone: WAN          Destination Networks: Any
         Services: Any
         Web Policy: Office Policy
               Policy: Allow: Some categories allowed
               Default Action: Deny
         Application Control: Deny All
         Primary Gateway: Primary_Connection

 

All Web Exceptions are disabled.

 

Thank you 



  • Could be some kind of "old connections". Can you reboot this appliance? And can you "double check" via tcpdump on Shell? 

  • Appliance restarted.

    Some of the traffic captured with tcpdump on the backup interface:

    22:25:20.720664 Port3, IN: IP 52.8.93.65.443 > 10.10.4.8.40964: Flags [.], ack 12, win 219, length 0
    22:25:24.969517 Port3, OUT: IP 10.10.4.8.26101 > 10.10.4.1.53: 13986+ A? dns.msftncsi.com. (34)
    22:25:25.077943 Port3, IN: IP 10.10.4.1.53 > 10.10.4.8.26101: 13986 1/0/0 A[|domain]
    22:25:26.577693 Port3, OUT: IP 10.10.4.8 > 10.10.4.1: ICMP echo request, id 1, seq 1, length 192
    22:25:26.578233 Port3, IN: IP 10.10.4.1 > 10.10.4.8: ICMP echo reply, id 1, seq 1, length 192
    22:25:26.578444 Port3, OUT: IP 10.10.4.8 > 10.10.4.1: ICMP echo request, id 1, seq 2, length 192
    22:25:26.578969 Port3, IN: IP 10.10.4.1 > 10.10.4.8: ICMP echo reply, id 1, seq 2, length 192
    22:25:30.711537 Port3, IN: ARP, Request who-has 10.10.4.8 tell 10.10.4.1, length 46
    22:25:30.711567 Port3, OUT: ARP, Reply 10.10.4.8 is-at 00:0d:48:54:50:4f, length 28
    22:25:32.657084 Port3, OUT: IP 10.10.4.8.50308 > 10.10.4.1.53: 13435+ A? docs.google.com. (33)
    22:25:32.761700 Port3, OUT: IP 10.10.4.8.40435 > 10.10.4.1.53: 18191+ A? ssl.gstatic.com. (33)
    22:25:32.768534 Port3, IN: IP 10.10.4.1.53 > 10.10.4.8.50308: 13435 1/0/0 A[|domain]
    22:25:32.851179 Port3, IN: IP 10.10.4.1.53 > 10.10.4.8.40435: 18191 1/0/0 A[|domain]
    22:25:35.685597 Port3, OUT: IP 10.10.4.8.40964 > 52.8.93.65.443: Flags [P.], ack 1, win 305, length 6
    22:26:17.702057 Port3, OUT: IP 10.10.4.8.58268 > 10.10.4.1.53: 8935+ A? atsv2-fp-shed.wg1.b.yahoo.com. (47)
    22:26:17.702174 Port3, OUT: IP 10.10.4.8.36601 > 10.10.4.1.53: 2107+ A? geo.yahoo.com. (31)
    22:26:17.702306 Port3, OUT: IP 10.10.4.8.29020 > 10.10.4.1.53: 37253+ A? e1879.e7.akamaiedge.net. (41)
    22:26:17.905052 Port3, IN: IP 10.10.4.1.53 > 10.10.4.8.58268: 8935 4/0/0[|domain]
    22:26:17.905628 Port3, IN: IP 10.10.4.1.53 > 10.10.4.8.36601: 2107 2/0/0 CNAME[|domain]
    22:26:17.905794 Port3, OUT: IP 10.10.4.8.24049 > 10.10.4.1.53: 5551+[|domain]
    22:26:17.906565 Port3, IN: IP 10.10.4.1.53 > 10.10.4.8.24049: 5551[|domain]
    22:26:17.908711 Port3, IN: IP 10.10.4.1.53 > 10.10.4.8.29020: 37253 1/0/0 (57)
    22:26:17.910507 Port3, OUT: IP 10.10.4.8.7771 > 10.10.4.1.53: 19010+ A? s.gycs.b.yahoodns.net. (39)
    22:26:17.914511 Port3, OUT: IP 10.10.4.8.3810 > 10.10.4.1.53: 24725+ A? s3.yimg.com. (29)
    22:26:17.915438 Port3, OUT: IP 10.10.4.8.22856 > 10.10.4.1.53: 7453+ A? e13136.g.akamaiedge.net. (41)
    22:26:18.011458 Port3, IN: IP 10.10.4.1.53 > 10.10.4.8.7771: 19010 2/0/0[|domain]
    22:26:18.013589 Port3, OUT: IP 10.10.4.8.29992 > 10.10.4.1.53: 17037+[|domain]

  • Can you dump only SYN packets, to see whether the XG or outbound traffic builds up those connections?

    https://serverfault.com/questions/217605/how-to-capture-ack-or-syn-packets-by-tcpdump
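The two replies above ask the same question from two sides: are the packets on Port3 from connections that were already open ("old connections"), or is something opening new ones? The Python script below is an added example, not from this thread or from Sophos. It parses tcpdump's text output in exactly the format posted above (`<time> <iface>, <IN|OUT>: IP <src>.<port> > <dst>.<port>: ...`) and reports two things: which DNS names were looked up over the interface, and, for every TCP flow, whether a SYN was seen during the capture (a connection opened while you were watching) or only ACK/PSH segments (a flow that pre-dates the capture). The sample input reuses seven of the posted lines plus three constructed SYN/SYN-ACK lines, marked as such in the code; the pure-SYN capture filter it prints is standard pcap-filter syntax, the same one the serverfault link describes.

```python
"""Summarise a tcpdump text capture taken on a metered backup interface.

Added example (not part of the original thread). It reads the line format
shown in the capture above and answers: which DNS names were queried, and
which TCP flows were opened during the capture (SYN seen) versus which
only carried traffic from a connection that pre-dates it.
"""
import re
from collections import Counter

# Standard pcap-filter expression for pure SYNs (SYN set, ACK clear):
# shows only new connection attempts, not SYN-ACK replies or data.
PURE_SYN_FILTER = "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"

# Constructed sample: lines 1-7 are copied from the posted capture, lines
# 8-10 are constructed (203.0.113.10 is a documentation address) so the
# parser has one SYN/SYN-ACK handshake and one unanswered SYN to classify.
SAMPLE_CAPTURE = """\
22:25:20.720664 Port3, IN: IP 52.8.93.65.443 > 10.10.4.8.40964: Flags [.], ack 12, win 219, length 0
22:25:24.969517 Port3, OUT: IP 10.10.4.8.26101 > 10.10.4.1.53: 13986+ A? dns.msftncsi.com. (34)
22:25:25.077943 Port3, IN: IP 10.10.4.1.53 > 10.10.4.8.26101: 13986 1/0/0 A[|domain]
22:25:26.577693 Port3, OUT: IP 10.10.4.8 > 10.10.4.1: ICMP echo request, id 1, seq 1, length 192
22:25:30.711537 Port3, IN: ARP, Request who-has 10.10.4.8 tell 10.10.4.1, length 46
22:25:32.657084 Port3, OUT: IP 10.10.4.8.50308 > 10.10.4.1.53: 13435+ A? docs.google.com. (33)
22:25:35.685597 Port3, OUT: IP 10.10.4.8.40964 > 52.8.93.65.443: Flags [P.], ack 1, win 305, length 6
22:26:40.100000 Port3, OUT: IP 10.10.4.8.41000 > 52.8.93.65.443: Flags [S], seq 1, win 64240, length 0
22:26:40.200000 Port3, IN: IP 52.8.93.65.443 > 10.10.4.8.41000: Flags [S.], seq 2, ack 2, win 65535, length 0
22:26:41.000000 Port3, OUT: IP 10.10.4.8.41001 > 203.0.113.10.443: Flags [S], seq 3, win 64240, length 0
"""

# Only lines with an L4 port on both ends match; ARP, ICMP and truncated
# "[|domain]" answers fall through and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")
DNS_RE = re.compile(r"\b([A-Z]+)\? (\S+?)\.? \(")  # e.g. "13986+ A? name. (34)"


def summarize_capture(text):
    """Return {'dns_queries': Counter, 'flows': {key: state}}.

    Flow key is (local_ip, local_port, remote_ip, remote_port) as seen from
    the capturing interface, so OUT and IN segments of one connection share
    a key. 'syn_seen' is True only if a pure SYN appeared in the capture.
    """
    dns_queries = Counter()
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rest = d["rest"]
        sport, dport = int(d["sport"]), int(d["dport"])
        if dport == 53 and "?" in rest:          # outbound DNS query
            q = DNS_RE.search(rest)
            if q:
                dns_queries[q.group(2)] += 1
            continue
        f = FLAGS_RE.search(rest)
        if not f:
            continue                               # non-TCP, non-query UDP
        flags = f.group(1)
        if d["dir"] == "OUT":
            key = (d["src"], sport, d["dst"], dport)
        else:
            key = (d["dst"], dport, d["src"], sport)
        flow = flows.setdefault(key, {"packets": 0, "syn_seen": False, "initiated": None})
        flow["packets"] += 1
        if flags == "S":                           # pure SYN; "S." is the SYN-ACK
            flow["syn_seen"] = True
            flow["initiated"] = "outbound" if d["dir"] == "OUT" else "inbound"
    return {"dns_queries": dns_queries, "flows": flows}


def pre_existing_flows(summary):
    """Flows that carried traffic but were opened before the capture started."""
    return sorted(k for k, v in summary["flows"].items() if not v["syn_seen"])


if __name__ == "__main__":
    s = summarize_capture(SAMPLE_CAPTURE)
    print("tcpdump filter for new connections only:", PURE_SYN_FILTER)
    for name, n in s["dns_queries"].most_common():
        print(f"DNS  {name} x{n}")
    for (lip, lport, rip, rport), v in s["flows"].items():
        state = (f"opened {v['initiated']} during capture" if v["syn_seen"]
                 else "pre-existing (no SYN seen)")
        print(f"TCP  {lip}:{lport} -> {rip}:{rport}  {v['packets']} pkts  {state}")
```

Run it against a file saved from `tcpdump -ni Port3` by replacing `SAMPLE_CAPTURE` with the file contents. On the posted lines the 52.8.93.65:443 flow shows up as pre-existing, which is what the "old connections" reply is probing for; to see only new attempts on the wire, pass `PURE_SYN_FILTER` as the tcpdump filter expression. Note that on a NATed WAN interface every outbound packet carries the interface's own address as source, so source IP alone cannot tell firewall-originated traffic from forwarded LAN traffic; the DNS names and the SYN timing are what carry the signal.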