
Traffic blocked for no reason

Hi Guys

I am seeing A LOT of events in my log viewer about "TCP timestamp is missing".

This is coming from my internal LAN and going to the internal LAN (VLAN to VLAN).

The firewall rule that is referenced in the log viewer points to rule 11.

In rule 11 I have absolutely nothing configured that might block the traffic.

No IPS, no web filter... nothing.

This rule is set to allow all internal traffic from all VLANs to all VLANs.

So... what is blocking this traffic I see in the log viewer???

Thanks guys!



  • Hi,

    I suspect you have taken to generalisation with the VLAN to VLAN rule. You need a rule for each VLAN to reach all other VLANs. So basically you need a rule for each VLAN if you want the XG to route the traffic. Alternatively you route the traffic within the switch providing the VLANs and leave the XG to manage internet access.

    Ian

  • Hi.

    Thanks for your reply!

    So... you are saying that if I have 4 VLANs...

    I need to create a rule for each VLAN to allow traffic for all the other 3 VLANs?

    That's 9 separate rules! Just for internal traffic.

    Are you absolutely sure about that?

    Because right now internal traffic is working just fine; it's just that specific error that's annoying me.

  • Just in case...

    I created a new rule,

    allowing traffic from one VLAN to all other VLANs.

    That made no difference at all!

    What I am saying is you need a vlan1 to vlans2-4 rule and a vlan2 to vlan1 and vlan3-4 rule.

    And then there is the configuration issue for the devices that are not generating the timestamp on their transmissions.

    Ian

    I created such a rule; a screenshot is in my previous comment.

    Made no difference.

  • Hello Avi,

    It does seem IPS has pre-processed your traffic. Could you please change the settings according to this KBA? As it does seem you are affected by it.

  • Hi

    That's exactly what I ended up doing and it seems to solve the issue... but...

    This command disables the IPS ability to look for anomalies,

    and at the end of the day... looking for anomalies is the whole point of IPS.

    That's what IPS is supposed to do: look for anomalies!

    Disabling this feature really misses the whole point of having IPS.

  • Hi Avi,

    IPS would still work; all you would need is to apply an IPS policy on the firewall rule where the traffic traverses through and manage the signatures if they cause some traffic to drop. Pre-processing at the moment is not configurable.

  • Hi

    I have to circle you back to the initial comment on this post.

    The firewall rule that caused the internal traffic to be flagged and dropped had no IPS policy on it.

    It was a firewall rule that allowed all internal traffic between all VLANs and had no web policy, no IPS, no application policy. None!

    And still traffic was blocked!

  • Hi,

    I have almost the same firewall rule for LAN-LAN, except that in that rule's Advanced -> User Applications -> Intrusion Prevention, I set it to LAN-DMZ instead of None.

    IPS is working, and no timestamp missing issue like yours, but a lot of other detections.

    Have you checked the config at IPS -> DoS & Spoof Protection, as well as on the connecting network switches? Probably VLAN setup issues, need firmware updates,

    or a good old reboot may sometimes work.


    Regards,

    Model / Version : XG210 (SFOS 17.5.0 GA)

    P/S: No other interconnecting firewall rules were set for each other VLAN in the network, as suggested;

    All my VLANs were also defined at Network -> Interfaces -> VLAN.