
1st Firewall rule has GEO blocks. But I am seeing this rule cause ALLOWS in the log. What is going on?

Hello,

I guess I am confused about the new V18 firewall rules and NAT etc.

I really expect my Firewall rules to be the 1st line of defense against the Internet bad guys.  So I put as my 1st rule country blocks to keep my network safe.

Much of the traffic is blocked.  But in the LOG I am seeing this rule ALLOW some traffic.

I also see there is a Web rule ID.

Can someone explain why this traffic is getting through when the firewall rule says to block it?

Thank You,

Peter Geremia



This thread was automatically locked due to age.
  • Looks like the Proxy is picking up this traffic and blocking it.

    As you can see, the Block rule has the Proxy enabled, hence Firewall will give the traffic to the proxy to drop it. You can see the destination port transferred to Port 3128 (proxy). 

    The traffic should not be actually allowed, as the proxy will drop it anyways. But the log viewer will show this as "allowed". 

  • Ok I was wondering about that.  So I went into the Firewall rule and I could not find a place to disable that.

    Is there a way?

    Thanks!!

    -Pete

  • As far as I know, there is no way to disable the proxy for this traffic. But in the end, the outcome should be the same, the traffic should not be allowed. If it's still allowed, you would have to open a support case to investigate in more detail.

  • I did dig into it and I do not see the traffic on my web server.   So I am sure you are correct.

    It would be nice to be able to allow a firewall RULE to not have any other dependencies.

    So if I do a country block I do not want it to go any further.  

    Maybe they should look into supporting this kind of feature?

    Thanks again for your help!

    -Pete

  • Hi Peter,

    The recommended approach is to blackhole the offending countries. This is where you create a firewall rule with linked NAT pointing at a non-existent IP address on your LAN.

    There is a KBA on how to do this.

    Ian
