Local ACL/Invalid Traffic

Hey all,

Has anyone discovered a way to determine what, specifically, the firewall is talking about when it denies traffic based on a "Local ACL" or "Invalid Traffic?"

I'm struggling to get a CIFS client to communicate (getting host down messages) when all other devices on the network are using this share just fine. (It worked before I switched to this firewall as well, so I know it's something in here.) I'm having trouble locating the reason why it'd be dropping this traffic.

Thanks for any assistance you can provide!

:)

  • Local ACL/Invalid traffic suggests that either a correct firewall rule is not created in the rule engine for that traffic, or the traffic does not meet the requested/expected TCP states or RFC specifications, e.g. in the case of asymmetric routing.

    To pull out a proper log:

    1. Access the CLI of the firewall and select Option 4 - Device Console.
    2. Execute the following command: console> drop-packet-capture "host x.x.x.x or host y.y.y.y"
    A host can be a source or a destination to filter dropped traffic for a particular connection. The usual logical operators (AND/OR/NOT) are supported in the filter syntax.
    3. For a broadcast drop, you will get logs as follows:

    2015-12-22 03:27:06 0103021 IP 172.16.16.17.137 > 172.16.16.255.137 : proto UDP: packet len: 58 checksum : 17827
    0x0000: 4500 004e 4958 0000 8011 7816 ac10 1011 E..NIX....x.....
    0x0010: ac10 10ff 0089 0089 003a 45a3 fe25 0110 .........:E..%..
    0x0020: 0001 0000 0000 0000 2046 4846 4145 4245 .........FHFAEBE
    0x0030: 4543 4143 4143 4143 4143 4143 4143 4143 ECACACACACACACAC
    0x0040: 4143 4143 4143 4141 4100 0020 0001 ACACACAAA.....
    Date=2015-12-22 Time=03:27:06 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev= inzone_id=1 outzone_id=4 source_mac=3c:97:0e:53:7b:e0 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=172.16.16.17 dest_ip=172.16.16.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=3736931136 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    Hope this helps.
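
As an added example (not code from the thread or from Sophos), a small Python parser for the key=value line that drop-packet-capture prints, plus a classifier that turns the fields into the kind of plain-language reasons the reply describes. The sample line is a constructed, shortened copy of the log quoted above; the /24 subnet length and the reading of fw_rule_id=0 as "no rule matched" are assumptions.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: the broadcast-drop line from the reply above,
# trimmed to the fields this parser actually uses.
SAMPLE_LINE = (
    "Date=2015-12-22 Time=03:27:06 log_id=0103021 log_type=Firewall "
    "log_component=Local_ACLs log_subtype=Denied in_dev=PortA out_dev= "
    "inzone_id=1 outzone_id=4 source_mac=3c:97:0e:53:7b:e0 "
    "dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=172.16.16.17 "
    "dest_ip=172.16.16.255 l4_protocol=UDP source_port=137 dest_port=137 "
    "fw_rule_id=0 policytype=0"
)

# key=value pairs; the value may be quoted, or empty as in "out_dev=".
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_drop_line(line):
    """Split a drop-packet-capture key=value line into a dict (empty values kept)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify_drop(fields, local_prefix=24):
    """Return plain-language reasons suggested by the parsed fields.

    local_prefix is an assumption: the mask of the ingress subnet, used to
    recognise a directed-broadcast destination address.
    """
    reasons = []
    if fields.get("log_component") == "Local_ACLs" and fields.get("log_subtype") == "Denied":
        reasons.append("dropped by local ACL")
    if fields.get("fw_rule_id") == "0":
        # Assumption: rule id 0 means no rule in the rule engine matched.
        reasons.append("no firewall rule matched (fw_rule_id=0)")
    if fields.get("dest_mac", "").lower() == "ff:ff:ff:ff:ff:ff":
        reasons.append("layer-2 broadcast frame")
    dst = fields.get("dest_ip")
    if dst:
        net = IPv4Network(f"{dst}/{local_prefix}", strict=False)
        if IPv4Address(dst) == net.broadcast_address:
            reasons.append(f"destination is the subnet broadcast address {dst}")
    if fields.get("l4_protocol") == "UDP" and fields.get("dest_port") == "137":
        reasons.append("NetBIOS name service (UDP/137): CIFS name lookup, not a share mount")
    return reasons


if __name__ == "__main__":
    for reason in classify_drop(parse_drop_line(SAMPLE_LINE)):
        print("-", reason)
```

Run the same two functions over every line that drop-packet-capture emits for the CIFS client's address to separate expected broadcast drops from the unicast SMB drops that actually explain the "host down" errors.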

  • Thanks for the tip, I will try to look at those packets. But... What you just showed us is an extremely easy example of dropping CIFS traffic on the firewall device. It's obvious that a Windows Share query will not succeed on a firewall device :-)

    I would love to see a slightly more complicated example, such as HTTPS traffic dropped and the reason for it.