
Local ACL/Invalid Traffic

Hey all,

Has anyone discovered a way to determine what, specifically, the firewall is talking about when it denies traffic based on "Local ACL" or "Invalid Traffic"?

I'm struggling getting a CIFS client to communicate (getting host down messages) when all other devices on the network are using this share just fine. (It worked before I switched to this firewall as well, so I know it's something in here.) I'm having trouble locating the reason why it'd be dropping this traffic.

Thanks for any assistance you can provide!

:)



  • Local ACL / Invalid Traffic suggests that either a correct firewall rule is not created in the rule engine for that traffic, or it does not meet the requested/expected TCP states or RFC specifications (e.g. in the case of asymmetric routing, etc.).

    To pull out a proper log:

    1. Access the CLI of the firewall and select Option 4 - Device Console.
    2. Execute the following command: console> drop-packet-capture "host x.x.x.x or host y.y.y.y"
    A host can be a source or destination, to filter dropped traffic for a particular connection. The normal gates such as AND/OR/NOT are supported in the filter syntax.
    3. For a broadcast drop, you will get logs as follows:

    2015-12-22 03:27:06 0103021 IP 172.16.16.17.137 > 172.16.16.255.137 : proto UDP: packet len: 58 checksum : 17827
    0x0000: 4500 004e 4958 0000 8011 7816 ac10 1011 E..NIX....x.....
    0x0010: ac10 10ff 0089 0089 003a 45a3 fe25 0110 .........:E..%..
    0x0020: 0001 0000 0000 0000 2046 4846 4145 4245 .........FHFAEBE
    0x0030: 4543 4143 4143 4143 4143 4143 4143 4143 ECACACACACACACAC
    0x0040: 4143 4143 4143 4141 4100 0020 0001 ACACACAAA.....
    Date=2015-12-22 Time=03:27:06 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev= inzone_id=1 outzone_id=4 source_mac=3c:97:0e:53:7b:e0 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=172.16.16.17 dest_ip=172.16.16.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=3736931136 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    Hope this helps.
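The capture above has three parts worth reading together: the one-line summary, the hex dump of the dropped packet, and the key=value record that names the component that dropped it (here log_component=Local_ACLs, log_subtype=Denied, fw_rule_id=0). The following is an added example, written for this thread and not Sophos tooling or anything from the answer's author: it rebuilds the packet from the hex dump, decodes the IPv4/UDP headers, checks that they agree with what the record claims, and summarises the fields that explain the drop. SAMPLE is the broadcast-drop output quoted above, copied verbatim; the SERVICES table and the helper names are the example's own.

```python
"""Decode a drop-packet-capture record and cross-check it against its own bytes.

Added illustration (not Sophos code). SAMPLE is the broadcast-drop capture
quoted in the answer above: a NetBIOS name-service packet (UDP/137) sent to
the subnet broadcast address and denied by the Local ACLs component.
"""
import re
import socket
import struct

SAMPLE = """\
2015-12-22 03:27:06 0103021 IP 172.16.16.17.137 > 172.16.16.255.137 : proto UDP: packet len: 58 checksum : 17827
0x0000: 4500 004e 4958 0000 8011 7816 ac10 1011 E..NIX....x.....
0x0010: ac10 10ff 0089 0089 003a 45a3 fe25 0110 .........:E..%..
0x0020: 0001 0000 0000 0000 2046 4846 4145 4245 .........FHFAEBE
0x0030: 4543 4143 4143 4143 4143 4143 4143 4143 ECACACACACACACAC
0x0040: 4143 4143 4143 4141 4100 0020 0001 ACACACAAA.....
Date=2015-12-22 Time=03:27:06 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev= inzone_id=1 outzone_id=4 source_mac=3c:97:0e:53:7b:e0 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=172.16.16.17 dest_ip=172.16.16.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=3736931136 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
"""

HEX_WORD = re.compile(r"^[0-9a-fA-F]{4}$")

# Well-known CIFS/NetBIOS ports, keyed the way the record spells them (example's own table).
SERVICES = {
    ("UDP", "137"): "NetBIOS name service",
    ("UDP", "138"): "NetBIOS datagram service",
    ("TCP", "139"): "NetBIOS session (SMB over NetBIOS)",
    ("TCP", "445"): "SMB/CIFS",
}


def parse_hexdump(text):
    """Rebuild the raw packet from the `0xNNNN: ....` rows of the capture."""
    raw = bytearray()
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        for tok in line.split()[1:9]:       # skip the offset; at most 8 words per row
            if not HEX_WORD.match(tok):     # the ASCII column ends the data words
                break
            raw += bytes.fromhex(tok)
    return bytes(raw)


def decode_ipv4_udp(pkt):
    """Decode the IPv4 header and, for protocol 17, the UDP header behind it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    (vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack_from("!BBHHHBBH4s4s", pkt, 0)
    ihl = (vihl & 0x0F) * 4
    info = {"total_len": total_len, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    if proto == 17 and len(pkt) >= ihl + 8:
        sport, dport, udp_len, udp_csum = struct.unpack_from("!HHHH", pkt, ihl)
        info.update(sport=sport, dport=dport, udp_len=udp_len, udp_csum=udp_csum)
    return info


def parse_summary(text):
    """Pull the length and checksum that the one-line summary reports."""
    m = re.search(r"packet len: (\d+) checksum : (\d+)", text)
    if not m:
        raise ValueError("no summary line found")
    return {"packet_len": int(m.group(1)), "checksum": int(m.group(2))}


def parse_record(text):
    """Parse the key=value record; empty values such as out_dev= become ''."""
    for line in text.splitlines():
        if line.startswith("Date="):
            return dict(re.findall(r"(\w+)=(\S*)", line))
    raise ValueError("no key=value record found")


def cross_check(text):
    """Return the record fields that disagree with the packet bytes (ideally none)."""
    rec, summary = parse_record(text), parse_summary(text)
    pkt = decode_ipv4_udp(parse_hexdump(text))
    expected = {
        "source_ip": pkt["src"], "dest_ip": pkt["dst"],
        "l4_protocol": {6: "TCP", 17: "UDP"}.get(pkt["proto"], str(pkt["proto"])),
        "source_port": str(pkt.get("sport")), "dest_port": str(pkt.get("dport")),
    }
    bad = [k for k, v in expected.items() if rec.get(k) != v]
    # In this sample the summary's "packet len"/"checksum" are the UDP header's own
    # length and checksum fields, so they can be checked against the dump as well.
    if summary["packet_len"] != pkt.get("udp_len") or summary["checksum"] != pkt.get("udp_csum"):
        bad.append("summary")
    return bad


def triage(text):
    """Summarise the drop from the fields that explain it."""
    rec = parse_record(text)
    return {
        "component": rec.get("log_component"),    # Local_ACLs in this sample
        "action": rec.get("log_subtype"),
        "matched_rule": rec.get("fw_rule_id") not in (None, "0"),  # 0 = no rule hit
        "broadcast": rec.get("dest_mac") == "ff:ff:ff:ff:ff:ff",
        "service": SERVICES.get((rec.get("l4_protocol"), rec.get("dest_port")), "unknown"),
        "path": "%s (zone %s) -> %s (zone %s)" % (
            rec.get("in_dev"), rec.get("inzone_id"), rec.get("out_dev") or "(none)", rec.get("outzone_id")),
    }


if __name__ == "__main__":
    print("mismatches:", cross_check(SAMPLE))
    for key, value in triage(SAMPLE).items():
        print(f"{key:>13}: {value}")
```

For the sample, cross_check returns no mismatches, and triage reports a Local_ACLs Denied of a NetBIOS name-service broadcast with no matching rule. When chasing the CIFS problem from the original question, the fields to compare between a working client and the failing one are log_component, fw_rule_id, in_dev/inzone_id and dest_port (137/138/139 for NetBIOS, 445 for direct SMB): a fw_rule_id of 0 on Local_ACLs means the packet never matched a rule, which is the first of the two causes the answer describes.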

  • Not really an answer. Didn't solve anything, really.