Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • +2 person also asked this people also asked this
  • Locked Locked
  • Replies 30 replies
  • Answers 2 answers
  • Subscribers 37 subscribers
  • Views 166983 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Local ACL/Invalid Traffic

ShawnLucas

Hey all,

Has anyone discovered a way to determine what, specifically, the firewall is talking about when it denies traffic based on a "Local ACL" or "Invalid Traffic?"

I'm struggling getting a CIFS client to communicate (getting host down messages) when all other devices on the network are using this share just fine.  (It worked before I switched to this firewall as well, so I know it's something in here)  I'm having trouble locating the reason why it'd be dropping this traffic.

Thanks for any assistance you can provide!

:)



This thread was automatically locked due to age.
  • 0 in reply to AmitSharma
    Oh, BTW: Do you know if this diagnostic method may be used for webfilter related issues ?
  • 0 in reply to Slawski
    Yes, it will Destination IP filtering in Connection List with a combination of Log Viewer> Web Filtering for that domain to find if a website is being allowed or not.
  • 0 in reply to Slawski
    I have done some testing and found something interesting. My setup is a XG with a AP55c. Since I am setting this up, I have an Any/Any rule with all app control and IPS turned off. My AP has 4 SSIDs all set to "Separate Zones", my device is on one of those SSIDs. When it tries to connect to the internet I see those denied by policy_id:0 message in the logs. I changed one of the SSIDs to be on the AP LAN, connected up and now it works fine, no denies. Not sure what's the difference, since they are both just subnets on the internal LAN.
  • 0 in reply to Slawski
    2015-12-24 09:18:13 0102021 IP 10.XXX.XX.XXX.64491 > 10.252.XX.XXX.443 : proto TCP: R 4150585369:4150585369(0) checksum : 39074
    0x0000: 4500 0028 6523 4000 8006 ed0f 0a8e 42a5 E..(e#@.......B.
    0x0010: 0afc 506e fbeb 01bb f764 e819 46e3 4a88 ..Pn.....d..F.J.
    0x0020: 5014 0000 98a2 0000 P.......
    Date=2015-12-24 Time=09:18:13 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev= inzone_id=0 outzone_id=0 source_mac=00:50:56:ba:44:33 dest_mac=00:50:56:91:20:6d l3_protocol=IP source_ip=10.XXX.XX.XXX dest_ip=10.252.XX.XXX l4_protocol=TCP source_port=64491 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=4051094740785954816 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/Acommunity.sophos.com/.../XXXXX sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    This is the log output. The traffic is dropped as "invalid traffic".

    I can't find entrys with this ip in the connection list.
  • 0 in reply to DanSand
    Well, so you have answered your question. No connection - packets dropped.
  • 0 in reply to Slawski
    Same thing here. my game is trying to update and its failing. there WAS some connection at the start then is times out and fails...

    2015-12-27 13:05:50 0102021 IP 10.1.1.5.59946 > 66.151.133.50.443 : proto TCP: F 2729573040:2729573040(0) win 1021 checksum : 1203
    0x0000: 4500 0028 37bb 0000 8006 3046 0a01 0105 E..(7.....0F....
    0x0010: 4297 8532 ea2a 01bb a2b1 fab0 b23a 98d1 B..2.*.......:..
    0x0020: 5011 03fd 04b3 0000 P.......
    Date=2015-12-27 Time=13:05:50 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=00:01:2e:5a:79:c6 dest_mac=00:01:2e:4e:1a:4b l3_protocol=IP source_ip=10.1.1.5 dest_ip=66.151.133.50 l4_protocol=TCP source_port=59946 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3559031422993825792 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
  • 0 in reply to DavePackham
    When I connect to my work VPN my download works. Something the XG is doing.
  • 0 in reply to AmitSharma
    What rule do I need then to allow these https downloads?
  • 0 in reply to DavePackham
    I'm not sure if you have posted the right log entry.

    First of all, I get those "invalid traffic" messages even when the IPS and WebFilter are off and the existence of those entries do not interfere with games downloading and updating. Especially if they appear for fw_rule_id=0.

    There is a different situation - when the webfilter / ips is ON. Haven't got time to analyse this yet because of Christmas etc.
  • 0 in reply to Slawski
    No problem. Those IP addresses are the inside Client trying to download the game updates and the external IP is the game host company so I thought they were related. Whatever info you need when the holidays is over I can reproduce for ya