violation reason: USER_IDENTITY issue

Hello,

Sometimes Sophos drops all packets for a random user (not everyone) for 1-2 minutes, and after a minute it stops dropping and the internet starts working fine. I checked the Diagnostics packet capture while Sophos was dropping my packets and I noticed the status "violation" and the reason "USER_IDENTITY". Can you please help me in this case?


Thanks in advance,

  • Hi,

    Are the users populated in the Live Users section when such drops are observed? Show us access_server.log and http.log for the timestamp when XG drops the packets.

    Thanks

  • Jim,

    Are you using AD accounts?

    Thanks

  • Yes, I'm using AD accounts.

  • Jim,

    By default the timeout for unauthenticated traffic is 120 seconds. You can reduce the timeout period using a console command:

    system auth cta unauth-traffic drop-period XX

    where XX is the number of seconds.

    For best practice, do not use a value lower than 45 seconds.

    To view the current configuration, launch the command:

    system auth cta show

    Regards

  • Hello Luk,

    Thanks a lot for your help. How can I disable the drop for unauthenticated traffic? I don't want to drop any packets, even if they come from an unauthenticated user.


    Best,

  • Hi Jim,

    I am a bit confused why you need to allow unauthenticated traffic after deploying STAS with AD. Is there a specific requirement that we are unaware of? Luk's suggestion applies when strict authentication is not enabled with STAS and the unauthenticated traffic should be allowed after the specific number of seconds configured through the command line. You cannot completely disable this drop time, or else there would be no use for the authentication mechanism.

    Thanks

  • Hi,

    I can tell you that over a RED tunnel, STAS does not work perfectly. I had to disable it to allow our RED clients. Support could not figure it out, so we gave up on using it until it improves. I too wish that, if the firewall cannot identify the user, it would pass the traffic anyway. I had two firewall rules to allow this to happen: one that was user based and one that was not. Even a 40-second delay is a long time for users to sit with no internet until the firewall decides to let it pass.

    Mike

  • Now I'm getting an INVALID_TRAFFIC violation message. What does this mean?

  • Here is the log:

    2017-02-02 10:24:15 0102021 IP 192.168.1.101.56183 > 52.209.106.36.80 : proto TCP: F 2721484213:2721484213(0) win 254 checksum : 20928
    0x0000:  4500 0028 7ebd 4000 7f06 1c10 c0a8 0165  E..(~.@........e
    0x0010:  34d1 6a24 db77 0050 a236 8db5 8b46 6518  4.j$.w.P.6...Fe.
    0x0020:  5011 00fe 51c0 0000 0000 0000 0000       P...Q.........

    Date=2017-02-02 Time=10:24:15 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port3 out_dev= inzone_id=0 outzone_id=0 source_mac=c8:1f:be:43:57:c2 dest_mac=00:1a:8c:51:a5:d6 l3_protocol=IP source_ip=192.168.1.101 dest_ip=52.209.106.36 l4_protocol=TCP source_port=56183 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

  • Hi Jim,

    Invalid Traffic is logged when there is no firewall rule that matches the packet, so nothing can forward it.

    Thanks
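
The posted log line and the explanation above together give a defender enough to triage these drops from the firewall log rather than from a packet capture: a Denied record with log_component=Invalid_Traffic and fw_rule_id=0 means no rule matched, and a Denied record with live_userid=0 means the firewall had not identified the user yet (the USER_IDENTITY window discussed earlier). The following is an added example, not code from the thread or from Sophos, that parses the key=value log format shown in the posted record and groups denied traffic per source host. The first sample line reproduces the thread's Invalid_Traffic record (shortened); the other two lines, including their log_id and fw_rule_id values, are constructed sample data, as are the function names.

```python
import re
from collections import Counter

# Constructed sample input. Line 1 is the thread's Invalid_Traffic record with
# most fields trimmed; lines 2 and 3 are made up to exercise the classifier
# (their log_id / fw_rule_id / live_userid values are placeholders).
SAMPLE_LOG = """\
Date=2017-02-02 Time=10:24:15 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert in_dev=Port3 out_dev= source_ip=192.168.1.101 dest_ip=52.209.106.36 l4_protocol=TCP source_port=56183 dest_port=80 fw_rule_id=0 live_userid=0 userid=0
Date=2017-02-02 Time=10:24:16 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert in_dev=Port3 out_dev= source_ip=192.168.1.101 dest_ip=52.209.106.36 l4_protocol=TCP source_port=56183 dest_port=443 fw_rule_id=0 live_userid=0 userid=0
Date=2017-02-02 Time=10:24:20 log_id=0000000 log_type=Firewall log_component=Firewall_Rule log_subtype=Allowed log_status=N/A log_priority=Information in_dev=Port3 out_dev=Port1 source_ip=192.168.1.102 dest_ip=93.184.216.34 l4_protocol=TCP source_port=50001 dest_port=443 fw_rule_id=3 live_userid=17 userid=17
"""

# key=value pairs; a value is either a double-quoted string (may contain
# spaces) or a run of non-space characters, possibly empty (e.g. out_dev=).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_line(line):
    """Turn one key=value log record into a dict of strings."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def classify(fields):
    """Short verdict for one parsed record, following the thread's explanations."""
    if fields.get("log_subtype") != "Denied":
        return "allowed"
    if fields.get("log_component") == "Invalid_Traffic" and fields.get("fw_rule_id") == "0":
        # No firewall rule matched the packet, so nothing could forward it.
        return "denied:no_matching_rule"
    if fields.get("live_userid", "0") == "0":
        # Packet dropped while the user was still unidentified (USER_IDENTITY window).
        return "denied:unidentified_user"
    return "denied:other"


def summarize(log_text):
    """Count verdicts and collect denied flows per source host."""
    verdicts = Counter()
    per_host = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        verdict = classify(rec)
        verdicts[verdict] += 1
        if verdict.startswith("denied"):
            per_host.setdefault(rec.get("source_ip"), []).append(
                (rec.get("Time"), rec.get("dest_ip"), rec.get("dest_port"), verdict)
            )
    return verdicts, per_host


if __name__ == "__main__":
    counts, hosts = summarize(SAMPLE_LOG)
    for verdict, n in sorted(counts.items()):
        print(f"{verdict:28s} {n}")
    for host, flows in hosts.items():
        print(f"\n{host}: {len(flows)} denied flow(s)")
        for when, dst, port, verdict in flows:
            print(f"  {when} -> {dst}:{port}  {verdict}")
```

Run against a real export of the firewall log, a host that shows a burst of denied:unidentified_user records lasting roughly the configured drop-period (120 seconds by default) and then goes quiet is the symptom the original post describes; a steady stream of denied:no_matching_rule from one host points at the rule base instead.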