
Clean Up rule "from any, to any, drop" that allows traffic on the Internet anyway!!! WTF?

Hello, can anyone explain that to me?

I have a clean up rule (no 3) "from any, to any, drop" that allows traffic on the Internet anyway!!! See the rule and the log below.

Is it me, or is this a very serious issue?

  • Hi,

    this is not a serious issue. Where does this rule sit in the firewall rule list, and what is its ID, e.g. at the top? Why are you trying to block all internet access? This does not make sense.

    What you are seeing in your log is traffic going out via another rule, e.g. rule ID 3.

    XG tests the packets from top down, not by rule number.

    Ian

  • Hello

    Best practices guidelines for "serious" world-class firewall products require the implementation of at least one "stealth" rule and one "clean up" rule. By definition, a "clean up" rule is always the last ... It does what it says: drop everything that was not matched by previous rules, and log it.

    So, by definition, nothing is allowed by this rule, or after this rule!!! Yet, we see some traffic is allowed.

    My understanding here is that this is, on the contrary, an awful issue.

  • Hi,

    yes, world's best practice, maybe, if implemented correctly.

    You didn't answer my question about firewall rule order. I have a drop-everything-that-is-left-over rule on my XG, and it occasionally catches stuff, usually when the external link fails; it is at the bottom of the firewall rule list.

    I also have country/region drop for incoming and outgoing rules at the top of my firewall rules.

    So please post a screenshot of your entire firewall rules.

    Ian

  • Hey

    The XG has an implicit default deny action that drops traffic that does not match any existing firewall rule policies.
    This rule that you have configured to drop any traffic is unnecessary and may potentially cause conflicts with your other existing firewall policies.

    Regards,

    FloSupport | Community Support Engineer
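    Ian's point that XG walks the rule list top down by position rather than by rule ID, and FloSupport's point about the implicit default deny, as a small added simulation (example code written for this thread, not Sophos code; the rule set and addresses are constructed):

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    rule_id: int   # the number shown in the log; fixed when the rule is created
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    action: str    # "Allow" or "Drop"
    note: str = ""


def matches(rule, src, dst):
    def in_scope(spec, addr):
        return spec == "any" or ip_address(addr) in ip_network(spec)
    return in_scope(rule.src, src) and in_scope(rule.dst, dst)


def evaluate(rules, src, dst):
    """First-match walk in list order (position, not rule ID).
    Returns (action, rule_id); rule_id None means no rule matched and
    the implicit default deny applied."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule.action, rule.rule_id
    return "Drop", None


def position_of(rules, rule_id):
    """1-based list position of the rule with this ID (IDs and positions are independent)."""
    return next(i for i, r in enumerate(rules, 1) if r.rule_id == rule_id)


def unreachable_after_cleanup(rules):
    """IDs of rules placed below an any/any rule: they can never match."""
    for i, r in enumerate(rules):
        if r.src == "any" and r.dst == "any":
            return [x.rule_id for x in rules[i + 1:]]
    return []


# Constructed rule set (example data, not the poster's configuration).
# Rule 3 was created last but dragged to the top; rule 2 is the clean-up rule at the bottom.
RULES = [
    Rule(3, "10.0.0.0/24", "any", "Allow", "LAN to WAN, created third, positioned first"),
    Rule(1, "any", "10.0.0.0/24", "Drop", "stealth rule: no inbound to the LAN"),
    Rule(2, "any", "any", "Drop", "clean-up rule: last, logs everything else"),
]
```

    A LAN host reaching the Internet is logged against rule ID 3 with action Allow, even though the clean-up rule sits last; removing the clean-up rule changes nothing for unmatched traffic because the implicit default deny still drops it.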

  • Hello

    Our clean up rule no 3 is the last. No other rule after that. It should drop everything left. Now, even if it was not the last, logs are showing "Allowed" traffic. It should be "Drop"!!!

    The question asked here is why we still see outbound traffic with that rule no 3, since it is any-any-any-drop?

  • Hello FloSupport

    I am aware of many other products with an implicit "clean-up" rule. Check Point, namely. Yet their best practices include a clean-up rule anyway. They have an excellent paper here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106597

    But if we come back to the question here, how is it possible that an any-any-any-drop rule allows some traffic? Whether it is the last or not, that should not be!!!
