
Accept rule blocking traffic for "Invalid_traffic" reason

I am having issues getting my XG to pass traffic; it seems to be getting blocked on an allow rule, and I cannot figure out why.

For troubleshooting purposes I created a rule and put it at the very top, it is an allow from the subnet on my LAN to a specific IP address. I have all services allowed and all of the more advanced scanning options turned completely off.
I can PING to the IP address from a computer on the "DC-LAN" but cannot connect to a windows file share and the packet capture shows it is blocking traffic for a rule violation. In the screenshot I took below you can see that it is allowing the ICMP traffic, but the traffic for the windows file share is a rule violation. How is an accept rule with any service allowed blocking this connection?
  • Based on your logs, the traffic is being dropped because it doesn't associate the packet coming from a valid interface (possible hairpinning?).

    Does the "TEMP-Computer" exist in a VLAN on Port 1? 

    Could you provide a snip of the relevant interfaces associated with your source and destination?

    Also, please change your firewall rule from specifying "Any Zone" to the actual zones that your source and destination exist in.

    Thanks,

    Karlos

  • The "TEMP-Computer" is on a network that is behind a different router. I have a static route set in the XG that points all traffic for that subnet to the other gateway device. That gateway is on the same subnet and network as port 1 on the XG.

    The XG is going to be replacing our existing firewalls, but I need to be able to point some subnets at the old equipment during the migration. The computer originating the traffic is on the 10.1.2.0/24 network and is trying to use the XG as the default gateway to reach a computer on the 10.2.4.0/24 network.

  • Hi Adam,

    Thanks for confirming. It looks like your configuration is correct on the XG side. Also, Masquerading is disabled on rule 16 correct?

    Are you able to run a packet capture on the XG using your source IP and port 445 for SMB while you try to access the file share and share your results?

    Could you confirm that the router is forwarding the traffic?

    Thanks,
    Karlos
  • NAT is disabled on rule 16. The part that is really confusing me is that it blocks port 445 (windows network shares) as "INVALID_TRAFFIC" on rule 16, but allows a ping in the form of ICMP traffic through on rule 16 while I have the service set to "ANY". Here are those two screenshots:
  • I ended up just putting a static route on each server that was on that subnet to use the other gateway device. I couldn't find a way to have traffic route in, and then back out the same interface that would work for anything other than ICMP.
    Now the older firewall has been completely retired so it isn't an issue. I have found that some firewalls allow this, others don't, and some have special config changes to make your firewall allow it.
    So as far as I know it is not possible on the XG as of right now.
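The symptom in this thread (ping passes on the accept rule, the SMB connection on port 445 is logged as invalid on the same rule) is what a stateful firewall produces when the forward path is hairpinned through it but the return path is not. The static route sends client-to-server packets back out Port1 to the old gateway; if the old gateway delivers the server's replies straight to the client on the shared subnet, the firewall sees the SYN and the client's final ACK but never the SYN-ACK, so the ACK matches no connection in the expected state and is dropped as invalid regardless of the rule's service setting. ICMP echo is not affected because each request is accepted on its own and the reply does not need to pass the firewall. The following Python model is an added illustration of that mechanism and is not Sophos XG code; the connection-tracking states, the "INVALID_TRAFFIC" label and all addresses (10.1.2.50 client, 10.1.2.2 old gateway, 10.2.4.10 server) are assumptions constructed for the example, and how the XG classifies the packet internally is not documented by the thread.

```python
"""Toy connection tracker showing why a hairpinned TCP connection is dropped as
invalid while ping works when the return path bypasses the firewall.

Constructed topology (addresses are made up for this example, not from the thread):
  client  10.1.2.50  default gateway = firewall Port1
  old gw  10.1.2.2   reaches 10.2.4.0/24 and can reach 10.1.2.0/24 directly
  server  10.2.4.10  behind the old gateway
Firewall static route 10.2.4.0/24 -> 10.1.2.2, so client->server packets enter
and leave Port1; server->client packets go old gw -> client and skip the firewall.
"""
from dataclasses import dataclass

INVALID = "INVALID_TRAFFIC"   # assumed label, modelled on the log in the thread


@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""     # TCP: "S", "SA", "A"; ICMP: "request", "reply"


class ConnTracker:
    """Minimal stateful filter in the style of netfilter connection tracking.
    An accept rule only applies to packets that open a flow or fit a tracked
    flow's state; anything else is invalid no matter what service the rule allows."""

    def __init__(self):
        self.flows = {}   # flow key -> state

    def inspect(self, p: Pkt) -> str:
        if p.proto == "icmp":
            if p.flags == "request":
                self.flows[("icmp", p.src, p.dst)] = "SEEN"
                return "accept"
            if p.flags == "reply" and self.flows.get(("icmp", p.dst, p.src)) == "SEEN":
                return "accept"
            return INVALID
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S" and fwd not in self.flows:
            self.flows[fwd] = "SYN_SENT"          # NEW: the accept rule applies
            return "accept"
        if p.flags == "SA" and self.flows.get(rev) == "SYN_SENT":
            self.flows[rev] = "ESTABLISHED"       # handshake completes in view
            return "accept"
        if p.flags == "A" and self.flows.get(fwd) == "ESTABLISHED":
            return "accept"
        # ACK for a handshake the firewall never saw complete, stray SYN-ACK, etc.
        return INVALID


def hairpin_path(proto: str, return_via_firewall: bool) -> list:
    """Run one client->server exchange and return the verdict for each packet.
    Server replies are marked 'bypassed firewall' when the return path skips it."""
    fw = ConnTracker()
    client, server = "10.1.2.50", "10.2.4.10"
    if proto == "icmp":
        exchange = [Pkt("icmp", client, server, flags="request"),
                    Pkt("icmp", server, client, flags="reply")]
    else:
        exchange = [Pkt("tcp", client, server, 51000, 445, "S"),
                    Pkt("tcp", server, client, 445, 51000, "SA"),
                    Pkt("tcp", client, server, 51000, 445, "A")]
    verdicts = []
    for p in exchange:
        if p.src == server and not return_via_firewall:
            verdicts.append("bypassed firewall")   # client still receives it
            continue
        verdicts.append(fw.inspect(p))
    return verdicts


if __name__ == "__main__":
    # Asymmetric (hairpin out Port1, replies direct): ping fine, SMB ACK invalid.
    print("icmp, asymmetric:", hairpin_path("icmp", False))
    print("tcp 445, asymmetric:", hairpin_path("tcp", False))
    # Symmetric path (replies also traverse the firewall): handshake tracked end to end.
    print("tcp 445, symmetric:", hairpin_path("tcp", True))
```

The second and third runs are the practical check: if a capture on the firewall shows the client's SYN and ACK for port 445 but no SYN-ACK from the server, the return path is bypassing it, and the fix is to make the path symmetric (a route on the servers pointing back through the firewall, or the per-host routes the original poster settled on) rather than to loosen the accept rule.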