Drop packages

Aresh, alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to those above.

Cheers - Bob

Hi Bob,

Thanks for the reply,

I already check the Firewall log and I have to say I cannot find any extra information, this is the firewall log that corresponding to the live logs,

Also I cannot see that droped packages are udp. or I am looking in the wrong logs?

2017:02:07-14:39:03 securitysrv1-1 ulogd[11961]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="54:e0:XX:XX:76:9a" dstmac="00:1a:XX:f0:XX:a0" srcip="132.XX.XX.2" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="51822" dstport="4012"

Thanks

proto="17" means UDP.  That looks like a gamer to me, but this should have nothing to do with your DNAT of RDP.

Cheers - Bob

I see this line in the log when I access our server that is behind the utm, so it must have something to do with my DNAT rule, otherwise I wouldn't see my IP and port number right?

the DNA rule forward the port 4012 to 3389.

I will guess that your DNAT violates #4 in Rulz.

Cheers - Bob

The WAN interface has 6 public IP address. this is my DNAT rule, to my opinion this is not in violation with Rule #4. please correct me if I'm wrong.

The WAN interface has 6 public IP address. this is my DNAT rule, to my opinion this is not in violation with Rule #4. please correct me if I'm wrong.

If the 'Going to' is "External (WAN) (Network)" instead of "(Address)," that could be the problem.  If that is correct, then show a picture of the edit of the "RDP_????" Service.

Cheers - Bob

It dont goes to the External (WAN) (Network) but to IP address

Also as you can see the service does not use any UDP. It looks like that this drop UDP heppens only when we accessing the serve 2012! when we accessing the  server 2008  I can not see any drop UDP from my IP address.

That was the other possibility as UThomas suggested.  Make a new Service with TCP/UDP and you'll be golden.

Cheers - Bob

I will do that and let you know the result.

HI,

I did create a new service object for the port nummer but when try to use it in my nat rule get this error:

 is this means that I should also create a custom service object for "Add The service TO" ?

Any idea?

Both the source Service and the change-to Service must be TCP/UDP.

Cheers - Bob

Hi,

sorry for the delay, finaly I get the chance to run a test,

I did create 2 servicedefinition for a port forwarding to a server 2012 R2 in our network, both service definitions has TCP/UDP.

Now when access the server with RDP we see some changes in the firewall logs, but it looks like that the internal server still droping the UDP packages. I did disable the local Windows Firewall but still the same issue. it look like that Remote desktop on the server dont use UDP.

Any suggestion?

Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to those UDP blocks above.

Cheers - Bob

sorry for that,

this is the full FW log:

2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="6" length="52" tos="0x00" prec="0x00" ttl="119" srcport="54085" dstport="4002" tcpflags="SYN"
2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61972" dstport="4002"
2017:03:28-13:36:33 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" tos="0x00" prec="0x00" ttl="118" srcport="61972" dstport="3389"
2017:03:28-13:36:34 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61973" dstport="4002"
2017:03:28-13:36:34 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" tos="0x00" prec="0x00" ttl="118" srcport="61973" dstport="3389"
2017:03:28-13:36:34 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="116.232.154.173" dstip="62.221.199.196" proto="6" length="44" tos="0x00" prec="0x00" ttl="49" srcport="24828" dstport="23" tcpflags="SYN"
2017:03:28-13:36:35 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61972" dstport="4002"
2017:03:28-13:36:35 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" tos="0x00" prec="0x00" ttl="118" srcport="61972" dstport="3389"
2017:03:28-13:36:36 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61973" dstport="4002"
2017:03:28-13:36:36 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" tos="0x00" prec="0x00" ttl="118" srcport="61973" dstport="3389"
2017:03:28-13:36:38 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61972" dstport="4002"
2017:03:28-13:36:38 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" tos="0x00" prec="0x00" ttl="118" srcport="61972" dstport="3389"
2017:03:28-13:36:39 securitysrv1-2 ulogd[18968]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62005" initf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="61973" dstport="4002"
2017:03:28-13:36:39 securitysrv1-2 ulogd[18968]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth0" srcmac="54:e0:52:07:76:9a" dstmac="00:1a:9c:f1:0f:a0" srcip="217.XX.XX.30" dstip="10.0.10.205" proto="17" length="1260" tos="0x00" prec="0x00" ttl="118" srcport="61973" dstport="3389"

None of those lines correspond to the ones in your first post above.  Please show one of the lines from 14:39:00.

Cheers - Bob