
Drop packages

Hi,

 

We have a DNAT rule that allows us to access our server with RDP from the internet on a different port number. The rule is working correctly, but in the logs we can see lots of dropped UDP connections from the IP address and port number that we use to access the server with RDP.

What are these UDP packages? Why should we see incoming UDP packages at all?



  • Aresh, alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to those above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    Thanks for the reply,

    I already checked the Firewall log and I have to say I cannot find any extra information. This is the firewall log line that corresponds to the live logs.

    Also, I cannot see that the dropped packages are UDP. Or am I looking in the wrong logs?

    2017:02:07-14:39:03 securitysrv1-1 ulogd[11961]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="54:e0:XX:XX:76:9a" dstmac="00:1a:XX:f0:XX:a0" srcip="132.XX.XX.2" dstip="62.XX.XX.184" proto="17" length="1260" tos="0x00" prec="0x00" ttl="119" srcport="51822" dstport="4012"

     

    Thanks

  • proto="17" means UDP.  That looks like a gamer to me, but this should have nothing to do with your DNAT of RDP.

    Cheers - Bob

     
  • I see this line in the log when I access our server that is behind the UTM, so it must have something to do with my DNAT rule, otherwise I wouldn't see my IP and port number, right?

    The DNAT rule forwards port 4012 to 3389.

  • I will guess that your DNAT violates #4 in Rulz.

    Cheers - Bob

     
  • The WAN interface has 6 public IP addresses. This is my DNAT rule; in my opinion this is not in violation of Rule #4. Please correct me if I'm wrong.

     

  • If the 'Going to' is "External (WAN) (Network)" instead of "(Address)," that could be the problem.  If that is correct, then show a picture of the edit of the "RDP_????" Service.

    Cheers - Bob

     
  • Look into the RDP specification. It uses TCP and UDP on 3389 if the server and client support it.

    https://blog.workinghardinit.work/tag/rdp-8-1/
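
Added example (not part of any post in this thread): a small Python parser for the packetfilter line quoted above that decodes `proto` and checks a dropped packet against the DNAT service definition. The `DNAT_SERVICES` table, the function names and the verdict strings are assumptions for illustration, and the second sample line is constructed.

```python
import re
from collections import Counter

# The log's proto field is the IANA protocol number.
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

# Assumed DNAT table: external port -> (protocols in the service, internal port).
# The thread describes port 4012 forwarded to 3389 with a service that has no UDP.
DNAT_SERVICES = {4012: ({"tcp"}, 3389)}

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Line quoted in the thread (addresses masked by the poster).
THREAD_LINE = (
    '2017:02:07-14:39:03 securitysrv1-1 ulogd[11961]: id="2001" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" '
    'fwrule="60001" initf="eth0" srcip="132.XX.XX.2" dstip="62.XX.XX.184" '
    'proto="17" length="1260" ttl="119" srcport="51822" dstport="4012"'
)
# Constructed line: a dropped UDP packet to a port that has no DNAT rule.
CONSTRUCTED_LINE = (
    '2017:02:07-14:40:10 securitysrv1-1 ulogd[11961]: id="2001" sub="packetfilter" '
    'name="Packet dropped" action="drop" fwrule="60001" initf="eth0" '
    'srcip="198.51.100.7" dstip="203.0.113.10" proto="17" srcport="40000" dstport="5060"'
)

def parse_packetfilter(line):
    """Return the key="value" fields of one packetfilter log line as a dict."""
    fields = dict(KV_RE.findall(line))
    fields["proto_name"] = PROTO_NAMES.get(fields.get("proto", ""), "other")
    return fields

def explain_drop(line, dnat=DNAT_SERVICES):
    """Classify a dropped packet relative to the DNAT service definitions."""
    f = parse_packetfilter(line)
    if f.get("action") != "drop" or not f.get("dstport", "").isdigit():
        return None
    port = int(f["dstport"])
    if port not in dnat:
        return "unrelated"
    protos, _internal_port = dnat[port]
    # Same external port, but the protocol may not be part of the service.
    return "matches-service" if f["proto_name"] in protos else "protocol-not-in-service"

def summarize(lines):
    """Count verdicts over many log lines."""
    return Counter(explain_drop(line) for line in lines)

if __name__ == "__main__":
    for line in (THREAD_LINE, CONSTRUCTED_LINE):
        f = parse_packetfilter(line)
        print(f["srcip"], f["dstport"], f["proto_name"], explain_drop(line))
```

A `protocol-not-in-service` verdict for UDP on the forwarded port is consistent with a client attempting RDP's UDP transport while the service definition only forwards TCP.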

  • Hi Thomas,

     

    Thank you for the nice article, it was really good information, because we are going to migrate our RD Gateway to Server 2012 R2.

    But our issue is dropped UDP packages when accessing a Server 2012 directly (on a different port number); we don't use RD Gateway to access the server.

     

    Thanks

  • It doesn't go to the External (WAN) (Network) but to an IP address.

    Also, as you can see, the service does not use any UDP. It looks like this UDP drop happens only when we are accessing the Server 2012! When we are accessing the Server 2008, I cannot see any dropped UDP from my IP address.