
Blackhole NAT + DROP firewall - Accept anyway?

Hi Community!

I've set up a blackhole DNAT (https://support.sophos.com/support/s/article/KB-000038943?language=en_US) and added a firewall rule:

I can see a lot of IPs going to the dummy address and being blocked (on TCP443 it's rejected with 403 actually...but nvm), but I can see IPs that are getting allowed like this:

Firewall messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="13"
fw_rule_id="14" --> Block rule
nat_rule_id="2" --> Blackhole DNAT
policy_type="1" user="" user_group="" web_policy_id="2" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id=""
ether_type="Unknown (0x0000)" --> Er, what?
 bridge_name="" bridge_display_name="" in_interface="PortB" in_display_interface="PortB" out_interface="" out_display_interface="" src_mac="XX:XX:XX:XX:XX:XX" dst_mac="YY:YY:YY:YY:YY:YY"
src_ip="X.X.X.X" --> Definitely on the "Blocked IP list"
src_country="XX" dst_ip="Y.Y.Y.Y" dst_country="YY" protocol="TCP" src_port="21878"
dst_port="443" --> Service is in the Blackhole DNAT services
packets_sent="47" packets_received="57" bytes_sent="2672" bytes_received="73780" src_trans_ip="" src_trans_port="0" dst_trans_ip=""
dst_trans_port="3128" --> Web proxy port??? What is this doing here?
src_zone_type="WAN" src_zone="WAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="2504901568" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

Any ideas? (SFVH (SFOS 18.0.3 MR-3))
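
One way to find every record of this kind in an exported firewall log, as an added example that is not part of the original post: it parses the `key="value"` fields shown above and groups connections logged with `status="Allow"` on the drop rule by source, destination port and `dst_trans_port`. It assumes one record per line and the post's rule ID 14; the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample records using field names from the log line in the post;
# addresses are documentation-range placeholders, not values from the post.
SAMPLE = '''\
log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id="14" nat_rule_id="2" src_ip="198.51.100.7" dst_port="443" dst_trans_port="3128" bytes_received="73780"
log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id="14" nat_rule_id="2" src_ip="198.51.100.9" dst_port="22" dst_trans_port="0" bytes_received="0"
log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id="5" nat_rule_id="0" src_ip="192.0.2.10" dst_port="443" dst_trans_port="0" bytes_received="1200"
log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id="14" nat_rule_id="2" src_ip="198.51.100.7" dst_port="443" dst_trans_port="3128" bytes_received="512"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse(line):
    """Turn one key="value" log line into a dict of strings."""
    return dict(FIELD.findall(line))

def allowed_on_block_rule(lines, block_rule_id="14"):
    """Yield records logged as allowed although they matched the drop rule."""
    for line in lines:
        rec = parse(line)
        if (rec.get("log_type") == "Firewall"
                and rec.get("fw_rule_id") == block_rule_id
                and rec.get("status") == "Allow"):
            yield rec

def summarize(lines, block_rule_id="14"):
    """Map (src_ip, dst_port, dst_trans_port) to (hit count, bytes received)."""
    hits, volume = Counter(), Counter()
    for rec in allowed_on_block_rule(lines, block_rule_id):
        key = (rec.get("src_ip"), rec.get("dst_port"), rec.get("dst_trans_port"))
        hits[key] += 1
        volume[key] += int(rec.get("bytes_received") or 0)
    return {k: (hits[k], volume[k]) for k in hits}

if __name__ == "__main__":
    for (src, dport, tport), (n, b) in summarize(SAMPLE.splitlines()).items():
        print(f"{src} dst_port={dport} dst_trans_port={tport} hits={n} bytes_received={b}")
```

Grouping by `dst_trans_port` shows at a glance whether the allowed records are confined to the ports that get the 3128 translation or also occur on other blackholed services.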


