Violation Local ACL

I set up a rule to NAT my external IP on port 42400 to an internal server, but the connection counter for the NAT rule shows no attempts. I also set up a corresponding FW rule to allow the traffic, which also shows no attempts. Using the log viewer while I test, the attempts are not even logged. I ran the packet capture utility in Diagnostics and found the packets with a status of Violation and the Reason is Local_ACL. Anyone have any idea why this traffic is getting caught by the Local_ACL and how I get it to allow the traffic? Below is the output from the console packet capture:


console> drop-packet-capture "host 34.248.59.52"
2020-01-19 21:25:54 0103021 IP 34.248.59.52.36452 > X.X.X.X.42400 : proto TCP: S 1748784618:1748784618(0) win 7300 checksum : 38293
0x0000: 4520 003c cff6 4000 2606 bf21 22f8 3b34 E..<..@.&..!".;4
0x0010: 442f 2329 8e64 a5a0 683c 55ea 0000 0000 D/#).d..h<U.....
0x0020: a002 1c84 9595 0000 0204 05b4 0402 080a ................
0x0030: 4418 9a1c 0000 0000 0103 0309 D...........
Date=2020-01-19 Time=21:25:54 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port4 out_dev= inzone_id=2 outzone_id=4 source_mac=2c:0b:e9:14:b8:22 dest_mac=00:0e:c4:d0:6a:00 l3_protocol=IPv4 source_ip=34.248.59.52 dest_ip=X.X.X.X l4_protocol=TCP source_port=36452 dest_port=42400 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=1047498816 masterid=0 status=256 state=1, flag0=824635817984 flags1=17179869184 pbdid_dir0=0 pbrid_dir1=0

2020-01-19 21:25:55 0103021 IP 34.248.59.52.36452 > X.X.X.X.42400 : proto TCP: S 1748784618:1748784618(0) win 7300 checksum : 38043
0x0000: 4520 003c cff7 4000 2606 bf20 22f8 3b34 E..<..@.&...".;4
0x0010: 442f 2329 8e64 a5a0 683c 55ea 0000 0000 D/#).d..h<U.....
0x0020: a002 1c84 949b 0000 0204 05b4 0402 080a ................
0x0030: 4418 9b16 0000 0000 0103 0309 D...........
Date=2020-01-19 Time=21:25:55 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port4 out_dev= inzone_id=2 outzone_id=4 source_mac=2c:0b:e9:14:b8:22 dest_mac=00:0e:c4:d0:6a:00 l3_protocol=IPv4 source_ip=34.248.59.52 dest_ip=X.X.X.X l4_protocol=TCP source_port=36452 dest_port=42400 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=1047498816 masterid=0 status=256 state=1, flag0=824635817984 flags1=17179869184 pbdid_dir0=0 pbrid_dir1=0

2020-01-19 21:25:57 0103021 IP 34.248.59.52.36452 > X.X.X.X.42400 : proto TCP: S 1748784618:1748784618(0) win 7300 checksum : 37542
0x0000: 4520 003c cff8 4000 2606 bf1f 22f8 3b34 E..<..@.&...".;4
0x0010: 442f 2329 8e64 a5a0 683c 55ea 0000 0000 D/#).d..h<U.....
0x0020: a002 1c84 92a6 0000 0204 05b4 0402 080a ................
0x0030: 4418 9d0b 0000 0000 0103 0309 D...........
Date=2020-01-19 Time=21:25:57 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port4 out_dev= inzone_id=2 outzone_id=4 source_mac=2c:0b:e9:14:b8:22 dest_mac=00:0e:c4:d0:6a:00 l3_protocol=IPv4 source_ip=34.248.59.52 dest_ip=X.X.X.X l4_protocol=TCP source_port=36452 dest_port=42400 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 gateway_offset=0 connid=1047498816 masterid=0 status=256 state=1, flag0=824635817984 flags1=17179869184 pbdid_dir0=0 pbrid_dir1=0
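The drop-packet-capture output above interleaves a tcpdump-style header, a hex dump, and one long `key=value` record per packet, which is hard to read by eye. As an added example (not code from the post, and not a Sophos tool), the following Python script parses those `key=value` records, counts the denies by component, protocol and destination port, and flags records whose fields (`log_component=Local_ACLs`, `dnat_done=0`, `fw_rule_id=N/A`) show the packet was dropped before DNAT and before any firewall rule was matched, which is consistent with the NAT and firewall rule counters staying at zero. The sample input is constructed from the three records in the post, trimmed to the fields used, plus one invented allowed record for contrast; the function names are the example's own.

```python
"""Triage helper for Sophos XG drop-packet-capture output (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the key=value lines in the post above
# and trimmed to the fields this triage uses. The first three records mirror
# the three Local_ACLs denies from the post (X.X.X.X is the redacted WAN
# address); the fourth is an invented, allowed connection added for contrast.
SAMPLE_LOG = """\
Date=2020-01-19 Time=21:25:54 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied in_dev=Port4 out_dev= inzone_id=2 outzone_id=4 source_ip=34.248.59.52 dest_ip=X.X.X.X l4_protocol=TCP source_port=36452 dest_port=42400 fw_rule_id=N/A dnat_done=0 nat_id=0 connid=1047498816 state=1, flag0=824635817984
Date=2020-01-19 Time=21:25:55 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied in_dev=Port4 out_dev= inzone_id=2 outzone_id=4 source_ip=34.248.59.52 dest_ip=X.X.X.X l4_protocol=TCP source_port=36452 dest_port=42400 fw_rule_id=N/A dnat_done=0 nat_id=0 connid=1047498816 state=1, flag0=824635817984
Date=2020-01-19 Time=21:25:57 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied in_dev=Port4 out_dev= inzone_id=2 outzone_id=4 source_ip=34.248.59.52 dest_ip=X.X.X.X l4_protocol=TCP source_port=36452 dest_port=42400 fw_rule_id=N/A dnat_done=0 nat_id=0 connid=1047498816 state=1, flag0=824635817984
Date=2020-01-19 Time=21:26:10 log_id=0103021 log_type=Firewall log_component=Firewall log_subtype=Allowed in_dev=Port4 out_dev=Port1 inzone_id=2 outzone_id=1 source_ip=198.51.100.7 dest_ip=X.X.X.X l4_protocol=TCP source_port=51000 dest_port=443 fw_rule_id=12 dnat_done=1 nat_id=3 connid=1047498900 state=1, flag0=0
"""

# key=value tokens are whitespace separated; a value may be empty (out_dev=).
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_kv_line(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict.

    Empty values (``out_dev=``) are kept as "" and the trailing comma that
    appears in ``state=1,`` is stripped from the value.
    """
    return {k: v.rstrip(",") for k, v in KV_RE.findall(line)}


def parse_capture(text: str) -> List[Dict[str, str]]:
    """Keep only the key=value records; the tcpdump-style headers and hex
    dump lines in a capture are skipped."""
    return [parse_kv_line(ln) for ln in text.splitlines() if ln.startswith("Date=")]


def is_pre_rule_drop(rec: Dict[str, str]) -> bool:
    """True for a Local_ACLs deny that happened before DNAT and before any
    firewall rule matched (dnat_done=0, fw_rule_id=N/A). Such a packet never
    reaches the NAT or firewall rule, so their hit counters stay at zero."""
    return (rec.get("log_component") == "Local_ACLs"
            and rec.get("log_subtype") == "Denied"
            and rec.get("dnat_done") == "0"
            and rec.get("fw_rule_id") == "N/A")


DropKey = Tuple[str, str, str, str]  # (component, subtype, l4 proto, dest port)


def summarize_drops(records: List[Dict[str, str]]) -> "Counter[DropKey]":
    """Count denied records by component, subtype, L4 protocol and dest port."""
    counts: "Counter[DropKey]" = Counter()
    for r in records:
        if r.get("log_subtype") == "Denied":
            key = (r.get("log_component", ""), "Denied",
                   r.get("l4_protocol", ""), r.get("dest_port", ""))
            counts[key] += 1
    return counts


def report(text: str) -> List[str]:
    """Build a short human-readable triage of one capture."""
    records = parse_capture(text)
    lines = []
    for (comp, sub, proto, port), n in sorted(summarize_drops(records).items()):
        lines.append(f"{n:3d} x {comp}/{sub} {proto} dport {port}")
    pre = [r for r in records if is_pre_rule_drop(r)]
    if pre:
        srcs = ", ".join(sorted({r.get("source_ip", "?") for r in pre}))
        lines.append(
            f"{len(pre)} packet(s) from {srcs} dropped by Local_ACLs on "
            f"in_dev={pre[0].get('in_dev')} (zone {pre[0].get('inzone_id')}) "
            "before DNAT and rule lookup; review the local ACL for that zone "
            "rather than the NAT/firewall rules.")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed the script the saved console output instead of `SAMPLE_LOG` to triage a real capture; the `Date=` records are the only lines it needs, so the header and hex-dump lines can stay in the file.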

  • Hi,

    the firewall rule should look a bit like this

    source WAN -> ANY - Destination  LAN -> server IP - Service (TCP 1:65335 to 42400) -> any time -> log. Use a linked NAT rule and choose MASQ, which I think should automatically set up the correct interfaces.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
