This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Allow traffic based on protocol

Hi all

In my UTM firewall log, I can see incoming MS Teams traffic being dropped. The traffic is coming from a public IP, not Microsoft's O365 IP ranges.

In my rules, I have allowed Microsoft's "high ports" 50000:50059 (the 2nd row for example), but the dropped packet is using a port outside the range.

However as shown, UTM recognises both packets as Microsoft Teams. This column is where it usually says TCP, UDP, ICMP etc.

My question is how can I define a rule using the traffic type? Because normally when you're setting a rule, you can select services which are based on port numbers, not traffic type.

Cheers

Ali



This thread was automatically locked due to age.
Parents
  • Thanks for prompt response, here's the firewall log

    2023:02:16-15:19:13 utm-1 ulogd[29877]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth3" mark="0x381c" app="2076" srcmac="Removed" dstmac="Removed" srcip="49.185.94.67" dstip="Removed" proto="17" length="140" tos="0x10" prec="0x20" ttl="53" srcport="14140" dstport="47533"
    2023:02:16-15:19:13 utm-1 ulogd[29877]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="17" initf="eth3" mark="0x381c" app="2076" srcmac="Removed" dstmac="Removed" srcip="49.185.94.67" dstip="Removed" proto="17" length="140" tos="0x10" prec="0x20" ttl="53" srcport="14142" dstport="50026"

  • According to https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers, protocol 17 is UDP, so your theory of filtering by protocol would not work.

    What you could do is expand the permitted port range in your firewall rule.

    It's probably identifying it as Teams based on the source IP and/or destination port.

  • Thanks for the notes Jay

    The source IP is just an ISP's customer range.

    Also I don't really want to expand the permitted ports to an unknown/undocumented range.

    Considering that Microsoft has only listed UDP ports 50000:50059, and UTM somehow identifies the traffic as MS Teams, I am trying to see how it does it and if a rule can use this traffic type to allow/block it?

Reply
  • Thanks for the notes Jay

    The source IP is just an ISP's customer range.

    Also I don't really want to expand the permitted ports to an unknown/undocumented range.

    Considering that Microsoft has only listed UDP ports 50000:50059, and UTM somehow identifies the traffic as MS Teams, I am trying to see how it does it and if a rule can use this traffic type to allow/block it?

Children
No Data