This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Drop Packet

Hi,

Our UTM allow all outgoing connection from the internal network, but still I can see somoe drop Packets from the internal servers to the internal IP of the UTM,

if I go to these servers and try to access any htps or http site I can open them without any problem! should we ignor this?

this is one example:

2016:08:22-02:36:55 securitysrv1-1 ulogd[14154]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:24:e8:3b:82:20" dstmac="00:1a:8c:f0:0f:a1" srcip="10.0.10.11" dstip="10.0.10.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="443" dstport="27536" tcpflags="ACK FIN" 

or this one:

2016:08:22-01:34:04 securitysrv1-1 ulogd[14154]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:1e:c9:f7:c9:b3" dstmac="00:1a:8c:f0:0f:a0" srcip="10.0.10.183" dstip="10.0.10.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="80" dstport="29619" tcpflags="ACK FIN" 


This thread was automatically locked due to age.
Parents
  • Hi,

    The drops are captured for internal communications between eth1 and eth0, may be caused due to no firewall rule detection. If that is not causing any issue in the production as of now, just ignore it.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Sachine,

    Sorry to bother you again,

    could you please tell me what this means:

    2016:08:24-09:16:02 securitysrv1-1 reverseproxy: id="0299" srcip="82.XX.XX.54" localip="62.XX.XX.190" size="279" user="-" host="82.XX.XX.54" method="RPC_IN_DATA" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="397" url="/rpc/rpcproxy.dll" server="remote.mydomain.nl" referer="-" cookie="-" set-cookie="-"
    2016:08:24-09:16:03 securitysrv1-1 reverseproxy: [Wed Aug 24 09:16:03.001256 2016] [url_hardening:error] [pid 1692:tid 3777379184] [client 82.XX.XX.54:50113] No signature found, URI: https://remote.mydomain.nl/rpc/rpcproxy.dll?localhost:3388

    When we try to access our Rd gateway that is setup with WAF  from IOS or mac machines the connection failed and the above get logged.

    the /rpc/* and /rpcwithcert/* already added to the exception but still no connection.

    we can access the the same RDgate servers from Windows devices without any problem. 

  • Hi,

    No problem you can ping me anytime but as always one question per thread rule!!

    What are you hosting over WAF? At present, we do not support the Outlook Anywhere connections for Mac clients over WAF. Taken in NUTM-11969.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

Reply Children
  • Thank you for your reply as Always I really appreciate it.

    my problem has been solved, just for information,

    In the URL hardening of firewall profile I  did add the /rpc/rpcproxy.dll?localhost:3388 and now we can access our servers from Iphons and mac. it looks like I did just added /rpc and /rpcwithcert.

    Just one issue remains and that is some of our server 2012 R2 are not accessble with WAF, we did create a DNAT only for these servers and we can access them as well.

    I will open a new post to see why we cannot access the server 2012 R2 with WAF from IPhone and mac.

    Thanks