Default Drop

HI Aaron,

Please copy here several related drop lines from the full Firewall log file (not the Live Log).

Cheers - Bob

Bob thanks for the reply. I have since found out this is normal. As in other people have this so I am not worried about it.

The issue is that I am trying to get the game FIFA 19 working on my son's PS4. The issue is that when he plays tried to play Division Rivals it loses connection. He can find an opponent but when he starts the game it has that the connection was lost.

I have search EA support forums and Google and have come up with a list of ports that should be allowed. I have created these as services and added them to a group. I have allowed these in the Web Protection and also created a DNAT rule that is:

Any - FIFA 19 PS4 group - External (WAN) Address, the destination translation is PS4 - WiFi host.

The connection doesn't work. I have also tried adding a SNAT above that rule with the following but this doesn't work either:

PS4 WiFi - Any - Any -  the source translation: External (WAN) Address.

Inside the FIFA 19 PS4 group, I have added about 14 services that are either TCP or UDP. 

Is there a way to find out if any ports are being blocked? I have checked the logs but cannot find any blocked ports.

You help would be greatly appreciated.

Thanks

Aaron

Aaron, if you're still experiencing drops in the Firewall log, please show us a few relevant lines from that file (NOT the Live Log).

For the current issue, insert a picture of the Edit of the NAT rule.

Cheers - Bob

Bob, thanks for your reply. I am hoping you have the magic touch to get this working.

I am not seeing any drops in the logs but the game is not working. I have had this issue before where the logs shows nothing but I have found a missing port online, added it and the game works. This was FIFA 18 on XBOX 360.

As for the NAT rule, please see image below:

Thanks

Aaron

Are you sure that the "PS4-WiFi" object doesn't violate #3 in Rulz?  I also would check the Intrusion Prevention log to rule that out.

Cheers - Bob

Are you sure that the "PS4-WiFi" object doesn't violate #3 in Rulz?  I also would check the Intrusion Prevention log to rule that out.

Cheers - Bob

Bob,

When I create Network Definitions I never assign them to a particular point. I have checked this host and it has ANY in the Advanced - Interface section.

I have also checked the Intrusion Prevention log and not sure what I am looking for.

I will read through the rulez and see if there is something in there that might help me.

Is there a way where I can disable components and see if I can get this to work, then turn them back on until it breaks?

thanks heaps

Aaron

If you read through #1 in Rulz, you know that it's tricky to disable "everything" in a section.  Better to leave things on and show us log lines and pictures of the Edits of the relevant configuration items.

If you have anything in the Intrusion Prevention log, copy a few lines here to get started on understanding.

Cheers - Bob

Bob. I have nothing in the IP log.

I have created a PS4 - any - internat ip4 and a Internet ip4 - any - ps4 and itstill doesn’t work.

I have also the following Nat:

Any - Fifa services - external wan address

Destination: ps 4

This still doesn’t work.

Inside the firewall log I see some packets logged that might be for this device. There is some packets dropped from and Internet address going to the wan IP address.

Thanks

Aaron

In general, when trying to get help here, it's better to show what you're looking at instead of describing what you see.  We have yet to see any relevant lines from a log.  We also need to see pictures of the NAT and firewall rules you've described.

Cheers - Bob

Bob, thanks for skill trying, I am not seeing anything so I am guessing that your won't see anything.

The PS4 IP address is 192.168.200.79

So here is the firewall rule that I have created. I have tried using the Any as well as Internal (Network) and it still doesn't work:

Here is my NAT rule. I have tried with the SNAT both enabled and disabled and it doesnt work:

I have created a group called FIFA 19 PS4 and added about 15 service definitions to it:

Here are some lines from the IPS on the same day that we tried the game but not from the same time as there wasn't anything recorded in the log at the time we tried:

2019:02:13-09:09:52 salkeldfam snort[19961]: S5: Pruned session from cache that was using 1115003 bytes (stale/timeout). 192.168.200.79 62916 --> 69.164.15.50 80 (0) : LWstate 0x9 LWFlags 0x6007
2019:02:13-09:09:52 salkeldfam snort[19961]: S5: Pruned session from cache that was using 1114743 bytes (stale/timeout). 192.168.200.79 53708 --> 69.164.15.50 80 (0) : LWstate 0x9 LWFlags 0x6007
2019:02:13-09:09:52 salkeldfam snort[19961]: S5: Session exceeded configured max bytes to queue 1048576 using 1049128 bytes (client queue). 192.168.200.79 58575 --> 69.164.15.237 80 (0) : LWstate 0x9 LWFlags 0x6007
2019:02:13-09:10:54 salkeldfam snort[19961]: S5: Session exceeded configured max bytes to queue 1048576 using 1048744 bytes (client queue). 192.168.200.79 52152 --> 38.98.18.186 80 (0) : LWstate 0x9 LWFlags 0x6007
2019:02:13-09:11:14 salkeldfam snort[19961]: S5: Session exceeded configured max bytes to queue 1048576 using 1049332 bytes (client queue). 192.168.200.79 58417 --> 38.98.18.186 80 (0) : LWstate 0x9 LWFlags 0x6007
2019:02:13-09:11:34 salkeldfam snort[19961]: S5: Session exceeded configured max bytes to queue 1048576 using 1048712 bytes (client queue). 192.168.200.79 61888 --> 38.98.18.186 80 (0) : LWstate 0x9 LWFlags 0x6007
2019:02:13-09:11:52 salkeldfam snort[19961]: S5: Session exceeded configured max bytes to queue 1048576 using 1049464 bytes (client queue). 192.168.200.79 50580 --> 149.135.80.11 80 (0) : LWstate 0x9 LWFlags 0x6007
2019:02:13-09:14:32 salkeldfam snort[19961]: S5: Session exceeded configured max bytes to queue 1048576 using 1049116 bytes (client queue). 192.168.200.79 61634 --> 38.98.18.204 80 (0) : LWstate 0x9 LWFlags 0x6007

This is information from the Firewall log from the time that we tried the game:

2019:02:13-17:13:19 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="118.170.42.4" dstip="124.190.219.195" proto="6" length="60" tos="0x00" prec="0x00" ttl="48" srcport="43828" dstport="23" tcpflags="SYN"
2019:02:13-17:13:22 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="118.170.42.4" dstip="124.190.219.195" proto="6" length="60" tos="0x00" prec="0x00" ttl="48" srcport="43828" dstport="23" tcpflags="SYN"
2019:02:13-17:13:28 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="118.170.42.4" dstip="124.190.219.195" proto="6" length="60" tos="0x00" prec="0x00" ttl="48" srcport="43828" dstport="23" tcpflags="SYN"
2019:02:13-17:13:29 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60004" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="115.238.245.8" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="235" srcport="9090" dstport="22" tcpflags="SYN"
2019:02:13-17:13:31 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="17.56.136.197" dstip="124.190.219.195" proto="6" length="83" tos="0x00" prec="0x00" ttl="45" srcport="993" dstport="59757" tcpflags="ACK PSH FIN"
2019:02:13-17:13:39 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="17.56.136.164" dstip="124.190.219.195" proto="6" length="83" tos="0x00" prec="0x00" ttl="45" srcport="993" dstport="59752" tcpflags="ACK PSH FIN"
2019:02:13-17:13:40 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="118.170.42.4" dstip="124.190.219.195" proto="6" length="60" tos="0x00" prec="0x00" ttl="48" srcport="43828" dstport="23" tcpflags="SYN"
2019:02:13-17:13:40 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="92.63.196.22" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="245" srcport="44528" dstport="22515" tcpflags="SYN"
2019:02:13-17:13:46 salkeldfam ulogd[24815]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="46.161.27.42" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="245" srcport="43970" dstport="19522" tcpflags="SYN"
2019:02:13-17:13:46 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="46.161.27.42" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="245" srcport="43970" dstport="19522" tcpflags="RST"
2019:02:13-17:13:46 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="46.161.27.42" dstip="124.190.219.195" proto="1" length="68" tos="0x00" prec="0x00" ttl="54" type="3" code="10"
2019:02:13-17:13:52 salkeldfam ulogd[24815]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="14.135.120.18" dstip="124.190.219.195" proto="6" length="52" tos="0x00" prec="0x00" ttl="240" srcport="53401" dstport="18246" tcpflags="SYN"
2019:02:13-17:13:52 salkeldfam ulogd[24815]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62002" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="205.205.150.18" dstip="124.190.219.195" proto="6" length="52" tos="0x00" prec="0x00" ttl="241" srcport="50423" dstport="18246" tcpflags="SYN"
2019:02:13-17:13:52 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="46.161.27.42" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="245" srcport="43970" dstport="9189" tcpflags="SYN"
2019:02:13-17:13:52 salkeldfam ulogd[24815]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:01:5c:81:2a:46" dstmac="00:1b:78:56:0d:2c" srcip="14.135.120.18" dstip="124.190.219.195" proto="6" length="52" tos="0x00" prec="0x00" ttl="240" srcport="53401" dstport="18246" tcpflags="RST"

Not sure what else you would like to view. 

Once again thank you for your time and effort you have put into this issue for me. It is very much appreciated. 

Thanks
Aaron

Getting closer, Aaron! :-)

Firewall rule 7 has no effect.  Any traffic allowed through to the PS4 comes via your DNAT rule.

Your "FIFA 19 PS4" might be missing some ports:

srcip="118.170.42.4" dstip="124.190.219.195" proto="6" length="60" tos="0x00" prec="0x00" ttl="48" srcport="43828" dstport="23" tcpflags="SYN"
srcip="115.238.245.8" dstip="124.190.219.195" proto="6" length="40" tos="0x00" prec="0x00" ttl="235" srcport="9090" dstport="22" tcpflags="SYN"

Then again, you need to check the srcip values with things like https://www.ip2location.com/demo/ and https://centralops.net/co/DomainDossier.aspx.  That's the only way to see if these drops are related to what you're doing.

I haven't seen complaints about max bytes to queue for several years.  I don't know that this is causing you a problem.  If you have a lot of unused memory in your UTM, you can double the size with the following, but if you're tight on RAM, you might want to be more conservative.  If you do try this, do report back on the effect on your issue.

cc set ips snortsettings max_queued_bytes 2097152

Cheers - Bob

Random thoughts:

Always check the web filtering logs carefully, as well as firewall and IPS.   Web Filtering traffic does not flow through the firewall.  Whenever the firewall log is empty, I tend to assume the answer is in the web filtering logs.

Verify that this device is exempt from decrypt-and-scan.   Most home users don't turn this on anyway, but it creates problems for applications that use a mix of web and non-web traffic.