
Dropped Packets after trying to Configure MS Exchange WAF

Hi All,

I have been trying to configure MS Exchange WAF set up using UTM FW 9.411-3 and have noticed a spike in dropped packets in my Firewall log. 

I have been following the steps in the 9.3 Exchange WAF guide (from Nov 2015) but it is further complicated as we use a hybrid On Prem and Office 365 set up.

I am thinking of restoring back to before the changes as my normal firewall log size is much smaller.

The dropped packets look to be Citrix servers trying to talk to my UTM on port 80 (172.16.5.31) but I don't recognize the source ports?

2017:03:21-14:17:48 srv-utm1-1 ulogd[11354]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:50:56:a4:39:cc" dstmac="00:1a:8c:f0:5c:e0" srcip="172.16.5.50" dstip="172.16.5.31" proto="6" length="52" tos="0x02" prec="0x00" ttl="128" srcport="59915" dstport="80" tcpflags="SYN"
2017:03:21-14:17:51 srv-utm1-1 ulogd[11354]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:50:56:a4:39:cc" dstmac="00:1a:8c:f0:5c:e0" srcip="172.16.5.50" dstip="172.16.5.31" proto="6" length="52" tos="0x02" prec="0x00" ttl="128" srcport="59915" dstport="80" tcpflags="SYN"
2017:03:21-14:17:55 srv-utm1-1 ulogd[11354]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:50:56:a4:39:cc" dstmac="00:1a:8c:f0:5c:e0" srcip="172.16.5.50" dstip="172.16.5.31" proto="6" length="52" tos="0x02" prec="0x00" ttl="128" srcport="59916" dstport="80" tcpflags="SYN"
2017:03:21-14:17:57 srv-utm1-1 ulogd[11354]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:50:56:a4:39:cc" dstmac="00:1a:8c:f0:5c:e0" srcip="172.16.5.50" dstip="172.16.5.31" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="59915" dstport="80" tcpflags="SYN"
2017:03:21-14:17:57 srv-utm1-1 ulogd[11354]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:50:56:a4:39:cc" dstmac="00:1a:8c:f0:5c:e0" srcip="172.16.5.50" dstip="172.16.5.31" proto="6" length="52" tos="0x02" prec="0x00" ttl="128" srcport="59916" dstport="80" tcpflags="SYN"
2017:03:21-14:18:04 srv-utm1-1 ulogd[11354]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="00:50:56:a4:39:cc" dstmac="00:1a:8c:f0:5c:e0" srcip="172.16.5.50" dstip="172.16.5.31" proto="6" length="48" tos="0x00" prec="0x00" ttl="128" srcport="59916" dstport="80" tcpflags="SYN"

 

Thanks,

Mark.
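An added example, not part of the original post: a short Python script that groups drop lines in this key="value" format by connection attempt (source IP, source port, destination IP, destination port), so repeated SYNs from one source port are counted as retries of a single attempt rather than as separate events. The sample lines are constructed, shortened from the format quoted above, and the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: drop lines shortened from the format quoted in the post.
_TAIL = ('srv-utm1-1 ulogd[11354]: id="2001" action="drop" fwrule="60001" '
         'srcip="172.16.5.50" dstip="172.16.5.31" proto="6" '
         'srcport="{}" dstport="80" tcpflags="SYN"')
SAMPLE = "\n".join(f"2017:03:21-{t} " + _TAIL.format(p) for t, p in [
    ("14:17:48", 59915), ("14:17:51", 59915), ("14:17:55", 59916),
    ("14:17:57", 59915), ("14:17:57", 59916), ("14:18:04", 59916)])

KV = re.compile(r'(\w+)="([^"]*)"')
STAMP = "%Y:%m:%d-%H:%M:%S"

def parse_line(line):
    """Return the timestamp and key="value" fields of one packetfilter line."""
    stamp, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["time"] = datetime.strptime(stamp, STAMP)
    return fields

def summarize_drops(text):
    """Group dropped packets by connection attempt (the TCP 4-tuple)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if 'action="drop"' not in line:
            continue
        f = parse_line(line)
        # Protocols without ports (e.g. ICMP) have no srcport/dstport fields.
        key = (f["srcip"], int(f.get("srcport", 0)),
               f["dstip"], int(f.get("dstport", 0)))
        flows[key].append(f)
    report = []
    for key, pkts in sorted(flows.items()):
        times = [p["time"] for p in pkts]
        report.append({
            "flow": key,
            "packets": len(pkts),
            "syn_only": all(p.get("tcpflags") == "SYN" for p in pkts),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
            "fwrule": sorted({p.get("fwrule", "?") for p in pkts}),
        })
    return report

if __name__ == "__main__":
    for row in summarize_drops(SAMPLE):
        print(row)
```
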


