Drop Package

Question

Hi, 
 We have DNAT rule that allow connection over port 443 to an internal server, I have enable loging for this DNAT rule because we have some complaints that some users sometimes cannot access the internal server. I did check the FW logs and could see this entry: 
 
 017:06:20-10:22:40 securitysrv1-1 ulogd[26092]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="14:e0:39:06:76:9a" dstmac="00:1a:9c:f1:1f:a0" srcip="95.XX.XX.36" dstip="62.XX.XX.193" proto="6" length="40" tos="0x00" prec="0x00" ttl="56" srcport="58955" dstport="443" tcpflags="RST" 
 There is a rule that allow connection to the internal server, becuase I can access the internal server no problem there, but why UTM reset the connection? 
 
 Thanks

sachingurung · Answer

Hi Aresh, 
 These logs don't relate with the drops over the connection with the internal server. Look at the Packetfilter logfiles information on the UTM . 
 You can find the firewall logs by hovering the mouse pointer on the magnifier icon situated on the top right of the Web Admin GUI. The drops can be related due to certain things, you can request the customer to capture a .pcap file for the communication and verify the cause of disconnection. 
 Thanks

sachingurung · Answer

My mistake that I was not clear in my previous response. I suspect that the packet is dropped before it gets into the NAT table but let's concentrate on the possibilities of the drops. This might be caused due to IPS, check the ips.log in /var/log directory and monitor if any log line relates to these drop. You can note down the "sid" from the logs and create a rule modification in the IPS | Advance tab | Manual rule modification | Allow. 
 Any help?