Automatic firewall rules Vs Manual firewall rules

Question

Hi All 
 I am trying to get a better understanding of the differences between the 2. I am using UTM 9 on SG125 
 I have multiple IPSEC sites (Grouped as VPN-0-All Branches) all connecting to Head Office (VPN-Z-LAN). 
 So I do not enable automatic firewall rules but set to manual rules as follows Key being 1&2 (Allow between Branch & HO Any + HO & Branch Any) 
 
 My application (using single port for connection) connects fine under above but I cannot access anything else such as web access to remote router or remote desktop via IP address 
 If I enable rule 4 (Web Surfing) I can access remote router but still cannot remote desktop to a machine at branch using IP address i.e.

However if I let UTM create an auto rule all works fine (even if I have all others disabled) e.g. In this example have allowed creation of auto firewall rule between Branch B and Z Any 
 
 In this case all works fine. So what's the difference? [:^)] 
 Is it the case the in manually created rule "Any" is not the same thing as "Any" on the auto created rule or something else? 
 
 Any insight would be appreciated

apijnappels · Accepted Answer

Could it be that your branch network definition is bound to an interface (see Rule 3 from Rulz )?

BAlfson · Answer

You will want to delete your 'Any -> Any -> Any : Drop' rule. Even if you log those drops, there's less information in the log that there is with a default drop. 
 Cheers - Bob

apijnappels · Answer

Not sure why the auto fw rules did work, but do know that binding to an interface can give a lot of headache and unforeseen trouble (as you have noticed too). 
 In UTM all traffic that isn't allowed is automatically blocked, adding a block rule at the end is only usefull if you don't want to log this traffic (you can then disable logging on this rule). However I find this traffic quite informational from time to time, but I did for example put a block rule at the top of my rules where I block telnet and ssh access from the internet and don't log it, otherwise I see too much of these block rules in the log. 
 Your final understanding about all definitions being interface any is correct. 
 One thing that I have found which is a plus for "automatic fw rules" is that those rules are only active when the underlying (either DNAT or VPN) is also active. If you deactivate those, the auto fw rules are also automatically deactivated. However in site-to-site VPN an auto fw rule will allow any traffic from A to B and vice versa where in manual rules you can be much more granular and only allow services that need to be allowed.

BAlfson · Answer

Interesting, I don't know why the behavior was different with automatic rules. 
 The underlying firewall engine is iptables. Iptables considers traffic to be in INPUT, FORWARD and OUTPUT chains. Using a Network/Host definition bound to an interface causes WebAdmin to create an iptables firewall rule for the INPUT or OUTPUT chain, instead of the FORWARD chain which is what you wanted. 
 A firewall will block everything not explicitly allowed, so #3 does nothing for you other than limit the information in the Firewall log file. Look again at #2 in Rulz and you will be reminded that WebAdmin creates many (invisible except at the command line) Allow rules when things like Web Filtering are configured. 
 Cheers - Bob

DouglasFoster · Answer

I have not stared at your examples long enough to understand your configuration, but I do understand the theory, which is enough to answer your question: 
 
 The VPN Profile defines what packets the remote device will send into the tunnel. Anything not included in the VPN profile is handled locally by the remote device. 
 All of the normal UTM proxy logic is applied to the packet when it arrives at UTM. Depending on your enabled proxies and Allowed Networks list, the packet may be handled by Web Filtering, FTP Proxy, POP3 proxy, Web Protection, or Firewall Rules. Assuming that you have not enabled the VPN source addresses for any of the proxy Allowed Networks list, the packet will be processed by Firewall Rules. 
 The Default firewall rule is to DROP. So for any traffic to be accepted from the tunnel, you need to give it permission. 
 If you choose Automatic Firewall rules, UTM creates an Firewall ALLOW rule that matches the VPN Profile (all allowed addresses, all ports). In most situations, this is too permissive. 
 If you choose Manual Firewall rules, then UTM relies on you to define what specific ports on which specific addresses will be allowed. 
 Obviously, the Manual Firewall rules can only allow traffic that arrives at UTM, so it can only allow traffic for the addresses included in the VPN profile. 
 
 You said that with Automatic Rules off, your traffic is being blocked. This means that your manual rules are not allowing all of the traffic that you want, or that the rule is in the wrong position, so a BLOCK rule is being applied before a desired ALLOW rule can be detected. Rules are processed from low number to high.