Solved - Unable to determine why some traffic is being denied

We've got a couple of Makerbot printers that are not able to communicate properly with the Makerbot servers. From watching the Traffic Monitor I'm seeing denies happening for the IP addresses of the printers though it does not list the port that is being denied.

For example:
2020-11-05 10:26:14 Deny 10.2.3.17 8.8.8.8 0-School-Net-Bridge 0-External Denied 84 63 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"

The only traffic for those printers that is showing up in the Traffic Monitor is denies similar to the example above, though there are a couple of other destination IPs. Each of the destination IPs appears to be an external DNS server.

Any thoughts on how we could troubleshoot why this deny is occurring?
We are running an XTM33 with Fireware build version 11.11.2.

Comments

  • 8.8.8.8 is a Google DNS server.
    Does the printer have an allow policy for DNS packets to the Internet?

    Where are you accessing Traffic Monitor? The Web UI or Firebox System Manager?

    For the record, what XTM version do you have?

  • DNS queries to external DNS servers are allowed.
    I just did a nslookup from a client with the same policies applied:
    2020-11-05 11:00:57 Allow 10.2.1.43 8.8.8.8 40029 53 0-School-Net-Bridge 0-External Allowed 53 63 (Outgoing-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="137.83.36.165"

    Now that I look at it again, it appears that it is port 84 that is being blocked in my first post, if I'm reading that log output correctly. I may be mistaken though, since I just created a policy to allow TCP and UDP traffic on port 84 and am still getting a deny.

    I'm accessing the Traffic Monitor via the Fireware Web UI since it is the most convenient method for me currently.

    By the XTM version, are you meaning the model? If so, it is an XTM33 that is running Fireware version 11.11.2.

  • For this portion of the log message: 0-External Denied 84 63

    84 = packet length; 63 = ttl

    No idea why the deny log message is not showing the source & dest port.
    You are running a fairly old version of Fireware - so perhaps that is the issue.
    I expect that you will see more helpful info in the deny log messages if you try using WSM Firebox System Manager.

  • You were right; when watching the Traffic Monitor from the Firebox System Manager it showed that ICMP was being blocked, and that was easily resolved. Thanks for your help.
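The confusion in this thread came from reading the two numbers after the disposition as ports when, as the second reply explains, they are the packet length and TTL; the Deny line carries no source/destination port pair at all, while the Allow line does. The parser below is an added example, not code from the thread or from WatchGuard: it splits Fireware Traffic Monitor lines into named fields based on the two lines quoted above, and pulls out Deny entries that log no L4 ports so they can be reviewed separately (the thread's resolution was blocked ICMP; treating a port-less deny as a candidate for non-TCP/UDP traffic is this example's assumption). The third sample line, with the 203.0.113.5 destination, is constructed for illustration.

```python
"""Parse WatchGuard Fireware Traffic Monitor lines (example code, not WatchGuard's)
and separate Deny entries that carry no TCP/UDP port pair from the rest."""
import re
from collections import Counter

# Field order as seen in the thread's two log lines. The src/dst port pair is
# optional: the Deny line in the question has none, the Allow line has both.
# The two integers after the disposition are packet length and TTL, not ports.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>Allow|Deny) "
    r"(?P<src>\S+) (?P<dst>\S+)"
    r"(?: (?P<sport>\d+) (?P<dport>\d+))? "
    r"(?P<src_if>\S+) (?P<dst_if>\S+) (?P<disposition>\S+) "
    r"(?P<length>\d+) (?P<ttl>\d+) "
    r"\((?P<policy>[^)]*)\)\s*(?P<kv>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Lines 1 and 2 are the ones quoted in the thread; line 3 is constructed
# (203.0.113.5 is a documentation-range placeholder, not a real server).
DENY_LINE = ('2020-11-05 10:26:14 Deny 10.2.3.17 8.8.8.8 0-School-Net-Bridge 0-External '
             'Denied 84 63 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" '
             'msg_id="3000-0148"')
ALLOW_LINE = ('2020-11-05 11:00:57 Allow 10.2.1.43 8.8.8.8 40029 53 0-School-Net-Bridge '
              '0-External Allowed 53 63 (Outgoing-00) proc_id="firewall" rc="100" '
              'msg_id="3000-0148" src_ip_nat="137.83.36.165"')
CONSTRUCTED_DENY = ('2020-11-05 10:27:40 Deny 10.2.3.17 203.0.113.5 0-School-Net-Bridge '
                    '0-External Denied 84 63 (Unhandled Internal Packet-00) '
                    'proc_id="firewall" rc="101" msg_id="3000-0148"')
SAMPLE_LINES = [DENY_LINE, ALLOW_LINE, CONSTRUCTED_DENY]


def parse_fireware_line(line):
    """Return a dict of named fields, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length", "ttl"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    # Trailing key="value" pairs (proc_id, rc, msg_id, src_ip_nat, ...).
    rec["fields"] = dict(KV_RE.findall(rec.pop("kv")))
    return rec


def portless_denies(lines):
    """Deny records with no port pair: the traffic is not being logged as
    TCP/UDP, so the Web UI line alone cannot tell you which protocol it is
    (the thread's case turned out to be ICMP). Assumption of this example."""
    out = []
    for line in lines:
        rec = parse_fireware_line(line)
        if rec and rec["action"] == "Deny" and rec["sport"] is None:
            out.append(rec)
    return out


def summarize(lines):
    """Count port-less denies per (src, dst, policy) so repeat offenders stand out."""
    return Counter((r["src"], r["dst"], r["policy"]) for r in portless_denies(lines))


if __name__ == "__main__":
    for (src, dst, policy), n in summarize(SAMPLE_LINES).items():
        print(f"{n}x port-less deny {src} -> {dst} by policy '{policy}'")
```

Running it over the sample lines reports the two port-less denies from 10.2.3.17 and leaves the DNS Allow line out; the `length`/`ttl` fields of the parsed Deny come back as 84 and 63, which is the point the second reply makes.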
