VPN service on iPad Wi-Fi, traffic does not appear in Traffic Monitor, App Control does not drop
iPad connected to an SSID with a separate VLAN via an AP420 and routed to a policy with App Control on and set to drop all VPN services. The policy that should control it is a UDP-TCP policy, Port 0 (any); under Properties, logging is set to "Send Log message".
On the iPad, this VPN service installs from the App Store as "ZeroTier One" and also appears in the General settings under VPN. The service / app uses a static IP to connect (not a URL), and appears to communicate via UDP. The session appears to create its own virtual MAC address and make this connected device part of a broadcast network (multicast).
In my attempt to observe the traffic, filtering the Traffic Monitor on the DHCP IP of this device, I see lots of normal traffic including 443 but nothing related to this VPN service / static IP. I did the same for the static IP in the VPN service config, but no traffic appears. I toggle the VPN service on and off on the device repeatedly; it connects successfully, but nothing shows in the traffic logs. Clearly there must be traffic, but the Traffic Monitor does not see it. Looking at a different problem not too long ago, I ran into a similar issue with SIP traffic not being logged or appearing in the Traffic Monitor.
The problems are: 1) I do not see any traffic related to this VPN service in the Traffic Monitor. 2) App Control should block but does NOT. 3) This is just one VPN service; how big of a hole is this? My assumption was that the WG was blocking all of these types of services.
Are there any changes I can make so that the traffic appears in the Traffic Monitor and App Control works / denies / drops?
Comments
Hi @lotty
If the iPad is connecting to a VPN, the only thing you'll see (if logging is on for that) is when the connection opens for the VPN (which is that 443 traffic). The iPad is encrypting its traffic over the tunnel, so you won't see anything else.
-James Carson
WatchGuard Customer Support
It looks like ZeroTier One uses UDP port 9993.
So try blocking that.
Add a Custom Packet filter for UDP port 9993. Set the policy From: that VLAN, To: Any-external, set to Denied.
Note:
By default, the firewall will only display denied packets or packets from which content is stripped, etc. To see packets allowed, you need to turn on Logging on desired policies.
Application Control does not have a signature for everything.
You can see the VPN types which App Control can detect by looking at the 50 entries in the "Tunneling and proxy services" section of App Control.
Why doesn't the initial connection flash through the Traffic Monitor?
Read my Note above.
I did .. but as I indicated in my original post: "policy that should control is UDP-TCP policy Port 0(any), under properties logging is set to 'Send Log message'".
I would think this would cause this traffic to display / flash through the Traffic Monitor ..
Then that indicates that some other policy, higher up in the policy list, is allowing this traffic.
I have logging turned on for every policy.
Then you should open a support incident to get help from a WG rep in resolving this.
You can add an Any packet filter From: the IP addr of the iPad To: Any-external, with logging on.
Make this the 1st policy in your list.
If you are using the Web UI, it has a limited number of log entries shown in Traffic Monitor.
With lots of logging enabled, you may well miss seeing traffic from a specific IP addr.
You can enter an IP addr in the Traffic Monitor Search field, which should help.
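As an added example, not from anyone in this thread or from WatchGuard, here is a small Python model of first-match policy ordering. It shows why a specific UDP 9993 deny has to sit above the broad UDP-TCP Port 0 allow before it can match (or log) the ZeroTier flow; the VLAN, addresses and flows are constructed.

```python
# Added example, not from the thread: a toy first-match policy engine that
# models WatchGuard-style policy ordering. VLAN, IPs and flows are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_VLAN = ip_network("10.20.0.0/24")  # assumed iPad VLAN (constructed)
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    """Stand-in for 'Any-external': anything outside RFC 1918 space."""
    return not any(ip_address(ip) in n for n in PRIVATE)

@dataclass
class Policy:
    name: str
    proto: str   # "udp", "tcp" or "any"
    port: int    # 0 = any port, as in the poster's UDP-TCP Port 0 policy
    action: str  # "allow" or "deny"
    log: bool    # "Send Log message" on or off

    def matches(self, flow):
        src, dst, proto, dport = flow
        if ip_address(src) not in LAN_VLAN or not is_external(dst):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.port == 0 or self.port == dport

def evaluate(policies, flow):
    """First matching policy wins; return (policy name, action, logged)."""
    for p in policies:
        if p.matches(flow):
            return p.name, p.action, p.log
    return "implicit-deny", "deny", True

# Constructed flows from the iPad: HTTPS, and a ZeroTier UDP 9993 session.
HTTPS_FLOW = ("10.20.0.55", "203.0.113.10", "tcp", 443)
ZT_FLOW = ("10.20.0.55", "198.51.100.7", "udp", 9993)
ANY_ALLOW = Policy("UDP-TCP any", "any", 0, "allow", log=True)
ZT_DENY = Policy("Deny ZeroTier UDP 9993", "udp", 9993, "deny", log=True)

def before():
    # Broad allow above the specific deny: the deny never gets a chance to match.
    return evaluate([ANY_ALLOW, ZT_DENY], ZT_FLOW)

def after():
    # Specific deny moved to the top of the list.
    return evaluate([ZT_DENY, ANY_ALLOW], ZT_FLOW)
```

The same ordering logic is why the suggested logging "Any" filter for the iPad's IP only helps if it is the first policy in the list.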
I guess I will need to open a ticket with support.
I will try your suggestion on the Any Packet Filter.
I had a similar issue with SIP traffic and ran that through support, and what came back was that certain traffic is NOT logged and it is a known issue. My gut is that will be the answer here. I will look up those case numbers and add that as a note in my case.
You can do packet captures on your firewall using TCP Dump, including for just a specific IP addr.
Look at the "Run Diagnostic Tasks" and "About TCP Dump Arguments" sections:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html
Yes ... that is the route I am working on. I will post back any conclusions.