IP BLOCKED

Hello,

A strange thing happens to us with a policy: we have a server in RDP inside our network, and access is allowed only to certain IPs (2). Strangely, one of these is always blocked with the following log:

2021-08-11 10:28:50 Deny xxxx 192.168.0.7 rdp / tcp 65059 3389 WAN Firebox blocked sites (reason = autoblock by policy) 48 121 (TE ******* A ***** RDP- 00) proc_id = "firewall" rc = "101" msg_id = "3000-0173" dst_ip_nat = "192.168.2.11" tcp_info = "offset 7 S 1106377888 win 32" geo_src = "ITA" Traffic

I don't understand where this "autoblock by policy" came from.

Comments

  • You can get this if you have a policy that is set to Denied for TCP port 3389

  • I imagined, but the block comes from the same policy; here is the complete log:

    2021-08-11 10:28:50 Deny xxxx 192.168.0.7 rdp / tcp 65059 3389 WAN Firebox blocked sites (reason = autoblock by policy) 48 121 (TEAMSYSTEM ALYANTE RDP-00) proc_id = "firewall" rc = "101" msg_id = "3000-0173" dst_ip_nat = "192.168.2.11" tcp_info = "offset 7 S 1106377888 win 32" geo_src = "ITA" Traffic

    There are no other policies that refer to port 3389 except an internal one, but set only by trusted to internat rdp 3389.

  • I suppose that this log message could be created if the packet is from an IP addr not on your list of allowed IP addrs on that policy.

    Look at the log message definition here. Search for 30000173 - no dash in the log message ID.
    https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/Log-Catalog_v12_7.pdf

  • Thanks Bruce,

    I had already seen it, but in fact the IP is in the rule.

  • Time for a support incident

  • james.carson Moderator, WatchGuard Representative

    The line that says "autoblock by policy" suggests this ended up in your blocked sites list somehow. If you take a look at your blocked sites list in Firebox System Manager, it should show more info on why it ended up there, if that's the case.

    -James Carson
    WatchGuard Customer Support

  • Thank you,

    In fact it is just that I do not understand why, despite being in the list of IPs allowed in the policy, it is blocked; the problem is that it does not always occur, only every now and then.

    Thank you both

  • You can add that IP addr to the Blocked Sites Exceptions list.

    Some other config setting is causing that IP addr to end up on the temp Blocked Sites list - perhaps auto-block source of unhandled external packets
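
Added example, not part of the thread and not WatchGuard tooling: a Python triage script for exported traffic-log lines of the shape quoted above, counting Deny entries with reason "autoblock by policy" whose source address is on the policy's allow list. The field layout is inferred from the quoted line, and the allow list, IP addresses and sample lines are constructed.

```python
import re
from collections import Counter

# Field layout inferred from the log line quoted in the thread (assumption,
# not WatchGuard's documented grammar). Spaces around "=" and "/" are optional.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) '
    r'(?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) ?/ ?(?P<proto>\S+) '
    r'(?P<sport>\d+) (?P<dport>\d+) (?P<in_if>\S+) (?P<out_if>\S+) (?P<rest>.*)$')
REASON_RE = re.compile(r'\(reason\s*=\s*([^)]*)\)')
KV_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def parse_line(line):
    """Return a dict of fields, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    reason = REASON_RE.search(rest)
    rec["reason"] = reason.group(1).strip() if reason else None
    rec.update(KV_RE.findall(rest))  # proc_id, rc, msg_id, ...
    return rec

def autoblocked_allowed_sources(lines, allowed_ips):
    """Count 'autoblock by policy' denies whose source is on the allow list."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if (rec["action"] == "Deny" and rec["reason"] == "autoblock by policy"
                and rec["src"] in allowed_ips):
            hits[rec["src"]] += 1
    return hits

# Constructed sample data: documentation-range IPs, hypothetical allow list.
ALLOWED = {"203.0.113.10", "198.51.100.20"}
TAIL = ' 48 121 (RDP-00) proc_id = "firewall" rc = "101" msg_id = "3000-0173"'
SAMPLE = [
    "2021-08-11 10:28:50 Deny 203.0.113.10 192.168.0.7 rdp / tcp 65059 3389 "
    "WAN Firebox blocked sites (reason = autoblock by policy)" + TAIL,
    "2021-08-11 10:29:02 Allow 198.51.100.20 192.168.0.7 rdp / tcp 51000 3389 "
    'WAN Trusted Allowed 48 121 (RDP-00) proc_id = "firewall"',
    "2021-08-11 10:31:15 Deny 192.0.2.77 192.168.0.7 rdp/tcp 40000 3389 "
    "WAN Firebox blocked sites (reason = autoblock by policy)" + TAIL,
    "2021-08-11 10:41:07 Deny 203.0.113.10 192.168.0.7 rdp / tcp 65101 3389 "
    "WAN Firebox blocked sites (reason = autoblock by policy)" + TAIL,
]

if __name__ == "__main__":
    for ip, n in autoblocked_allowed_sources(SAMPLE, ALLOWED).items():
        print(f"{ip}: {n} autoblock denies despite being on the allow list")
```

The timestamps of the hits give the window in which to look for whatever put the address on the Blocked Sites list.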
