FWAllowEnd in the logs for geo_src that is blocked

M370 running 12.71.1

While perusing the logs, I saw a FWAllowEnd entry with a geo_src= for a country code that is not allowed. When I searched the logs for an exact match of geo_src=XXX (country that is blocked), I discovered many blocked packets with a disposition of denied (mostly unhandled packets, with a few for geolocation), but there were a few FWAllowEnd entries. The ID is 30000151 - Traffic connection terminated.

If I search for the src_ip of the FWAllowEnd entries, I do not see any initiating connection that would have eventually produced the FWAllowEnd entry. The bytes sent are from 51 bytes to 447 bytes.

First off, are others registering these types of entries for blocked countries, and second, can someone explain why these entries are logged even if the source IP is from a country code that is blocked?
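As an added example (not part of the original post, and not WatchGuard code), here is a small Python script that does the correlation described above: it scans log lines for FWAllowEnd entries whose geo_src is a blocked country and reports the ones that have no preceding connection-start (FWAllow) entry for the same src_ip. The log lines and the key=value field names (msg, src_ip, geo_src, sent_bytes) are constructed, simplified stand-ins for real Firebox output, so adjust the parser to your actual log format before use.

```python
import re

# Constructed, simplified sample log lines in a key=value style (not real Firebox output).
# 192.0.2.44 has an FWAllowEnd but no FWAllow start; 192.0.2.88 has both.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 msg=FWAllow src_ip=198.51.100.7 geo_src=USA dst_ip=203.0.113.9 sent_bytes=0
2024-05-01T10:00:05 msg=FWDeny src_ip=192.0.2.44 geo_src=XXX disposition=denied reason=geolocation
2024-05-01T10:00:09 msg=FWAllowEnd src_ip=192.0.2.44 geo_src=XXX dst_ip=203.0.113.9 sent_bytes=51
2024-05-01T10:00:10 msg=FWAllow src_ip=192.0.2.88 geo_src=XXX dst_ip=203.0.113.9 sent_bytes=0
2024-05-01T10:00:12 msg=FWAllowEnd src_ip=192.0.2.88 geo_src=XXX dst_ip=203.0.113.9 sent_bytes=447
2024-05-01T10:00:20 msg=FWAllowEnd src_ip=198.51.100.7 geo_src=USA dst_ip=203.0.113.9 sent_bytes=1200
"""

# Matches key=value pairs; values may be bare tokens or double-quoted strings.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one log line into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def find_orphan_allow_ends(log_text, blocked_geo):
    """Return FWAllowEnd entries from a blocked geo_src that were never preceded
    by an FWAllow (connection start) entry for the same src_ip.

    These are the entries worth pasting into a support case: an allow-end with
    no matching start, from a source the geolocation policy should have denied.
    """
    started = set()   # src_ips for which a connection start has been seen
    orphans = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue  # blank or unparseable line
        msg = entry.get("msg")
        if msg == "FWAllow":
            started.add(entry.get("src_ip"))
        elif msg == "FWAllowEnd" and entry.get("geo_src") in blocked_geo:
            if entry.get("src_ip") not in started:
                orphans.append(entry)
    return orphans


if __name__ == "__main__":
    for e in find_orphan_allow_ends(SAMPLE_LOGS, {"XXX"}):
        print(f"orphan FWAllowEnd: src_ip={e['src_ip']} geo_src={e['geo_src']} "
              f"sent_bytes={e['sent_bytes']}")
```

Running it on the sample prints only the 192.0.2.44 entry: the 192.0.2.88 allow-end is explained by its earlier FWAllow, and the USA entry is not from a blocked country.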

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @CraigS
    There are other processes that run before geolocation that can deny traffic - if the system hasn't made it to the point where it does the lookup, the src may show an ambiguous allow for that specific thing.

    If you're running into a situation where traffic is being allowed that shouldn't be, I'd suggest opening a case and pasting the specific log(s) you're looking at so we can look into it more closely.

    -James Carson
    WatchGuard Customer Support
