When is allowed traffic logged

Hi,

Fireware 12.8.2U1

If traffic is allowed on a certain port, but the destination server/PC is not responding because the server/endpoint service is not running, why do I not get this allowed traffic logged in FSM when allowed traffic is set to be logged in the policy?

If traffic is disallowed, I get denied traffic logged, and when the endpoint/server is responding on the port, traffic is also logged.

Below is a test on remote port tcp/7168 where tcpdump shows this on the firewall, but FSM does not log anything.

13:25:09.285461 IP (tos 0x0, ttl 126, id 17551, offset 0, flags [none], proto TCP (6), length 52)
172.16.1.41.52634 > 10.100.1.27.7168: Flags [S], cksum 0x2dfb (correct), seq 906194436, win 64240, options [mss 1406,nop,wscale 8,nop,nop,sackOK], length 0
13:25:09.285959 IP (tos 0x0, ttl 128, id 10562, offset 0, flags [DF], proto TCP (6), length 40)
10.100.1.27.7168 > 172.16.1.41.52634: Flags [R.], cksum 0x6975 (correct), seq 0, ack 906194437, win 0, length 0
13:25:09.796078 IP (tos 0x0, ttl 126, id 17552, offset 0, flags [none], proto TCP (6), length 52)
172.16.1.41.52634 > 10.100.1.27.7168: Flags [S], cksum 0x2dfb (correct), seq 906194436, win 64240, options [mss 1406,nop,wscale 8,nop,nop,sackOK], length 0
13:25:09.796187 IP (tos 0x0, ttl 128, id 10563, offset 0, flags [DF], proto TCP (6), length 40)
10.100.1.27.7168 > 172.16.1.41.52634: Flags [R.], cksum 0x6975 (correct), seq 0, ack 1, win 0, length 0
13:25:10.306984 IP (tos 0x0, ttl 126, id 17553, offset 0, flags [none], proto TCP (6), length 52)
172.16.1.41.52634 > 10.100.1.27.7168: Flags [S], cksum 0x2dfb (correct), seq 906194436, win 64240, options [mss 1406,nop,wscale 8,nop,nop,sackOK], length 0
13:25:10.307074 IP (tos 0x0, ttl 128, id 10564, offset 0, flags [DF], proto TCP (6), length 40)
10.100.1.27.7168 > 172.16.1.41.52634: Flags [R.], cksum 0x6975 (correct), seq 0, ack 1, win 0, length 0
13:25:10.824609 IP (tos 0x0, ttl 126, id 17554, offset 0, flags [none], proto TCP (6), length 52)
172.16.1.41.52634 > 10.100.1.27.7168: Flags [S], cksum 0x2dfb (correct), seq 906194436, win 64240, options [mss 1406,nop,wscale 8,nop,nop,sackOK], length 0
13:25:10.824717 IP (tos 0x0, ttl 128, id 10565, offset 0, flags [DF], proto TCP (6), length 40)
10.100.1.27.7168 > 172.16.1.41.52634: Flags [R.], cksum 0x6975 (correct), seq 0, ack 1, win 0, length 0
13:25:11.329530 IP (tos 0x0, ttl 126, id 17555, offset 0, flags [none], proto TCP (6), length 52)
172.16.1.41.52634 > 10.100.1.27.7168: Flags [S], cksum 0x2dfb (correct), seq 906194436, win 64240, options [mss 1406,nop,wscale 8,nop,nop,sackOK], length 0
13:25:11.329640 IP (tos 0x0, ttl 128, id 10566, offset 0, flags [DF], proto TCP (6), length 40)
10.100.1.27.7168 > 172.16.1.41.52634: Flags [R.], cksum 0x6975 (correct), seq 0, ack 1, win 0, length 0

Regards
Robert

Comments

  • james.carson Moderator, WatchGuard Representative

    If it's a TCP connection (which it appears to be, since I'm seeing [S] (SYN) flags in your tcpdump), you won't get an allow log unless the TCP connection completes. This is by design.

    -James Carson
    WatchGuard Customer Support
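To make the visibility gap concrete, here is an added example (my own code, not WatchGuard's or the poster's) that classifies the TCP flows in a tcpdump capture by handshake state: a SYN answered by RST stays at "refused" and never reaches the "completed" state at which Fireware writes the allow entry. It assumes the `tcpdump -v` line format shown in the post, and uses two exchanges from that capture plus a constructed completed handshake for contrast.

```python
import re

# tcpdump -v prints each packet on two lines; the second carries addresses and TCP flags:
#   "172.16.1.41.52634 > 10.100.1.27.7168: Flags [S], cksum ..."
PKT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

def classify_flows(capture):
    """Map (client_ip, client_port, server_ip, server_port) -> handshake state.
    'syn_sent'  : only client SYNs seen (host silent or filtered)
    'refused'   : server answered the SYN with RST (port closed, service down)
    'syn_ack'   : SYN/ACK seen, final ACK not yet seen
    'completed' : three-way handshake finished; per the moderator's answer this is
                  the point at which Fireware writes the allow log entry for TCP"""
    states = {}
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue                     # header line or non-TCP, ignore
        sip, sport, dip, dport, flags = m.groups()
        fwd, rev = (sip, sport, dip, dport), (dip, dport, sip, sport)
        if flags == "S":                 # bare SYN: client opens (or retries) a flow
            states.setdefault(fwd, "syn_sent")
        elif rev in states:              # server -> client direction
            if "R" in flags:
                states[rev] = "refused"
            elif flags == "S." and states[rev] == "syn_sent":
                states[rev] = "syn_ack"
        elif states.get(fwd) == "syn_ack" and "." in flags and "R" not in flags:
            states[fwd] = "completed"    # client's ACK completes the handshake
    return states

def allowed_but_unlogged(capture):
    """Flows the policy passed that never reached the state FSM logs as an allow."""
    return sorted(f for f, s in classify_flows(capture).items() if s != "completed")

# First two packets from the tcpdump in the post above: SYN answered by RST.
PAGE_CAPTURE = """\
13:25:09.285461 IP (tos 0x0, ttl 126, id 17551, offset 0, flags [none], proto TCP (6), length 52)
172.16.1.41.52634 > 10.100.1.27.7168: Flags [S], cksum 0x2dfb (correct), seq 906194436, win 64240, options [mss 1406,nop,wscale 8,nop,nop,sackOK], length 0
13:25:09.285959 IP (tos 0x0, ttl 128, id 10562, offset 0, flags [DF], proto TCP (6), length 40)
10.100.1.27.7168 > 172.16.1.41.52634: Flags [R.], cksum 0x6975 (correct), seq 0, ack 906194437, win 0, length 0
"""

# Constructed capture (not from the post): the same client reaching a listening service.
OK_CAPTURE = """\
172.16.1.41.52700 > 10.100.1.27.7168: Flags [S], seq 1, win 64240, length 0
10.100.1.27.7168 > 172.16.1.41.52700: Flags [S.], seq 100, ack 2, win 65535, length 0
172.16.1.41.52700 > 10.100.1.27.7168: Flags [.], ack 101, win 64240, length 0
"""
```

Running `allowed_but_unlogged(PAGE_CAPTURE)` returns the one refused flow, which is exactly the traffic that passed the policy but left no entry in FSM; if you need a record of such attempts, a packet capture on the firewall or the destination host's own logs are where it will show up.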
