Unhandled despite firewall rule, alias and custom filter

I'm not sure if this is the proper spot for this so my apologies if it is not.

We have a T70 running 12.9.3 which is giving me some grief.

  • I've defined a custom port template which includes a range of ports UDP 8500-8700.
  • I've defined an alias containing all the destinations applicable to that template
  • I've created the rule set it to allow, and removed IPS, application control, and geolocation

There are two IPs that are defined within the alias in particualr that 100% of the time traffice to those IPs that should be allowed are denied on the basis of being unhandled despite being defined within the alais. If I put those two IP addresses directly in the To field of the firewall rule then the occurance of the IPs being flagged as unhandled drops to about 25%.

In any case I need all of that traffic to go through, and I can't figure out why something that has been defined as allowable traffic is getting denied for being unhandled when I've handled it.


  • Options

    Note that the denies are not for 8500-8700 , but are for ports such as 17550, 17551.

    The column next to the dest IP addr (i.e. 17550/udp), shows the destination port and protocol.
    The next column after that is the source port, then the dest port again.

    In WatchGuard System Manager -> Firebox System Manager -> Traffic Monitor, you can show the log fields names:
    Change Traffic Monitor Settings

    I am not aware of such a setting in the Web UI.

  • Options

    There is a reasonable likelihood that the denied are reply packets, given that the dest IP addr matches and the source port is from the expected udp port range.
    If so, the probable reason is that the firewall not longer has a match its session tables for the denied packets.
    There are many possible reasons for this - so it is hard to tell why without understanding the packet flow for the application involved.

    One often sees this type of deny for web browser sessions, especially when the web browser instance is ended by the user.

  • Options
    I should probably mention that this is all for outgoing webex traffic. So the calls wind up with no audio when initiated, not even ring sounds.

    I've got two other sites, one with an m270 the other with a t25, set up exactly the same way, without any unhandled packets.

    I'll test opening ports 17550 and the other denied ports tomorrow for testing.
  • Options

    Doubtful that doing so will help.
    Look at the dest port for the denies to .244.44.68 - different ranges etc.

    Could be some sort of bug in V12.9.3.
    What Fireware version is on the M270? If not V12.9.3, consider opening a support case on this.

  • Options

    Do you have UDP port 9000 open?

    I see references to it being used by Webex.

  • Options

    Yep, here's the complete list for the rule. 443 and 80 are open through proxy rules as well.

  • Options

    I'm not sure what happened here. We had a planned outtage in the office last night, and this morning when I come in all of the deny entries for the unhandled exceptions of ports 8500-8700 have vanished.

    Is it really possible that there was something hung up in the system that a restart could have fixed?

  • Options

    Sometimes magic just happens.

Sign In to comment.