Policy Hit Count for Deny Rule 0 hits 3000GB data per day

Hi everyone,

We have a deny rule for our Proxy Server so they don't reach our Banking Software over HTTP/S and only directly allowed clients can access it.

Our Dimension Server (Version 2.2.2 (684479)) shows under "Reports -> Device -> Policy Usage" 0 hits for this policy but 2900GB of data.

How can this be possible?
We don't see any entries in Log Search for this policy.

Answers

  • james.carson Moderator, WatchGuard Representative

    Hi @exp

    If you're using a proxy deny rule, the Firebox redirects downloads to itself because it can't always stop them.

    For example:
    If you've set a specific type of response to deny, or disallow specific file types:
    - The firewall will see the HTTP/S GET request.
    - The response will come back and if it does not meet the conditions in the HTTP/S response, the firewall will deny it to the client, and send the data stream to itself. It will usually attempt to reset the connection to get the data to stop, but this does not always work.

    I would suggest using a packet filter to deny the connection to clients you don't want connecting to that server. Doing so will prevent them from making an initial connection altogether.

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    Sorry if this was unclear.
    We have an on-premise (McAfee) Proxy Server Cluster for our ShareHolder within an MPLS. Only our employees at our location are using the WatchGuard Proxy Action.

    The deny rule is a packet filter rule for HTTP.
    We also have a second deny rule for HTTPS traffic.
    But only the HTTP rule shows data in the Policy Usage report.
    The HTTPS deny rule shows 0 hits / zero data.

    Also, if there were traffic for this rule, shouldn't I see hits for this rule and find the connection attempts in the logs?

    When I manually test the deny policy, the hit count goes up and I find these connection attempts in the logs.

  • james.carson Moderator, WatchGuard Representative

    Hi @exp

    I'd suggest opening a support case so that our team can take a look at your ruleset and see what might be going on. Proxy would be the most common reason for this, but it may also be deny pages, authentication pages, or something else.

    -James Carson
    WatchGuard Customer Support

  • Thanks, James, for the info.
    I will create a support case soon.
