What is being denied here?

Hi

Fireware 12.10.4

Can anybody tell me what is being denied here?

2024-08-14 13:14:15 Deny a.b.c.d 23.40.108.128 https/tcp 51304 443 Firebox Firebox Denied by proxy (HTTPS proxy Internal networks-OUT-00) proc_id="firewall" rc="401" msg_id="3000-0175" src_ip_nat="1.2.3.4" src_user="USR" flags="SD" duration="432" sent_pkts="36" rcvd_pkts="36" sent_bytes="5182" rcvd_bytes="158306" geo_dst="DNK" Traffic

/Robert

Comments

  • I interpret this to be a session summary log message, such as those created when the "Enable logging for reports" option is selected, since there is no msg= section and there are sent_pkts & rcvd_pkts etc. in the log record.

    I would expect that there is some prior deny log message for the session which shows the reason that this session is shown as denied in this log message.

  • @Bruce_Briggs said:
    I interpret this to be a session summary log message, such as those created when the "Enable logging for reports" option is selected, since there is no msg= section and there are sent_pkts & rcvd_pkts etc. in the log record.

    I would expect that there is some prior deny log message for the session which shows the reason that this session is shown as denied in this log message.

    Well, I could not find any other traffic being denied - but I could be wrong as there is quite some traffic going on here.

  • You can search on the source port and match with the source or dest IP addr.

  • edited August 15

    I think you are right as the last log I see at 13:13:29 is:

    ProxyMatch
    ProxyDeny: HTTP client request timeout
    pri=6
    disp=Deny
    policy=HTTPS-proxy-Internal-networks-OUT-00
    protocol=https/tcp
    src_ip=1.2.3.4
    src_port=51304
    dst_ip=23.40.108.128
    dst_port=443
    src_intf=WebshopAarhus
    dst_intf=External-ACL-21672
    rc=595
    src_user=USR
    1AFF-0002
    geo_dst=DNK
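
The correlation worked out in the thread above (find the earlier proxy event behind a denied session summary by source port and destination address), as an added example that is not part of the original posts and is not WatchGuard code. The one-line layout of the constructed proxy event and the reading of `duration` as seconds are assumptions; `parse` and `explain_denied_summaries` are hypothetical helper names.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. Line 3 is the summary from the question; lines 1-2 are
# rebuilt from fields quoted in the thread (their one-line layout is assumed).
SAMPLE = '''\
2024-08-14 13:12:02 Deny 1.2.3.4 198.51.100.7 https/tcp 51304 443 WebshopAarhus External-ACL-21672 constructed decoy: same port, other destination
2024-08-14 13:13:29 Deny 1.2.3.4 23.40.108.128 https/tcp 51304 443 WebshopAarhus External-ACL-21672 ProxyDeny: HTTP client request timeout (HTTPS-proxy-Internal-networks-OUT-00) rc="595" msg_id="1AFF-0002" src_user="USR" geo_dst="DNK"
2024-08-14 13:14:15 Deny a.b.c.d 23.40.108.128 https/tcp 51304 443 Firebox Firebox Denied by proxy (HTTPS proxy Internal networks-OUT-00) proc_id="firewall" rc="401" msg_id="3000-0175" src_ip_nat="1.2.3.4" src_user="USR" flags="SD" duration="432" sent_pkts="36" rcvd_pkts="36" sent_bytes="5182" rcvd_bytes="158306" geo_dst="DNK" Traffic
'''

HEAD = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<disp>\w+) (?P<src>\S+) '
    r'(?P<dst>\S+) (?P<proto>\S+) (?P<sport>\d+) (?P<dport>\d+) (?P<rest>.*)$')
KV = re.compile(r'(\w+)="([^"]*)"')

def parse(line):
    m = HEAD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(KV.findall(rec["rest"]))  # key="value" pairs after the header
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    # Session summaries carry a duration and packet counters, per the thread.
    rec["summary"] = "duration" in rec and "sent_pkts" in rec
    return rec

def explain_denied_summaries(lines, slack=timedelta(seconds=5)):
    """Pair each denied session summary with earlier events of that session."""
    recs = [r for r in map(parse, lines) if r]
    pairs = []
    for s in recs:
        if not (s["summary"] and s["disp"] == "Deny"):
            continue
        # Assumption: duration is in seconds, so the session began that long ago.
        start = s["ts"] - timedelta(seconds=int(s["duration"])) - slack
        # Match on source port + destination, not source IP, which may be NATed.
        key = (s["sport"], s["dst"], s["dport"])
        causes = [r for r in recs if not r["summary"]
                  and (r["sport"], r["dst"], r["dport"]) == key
                  and start <= r["ts"] <= s["ts"]]
        pairs.append((s, causes))
    return pairs

if __name__ == "__main__":
    for summary, causes in explain_denied_summaries(SAMPLE.splitlines()):
        print("summary", summary["ts"], "msg_id", summary["msg_id"])
        for c in causes:
            print("  earlier:", c["ts"], c["rest"])
```

A summary that comes back with an empty list of earlier events is the case to chase further, for example by widening the time window or checking whether the original event was logged at all.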
