block rule not working as expected
M270 + FW 12.11.5
WG advisory says this version clears the recent iked problem:
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
"Account lockout" and "block failed logins" are enabled in Policy Manager > Setup > Authentication.
Deny rules including 147.185.132.0/24 are on top in Policy Manager and work as expected most of the time,
e.g.:
2026-01-03 19:06:09 FWDeny, Denied, pri=4, disp=Deny, policy=EXCEPTION-TOP-Drop-block-paloaltonetworks-00, protocol=webcache/tcp, src_ip=147.185.132.4, src_port=50279, dst_ip=m.y.i.p, dst_port=8080, src_intf=EXT-BUSINESS, dst_intf=Firebox, rc=101, pckt_len=44, ttl=250, pr_info=offset 6 S 2232048525 win 65535, duration=0; sent_bytes=44; rcvd_bytes=0, 3000-0148, geo_src=USA; geo_dst=USA
This concerns me.
I think it's saying 147.185.132.4 got past the block rule and then hit an L2TP rule?
2026-01-03 19:10:29 iked (m.y.i.p<->147.185.132.4)******** RECV an IKE packet at m.y.i.p:500(socket=14 ifIndex=6) from Peer 147.185.132.4:64440 ********
2026-01-03 19:10:29 iked (m.y.i.p<->147.185.132.4)Phase 1 started by peer with policy [L2TP-IPSec_l2] from 147.185.132.4:64440 main mode
No block action was logged afterwards, and I'm not ready to disable L2TP.
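As an added illustration (not part of the original post and not a WatchGuard tool), here is a small Python script that reads exported Firebox log lines in the two shapes quoted above and flags any IKE Phase 1 negotiation started by a peer inside a network that a deny policy is supposed to drop. The sample lines are constructed from the ones in the post: the redacted firewall address is replaced with the documentation address 203.0.113.10, and a second peer at 198.51.100.7 is invented to show a non-blocked negotiation. The regular expressions only cover the FWDeny and "Phase 1 started by peer" line formats shown here.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample log lines, modelled on the lines quoted in the post.
# 203.0.113.10 stands in for the redacted firewall address; 198.51.100.7 is an
# invented peer that is NOT in the blocked range.
SAMPLE_LOG = """\
2026-01-03 19:06:09 FWDeny, Denied, pri=4, disp=Deny, policy=EXCEPTION-TOP-Drop-block-paloaltonetworks-00, protocol=webcache/tcp, src_ip=147.185.132.4, src_port=50279, dst_ip=203.0.113.10, dst_port=8080, src_intf=EXT-BUSINESS, dst_intf=Firebox, rc=101, pckt_len=44, ttl=250, pr_info=offset 6 S 2232048525 win 65535, duration=0; sent_bytes=44; rcvd_bytes=0, 3000-0148, geo_src=USA; geo_dst=USA
2026-01-03 19:10:29 iked (203.0.113.10<->147.185.132.4)******** RECV an IKE packet at 203.0.113.10:500(socket=14 ifIndex=6) from Peer 147.185.132.4:64440 ********
2026-01-03 19:10:29 iked (203.0.113.10<->147.185.132.4)Phase 1 started by peer with policy [L2TP-IPSec_l2] from 147.185.132.4:64440 main mode
2026-01-03 19:12:01 iked (203.0.113.10<->198.51.100.7)Phase 1 started by peer with policy [L2TP-IPSec_l2] from 198.51.100.7:500 main mode
"""

# The network the deny policy in the post is meant to drop.
BLOCKED_NETS = [ipaddress.ip_network("147.185.132.0/24")]

# FWDeny traffic-log line: timestamp, deny policy name, source address.
DENY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) FWDeny, .*?disp=Deny, policy=(?P<policy>[^,]+), "
    r".*?src_ip=(?P<src>[\d.]+), "
)
# iked diagnostic line for an inbound IKE main-mode negotiation.
IKE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) iked \([^)]*\)Phase 1 started by peer with policy "
    r"\[(?P<policy>[^\]]+)\] from (?P<src>[\d.]+):(?P<sport>\d+)"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_events(log_text):
    """Return (timestamp, kind, src_ip, policy) tuples for the two line types
    we care about; every other line (e.g. the RECV line) is ignored."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), "deny", m["src"], m["policy"]))
            continue
        m = IKE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), "ike_phase1", m["src"], m["policy"]))
    return events


def in_blocked_net(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_ike_from_blocked(events, nets):
    """IKE Phase 1 negotiations initiated by a peer inside a network the deny
    policy should have dropped. Each hit is a source whose UDP/500 traffic was
    accepted by some policy evaluated before the deny rule, even though other
    traffic from the same source was denied (denies_seen)."""
    hits = []
    for ts, kind, src, policy in events:
        if kind == "ike_phase1" and in_blocked_net(src, nets):
            denies = sum(1 for e in events if e[1] == "deny" and e[2] == src)
            hits.append({"ts": ts, "src": src, "ike_policy": policy, "denies_seen": denies})
    return hits


if __name__ == "__main__":
    for hit in find_ike_from_blocked(parse_events(SAMPLE_LOG), BLOCKED_NETS):
        print(f"{hit['ts']} IKE Phase 1 from blocked source {hit['src']} "
              f"(VPN policy {hit['ike_policy']}, {hit['denies_seen']} FWDeny lines for same source)")
```

Run it against a real log export by replacing SAMPLE_LOG with the file contents; any line it prints is a peer your deny policy did not stop on UDP/500, which is the symptom described in the post.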
Comments
There is a hidden default policy allowing IPSec, which comes before your block policy.
Review this:
Configure Inbound IPSec Pass-through with SNAT
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/ipsec_pass-through_c.html
Thank you.