HTTP website not getting through firewall - not being "blocked"

Firebox M370 / FW 12.4.1 / WSM 12.5.3

Our company's main web page www.harveyautomotive.com won't get through the firewall. The web page times out. My logs show everything as "allowed":

2021-03-17 10:42:08 Allow 10.249.115.9 206.188.192.38 http/tcp 53995 80 1-Trusted Network 0-123Net-0 Allowed 52 127 (HTTP-test-HA-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="15x.16x.xxx.xxx" tcp_info="offset 8 S 2888617378 win 61690" route_type="SD-WAN" geo_dst="USA" Traffic

2021-03-17 10:42:08 Allow 10.249.115.9 206.188.192.38 http/tcp 53996 80 1-Trusted Network 0-123Net-0 Allowed 52 127 (HTTP-test-HA-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="15x.16x.xxx.xxx" tcp_info="offset 8 S 1786347603 win 61690" route_type="SD-WAN" geo_dst="USA" Traffic

2021-03-17 10:42:09 Allow 10.249.115.9 206.188.192.38 http/tcp 53995 80 1-Trusted Network 0-123Net-0 Allowed 52 127 (HTTP-test-HA-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="15x.16x.xxx.xxx" tcp_info="offset 8 S 2888617378 win 61690" route_type="SD-WAN" geo_dst="USA" Traffic

If I bypass the M370 completely I get the web page.
I turned up the diagnostic logging and what you see above is all I get.

The policy I'm using, HTTP-test-HA, is a packet filter moved to the top of my policy order. My original policy was a custom policy with only geolocation on.

Is there a known issue I need to upgrade for?
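The three log lines above carry a clue the Firebox itself never states: entries one and three are the same flow (source port 53995) with the same TCP sequence number in tcp_info, i.e. the client retransmitting its SYN because no SYN-ACK came back. Since the firewall only logs the outbound packet, spotting that repeat is the closest the traffic log gets to showing a dead return path. The following script is an added example (not from the thread or from WatchGuard) that parses lines in the format shown, groups bare SYNs by flow and initial sequence number, and reports flows whose SYN was seen more than once. The fourth sample line, a single healthy SYN on port 54001, is constructed for contrast.

```python
import re
from collections import Counter

# Sample input: the three Firebox traffic-log lines from the post, plus one
# CONSTRUCTED healthy flow (port 54001, one SYN only) for contrast.
SAMPLE_LOG = """\
2021-03-17 10:42:08 Allow 10.249.115.9 206.188.192.38 http/tcp 53995 80 1-Trusted Network 0-123Net-0 Allowed 52 127 (HTTP-test-HA-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="15x.16x.xxx.xxx" tcp_info="offset 8 S 2888617378 win 61690" route_type="SD-WAN" geo_dst="USA" Traffic
2021-03-17 10:42:08 Allow 10.249.115.9 206.188.192.38 http/tcp 53996 80 1-Trusted Network 0-123Net-0 Allowed 52 127 (HTTP-test-HA-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="15x.16x.xxx.xxx" tcp_info="offset 8 S 1786347603 win 61690" route_type="SD-WAN" geo_dst="USA" Traffic
2021-03-17 10:42:09 Allow 10.249.115.9 206.188.192.38 http/tcp 53995 80 1-Trusted Network 0-123Net-0 Allowed 52 127 (HTTP-test-HA-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="15x.16x.xxx.xxx" tcp_info="offset 8 S 2888617378 win 61690" route_type="SD-WAN" geo_dst="USA" Traffic
2021-03-17 10:42:10 Allow 10.249.115.9 206.188.192.38 http/tcp 54001 80 1-Trusted Network 0-123Net-0 Allowed 52 127 (HTTP-test-HA-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="15x.16x.xxx.xxx" tcp_info="offset 8 S 1122334455 win 61690" route_type="SD-WAN" geo_dst="USA" Traffic
"""

# Fields are positional up to the destination port; the TCP flags and the
# sequence number live inside the quoted tcp_info="offset N FLAGS SEQ win W".
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<disp>\S+) '
    r'(?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) (?P<sport>\d+) (?P<dport>\d+) '
    r'.*?tcp_info="offset \d+ (?P<flags>[A-Z]+) (?P<seq>\d+) win \d+"'
)


def parse_line(line):
    """Return a dict of the fields we need, or None if the line is not a
    TCP traffic-log entry in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["seq"] = int(rec["seq"])
    return rec


def find_stalled_syns(log_text, min_repeats=2):
    """Map (src, sport, dst, dport) -> number of times the SAME initial SYN
    (same sequence number) was logged. A bare SYN is only ever resent when
    the client got no SYN-ACK, so any flow reaching min_repeats is one where
    the reply path failed even though the firewall allowed the request."""
    seen = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flags = rec["flags"]
        if "S" not in flags or "A" in flags:
            continue  # only bare SYNs start a handshake; skip SYN-ACK/ACK/data
        flow = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        seen[(flow, rec["seq"])] += 1
    return {flow: n for (flow, _seq), n in seen.items() if n >= min_repeats}


def stalled_destinations(log_text):
    """Roll the per-flow result up to destination IP:port, which is the
    granularity at which you would open a ticket with the hosting provider."""
    per_dst = Counter()
    for (_src, _sport, dst, dport) in find_stalled_syns(log_text):
        per_dst[(dst, dport)] += 1
    return dict(per_dst)


if __name__ == "__main__":
    for flow, n in find_stalled_syns(SAMPLE_LOG).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: SYN sent {n}x, no reply seen")
    print("destinations with stalled handshakes:", stalled_destinations(SAMPLE_LOG))
```

Run it against a longer export of the traffic log (Traffic Monitor or a syslog collector) and the flows it lists are the ones to confirm with a packet capture on the test PC or TCP Dump on the Firebox, where the missing SYN-ACK, or an unexpected RST or ICMP error, becomes visible.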

Comments

  • I can access your web site

  • How are you testing this?

  • From a desktop that goes through our Firebox and an HTTP policy.
    A test PC I have that 'doesn't' go through our Firebox does access our website.

  • This web site looks to be hosted externally.
    Since I can access this site through my firewall using a HTTP proxy, I can't see a reason that your site can't access it.

    There is no way to have the firewall log reply packets, so a packet capture may show something to help.
    You can do one on a test PC, or on the firewall using TCP Dump.

    A tracert to www.harveyautomotive.com works for me.
    If tracerts from your end can't get to the web site OK, you can also contact the hosting company and see if there is something at their end which is blocking packets from you.

    C:\Users\Bruce>tracert www.harveyautomotive.com

    Tracing route to www.harveyautomotive.com [206.188.192.38]
    over a maximum of 30 hops:

    1 11 ms 5 ms 5 ms Bruce_T20 [10.0.1.1]
    2 13 ms 14 ms 13 ms 96.120.37.77
    3 29 ms 15 ms 15 ms 68.85.231.121
    4 20 ms 15 ms 14 ms ae-17-ar02.stuart.fl.pompano.comcast.net [162.151.2.161]
    5 24 ms 19 ms 22 ms be-40-ar01.northdade.fl.pompano.comcast.net [68.86.165.161]
    6 23 ms 21 ms 22 ms be-20214-cr02.miami.fl.ibone.comcast.net [68.86.90.205]
    7 24 ms 21 ms 20 ms be-12297-pe03.nota.fl.ibone.comcast.net [68.86.82.70]
    8 22 ms 22 ms 22 ms 50.208.232.58
    9 21 ms 19 ms 23 ms 108.162.213.74
    10 19 ms 19 ms 22 ms 108.162.213.171
    11 * * * Request timed out.
    12 36 ms 35 ms 37 ms 209.17.112.38
    13 36 ms 32 ms 33 ms vux.netsolhost.com [206.188.192.38]

    Trace complete.

  • You could also disable the SD-WAN setting on this HTTP policy, and see if there is any change.

  • Bruce,
    Thanks for the reply and added insight as always.
    Somewhere between answering your first comment and now, the website is working ok.

    I'm going to assume somewhere out on the internet there was a network issue. It didn't make sense why my test PC connected directly to my Comcast modem got to the website and my network PC through the firewall wouldn't.

  • tracert is a useful tool which can help identify external network issues.
