Logs flooded "Any from firebox"

Hi,

I don't know where to cut off log entries like these: (DNS logging is not activated)

2019-06-19 17:15:42 Allow 172.20.x.x 172.20.x.x dns/udp 56889 53 1-LAN Firebox DNS Forwarding 70 128 (Internal Policy) proc_id="firewall" rc="100" msg_id="3000-0148" record_type="A" question="www.google.de" Traffic
2019-06-19 17:15:42 Allow 195.145.x.x 34.251.171.117 dns/udp 45738 53 Firebox 5-10MBit-TK Allowed 70 64 (Any From Firebox-00) proc_id="firewall" rc="100" msg_id="3000-0148" geo_src="DEU" geo_dst="IRL" Traffic
2019-06-19 17:15:42 Allow 172.20.x.x 172.20.x.x dns/udp 57257 53 1-LAN Firebox DNS Forwarding 72 128 (Internal Policy) proc_id="firewall" rc="100" msg_id="3000-0148" record_type="A" question="www.gstatic.com" Traffic
2019-06-19 17:15:42 Allow 195.145.x.x 34.251.171.117 dns/udp 62802 53 Firebox 5-10MBit-TK Allowed 72 64 (Any From Firebox-00) proc_id="firewall" rc="100" msg_id="3000-0148" geo_src="DEU" geo_dst="IRL" Traffic
2019-06-19 17:15:42 Allow 172.20.x.x 172.20.x.x dns/udp 56798 53 1-LAN Firebox DNS Forwarding 74 128 (Internal Policy) proc_id="firewall" rc="100" msg_id="3000-0148" record_type="A" question="www3.l.google.com"

Answers

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi Docmokel,

    The setting for firebox generated logs should be in the logging settings:

    (About Policies for Firebox-Generated Traffic)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/policies_firebox_generated_traffic_about.html

    Logging for the Any-From-Firebox policy is controlled by the Enable logging for traffic sent from this device check box. You can find this check box in the global logging settings:

    --Web UI — System > Logging > Settings
    --Policy Manager — Setup > Logging > Diagnostic Log Level

    Do those logs stop if you flip that setting off?

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Hi James,
    great, that does the trick!
    Many thanks!

  • Hello James,

    maybe you can also help me out with those DNS forwarding messages:

    2019-06-20 12:19:50 Allow 172.20.x.x 172.20.x.x dns/udp 61700 53 1-LAN Firebox DNS Forwarding 84 128 (Internal Policy) proc_id="firewall" rc="100" msg_id="3000-0148" record_type="A" question="partnerad.l.doubleclick.net" Traffic
    2019-06-20 12:19:50 Allow 172.20.x.x 172.20.x.x dns/udp 63435 53 1-LAN Firebox DNS Forwarding 79 128 (Internal Policy) proc_id="firewall" rc="100" msg_id="3000-0148" record_type="AAAA" question="tbone.trade-server.net" Traffic
    2019-06-20 12:19:50 Allow 172.20.x.x 172.20.x.x dns/udp 63119 53 1-LAN Firebox DNS Forwarding 86 128 (Internal Policy) proc_id="firewall" rc="100" msg_id="3000-0148" record_type="A" question="d16z38s472vlz5.cloudfront.net" Traffic
    2019-06-20 12:19:50 Allow 172.20.x.x 172.20.x.x dns/udp 62248 53 1-LAN Firebox DNS Forwarding 80 128 (Internal Policy) proc_id="firewall" rc="100" msg_id="3000-0148" record_type="A" question="e13136.g.akamaiedge.net" Traffic
    2019-06-20 12:19:50 Allow 172.20.x.x 172.20.x.x dns/udp 62136 53 1-LAN Firebox DNS Forwarding 80 128 (Internal Policy) proc_id="firewall" rc="100" msg_id="3000-0148" record_type="A" question="e13136.g.akamaiedge.net" Traffic
    2019-06-20 12:19:50 Allow 172.20.x.x 172.20.x.x dns/udp 62425 53 1-LAN Firebox DNS Forwarding 86 128 (Internal Policy) proc_id="firewall" rc="100" msg_id="3000-0148" record_type="AAAA" question="d16z38s472vlz5.cloudfront.net"

    Regards
    Heiko

  • It looks like you have Enable DNS Forwarding selected and have Enable DNS Forwarding Logging selected.
    Unselect Enable DNS Forwarding Logging to stop the logging of these.
    These options can be found on the Network -> Configuration -> WINS/DNS tab

  • Hello Bruce,
    logging is already disabled!

  • Time for a support incident

  • OK, feedback from WG-support: these log entries are unavoidable if "DNS Watch" is activated...

  • Interesting.
    I don't see these in Traffic Monitor when I have DNSWatch enabled. I see no DNS
    logging when DNSWatch is enabled.
    I'm running 12.2.5 beta - if that makes any difference.

    Do you use DNS forwarding - the firewall interface is the DNS server IP addr for clients ?
    I don't - so perhaps that is the difference between what you & I see.

  • RalphRalph WatchGuard Representative

    That's exactly it Bruce. We're working on decoupling DNSWatch logging from DNS Forwarding.

    https://watchguardsupport.secure.force.com/publicKB?type=KBKnownIssues&SFDCID=kA42A00000016GtSAI&lang=en_US

  • Hi Bruce,
    no, I use my internal DNS Server for my clients, but there I setup FB interface IP for all requests which cannot be resolved (as recommended by Watchguard)

  • edited June 2019

    "I setup FB interface IP for all requests which cannot be resolved"
    Try changing that to an ISP or Google DNS server, and see if those log entries go away.

    "(as recommended by Watchguard)"
    Where did you find this recommendation ?

  • Hi,

    now I'm lost.
    Just changed my config completely from "disable enforcement" to "enforce on all interfaces" an than disabled "DNS forwarding" in network config...., but still I get those log entries.
    @Bruce: my new config desribed above is now the same as you're using it, right? and you won't get any logs...?

  • The difference is that I do not forward DNS packets to a firewall IP addr.
    They go to an ISP DNS server IP addr.

  • Ah I see, sorry this topic confuses me...
    OK, now my DNS forwards to ISP DNS too.... but I still get the log entries!
    Maybe it's really the 12.5 beta.

Sign In to comment.