SmartView Tracker shows that Application Control blocked the traffic per the rulebase, however data was still transferred
Symptoms
  • SmartView Tracker shows that Application Control blocked the traffic per the policy, but data was still transferred:

    • 'Policy' section of the log shows: Action = Block
    • 'Traffic' section of the log shows: Transferred Data = N (X sent, Y received)


  • Example from kernel debug:

    {policy} appi_cmi_handler_match_cb: match on context 181;
    {policy} appi_cmi_handler_handle_pm_match: app found: 60095579;
    ......
    {connection} appi_transaction_exe_rulebase: rulebase match returned: MATCH;
    ......
    {connection} appi_transaction_conn_prepare_uc_match_data: app_name: (FTP Protocol), app_id: (60095579) app_matched_category: (Network Protocols), app_product: (apcl), app_version: (r7520);
    ......
    {connection} [WARNING]: appi_transaction_conn_process_rb_match_result: setting action to APPI's BLOCK ;
    ......
    {connection} appi_transaction_conn_process_rb_match_result: MATCH on rule 49 (application: 60095579, action: BLOCK);
    ......
    {global} appi_app_db_get_app_log_data: finish registering strings: app_name 14691, app_desc 14692, category 14627, properties 14693;
    ......
    {module} fw_appi_module_appi_log_write_cb: sending application log: origin: X, alert_code X, action_code 33, app_name 14691, app_desc 14692, app_id 60095579, category 14627, matched category 14627, properties 14693, risk 3, rule_uid X, rule_name X, user-agent X, server X, forwarded_ip X, app_sig_id (60095579:2), ticket id X, reason X;
    ......
    {policy} appi_cmi_handler_match_cb: conn returned: action [Reject];
    ......
    FW-1: [ASPII|ASPII MT|CMI INSPECT|Streaming|Streaming MT] SmartDefense application drop while SmartDefense global detect is active;
    ......
    IPS: Global detect - overriding [ASPII|ASPII MT|CMI INSPECT|Streaming|Streaming MT] - Traffic will not be dropped by application;
    .........................


    where
    • app_id 60095579 = FTP Protocol
    • category 14627 = Network Protocols
Cause

IPS is running in 'Detect' mode, or in 'Troubleshooting' mode.

Application Control and IPS share the same inspection infrastructure. Running IPS in "Detect" (or "Troubleshooting") mode therefore also affects the Application Control blade: even when the inspected Context matches the Application ID and the policy rejects that traffic, the Security Gateway still lets it pass. The kernel debug above shows the sequence: Application Control sets the action to BLOCK and writes the application log (hence "Action = Block" in SmartView Tracker), but IPS "Global detect" then overrides the drop, so the connection continues and bytes are transferred.
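To spot this condition from logs rather than by reading a debug trace by hand, the following is an added example (not Check Point code and not part of this article). It flags SmartView Tracker records whose 'Policy' action is Block while the 'Traffic' section reports non-zero transferred data, and it correlates a kernel debug excerpt's rulebase BLOCK verdict with the IPS "Global detect - overriding" marker. The flattened one-line record layout, the sample records and the constructed debug lines (modeled on the excerpt above) are assumptions for illustration only.

```python
import re
from typing import Dict, List, Optional

# SmartView Tracker fields as the article shows them:
#   'Policy':  Action = Block
#   'Traffic': Transferred Data = N (X sent, Y received)
ACTION_RE = re.compile(r"Action\s*=\s*(?P<action>\w+)")
APP_RE = re.compile(r"Application\s*=\s*(?P<app>[^;]+)")
TRANSFER_RE = re.compile(
    r"Transferred Data\s*=\s*(?P<total>\d+)\s*\("
    r"\s*(?P<sent>\d+)\s+sent,\s*(?P<recv>\d+)\s+received\s*\)"
)

# Kernel debug markers taken from the excerpt above: the rulebase verdict
# and the IPS override that turns a BLOCK into "will not be dropped".
RB_BLOCK_RE = re.compile(
    r"appi_transaction_conn_process_rb_match_result: MATCH on rule (?P<rule>\d+) "
    r"\(application: (?P<app_id>\d+), action: BLOCK\)"
)
OVERRIDE_RE = re.compile(
    r"IPS: Global detect - overriding .* - Traffic will not be dropped by application"
)

# Constructed sample records (assumed flat "key = value;" export layout, not
# a real SmartView Tracker export): one blocked FTP connection that still
# moved bytes, one clean block, and one accept.
SAMPLE_TRACKER = [
    "Action = Block; Application = FTP Protocol; Transferred Data = 9216 (1024 sent, 8192 received)",
    "Action = Block; Application = FTP Protocol; Transferred Data = 0 (0 sent, 0 received)",
    "Action = Accept; Application = FTP Protocol; Transferred Data = 4096 (512 sent, 3584 received)",
]

# Constructed kernel debug excerpt, modeled on the article's lines.
SAMPLE_KERNEL_DEBUG = [
    "{connection} appi_transaction_conn_process_rb_match_result: MATCH on rule 49 (application: 60095579, action: BLOCK);",
    "{policy} appi_cmi_handler_match_cb: conn returned: action [Reject];",
    "FW-1: [ASPII|ASPII MT|CMI INSPECT|Streaming|Streaming MT] SmartDefense application drop while SmartDefense global detect is active;",
    "IPS: Global detect - overriding [ASPII|ASPII MT|CMI INSPECT|Streaming|Streaming MT] - Traffic will not be dropped by application;",
]


def parse_tracker_record(line: str) -> Optional[Dict[str, object]]:
    """Extract action, application and byte counters from one flattened record."""
    action, transfer = ACTION_RE.search(line), TRANSFER_RE.search(line)
    if not action or not transfer:
        return None
    app = APP_RE.search(line)
    return {
        "action": action.group("action"),
        "application": app.group("app").strip() if app else "",
        "sent": int(transfer.group("sent")),
        "received": int(transfer.group("recv")),
        "total": int(transfer.group("total")),
    }


def blocked_but_transferred(lines: List[str]) -> List[Dict[str, object]]:
    """Return records that were logged as Block yet carried data in either direction."""
    hits = []
    for line in lines:
        rec = parse_tracker_record(line)
        if rec and rec["action"] == "Block" and (rec["sent"] + rec["received"]) > 0:
            hits.append(rec)
    return hits


def diagnose_kernel_debug(debug_lines: List[str]) -> Dict[str, object]:
    """Correlate the rulebase BLOCK verdict with the IPS global-detect override.

    cause is 'ips_detect_override' when a BLOCK verdict is followed by the
    override marker (the symptom this article describes), 'block_enforced'
    when a BLOCK verdict stands alone, and 'no_block_match' otherwise.
    """
    rule: Optional[int] = None
    app_id: Optional[int] = None
    overridden = False
    for line in debug_lines:
        m = RB_BLOCK_RE.search(line)
        if m:
            rule, app_id = int(m.group("rule")), int(m.group("app_id"))
        if OVERRIDE_RE.search(line):
            overridden = True
    if rule is not None and overridden:
        cause = "ips_detect_override"
    elif rule is not None:
        cause = "block_enforced"
    else:
        cause = "no_block_match"
    return {"rule": rule, "app_id": app_id, "cause": cause}


if __name__ == "__main__":
    for rec in blocked_but_transferred(SAMPLE_TRACKER):
        print("Block with data transferred:", rec)
    print("Kernel debug diagnosis:", diagnose_kernel_debug(SAMPLE_KERNEL_DEBUG))
```

Both checks are independent on purpose: the Tracker check needs only the exported logs and is the quick first pass, while the kernel debug check confirms that the bypass is the IPS override and not, say, a connection that was already mid-transfer before the match occurred.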


Solution