Specific traffic is dropped by Security Gateway, although it should be accepted by the relevant security rule
Symptoms
  • SmartView Tracker shows that specific traffic is dropped by Security Gateway, although it should be accepted by the relevant security rule.

  • Issue is resolved when moving the security rule that should have accepted the traffic to a higher position in the rulebase.

  • Issue is resolved when setting the 'Protocol Type' to 'None' in the service used by the security rule that drops the traffic (right-click on the service - 'Edit...' - 'Advanced...' button).

  • Issue is resolved when unchecking the 'Match for 'Any'' box in the service used by the security rule that drops the traffic (right-click on the service - 'Edit...' - 'Advanced...' button).

  • Kernel debug ('fw ctl debug -m fw + drop tcpstr') might show the following drops for traffic that should have been accepted:
    ;fwpslglue_chain: dropping packet, message "PSL Drop: ASPII_MT";
    ;fw_log_drop: Packet proto= ... dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT;
    
Cause

In the FireWall rulebase, the Service column may be evaluated before the Source and Destination columns are evaluated.

Example:

  • Configuration:

    • 'CACTI' object represents an SNMP Management machine that queries Hosts on the network.
    • 'snmp_v3' is a custom service, in which 'Protocol Type' was set to 'SNMP_V3'.
    • 'snmp' is a pre-defined service, in which 'Protocol Type' is not set at all.
    • Rulebase (pay attention to the order of the security rules):
      NO.  SOURCE  DESTINATION  SERVICE  ACTION  TRACK
      1    CACTI   Any          snmp_v3  Accept  Log
      2    Any     CACTI        snmp_v3  Accept  Log
      3    Any     Any          snmp     Accept  Log
  • Issue:

    • Both SNMP v1 traffic and SNMP v2 traffic were dropped, although this traffic was not sent to or from the 'CACTI' object.
  • Workarounds:

    • Moving the rule with the pre-defined service 'snmp' (which should accept both SNMP v1 and SNMP v2 traffic) above the rules with the custom service 'snmp_v3'.
    • In the custom service 'snmp_v3', setting the 'Protocol Type' to 'None'.
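The following is an added example, not part of this article and not Check Point's implementation: a simplified Python model of the evaluation order described under Cause (Service consulted before Source/Destination), used to reproduce the symptom and both workarounds. The rule that a port hit on a service with a Protocol Type binds the connection to that protocol parser is an assumption of the model; host names other than 'CACTI' are constructed.

```python
from collections import namedtuple
from typing import List

# protocol_type: e.g. 'SNMP_V3' for a custom service, None when not set (pre-defined 'snmp')
Service = namedtuple('Service', 'name port protocol_type', defaults=(None,))
Rule = namedtuple('Rule', 'source destination service')     # 'Any' or an object name
Packet = namedtuple('Packet', 'src dst dport app_protocol')  # app_protocol: what the payload really is

def _matches(column: str, value: str) -> bool:
    return column == 'Any' or column == value

def evaluate(rulebase: List[Rule], pkt: Packet) -> str:
    """Model of the described order: Service is consulted before Source/Destination."""
    bound_protocol = None
    for rule in rulebase:
        if rule.service.port != pkt.dport:
            continue
        # Assumption of this model: a port hit on a service that has a Protocol Type binds
        # the connection to that protocol parser, even when Source/Destination then fail.
        if rule.service.protocol_type and bound_protocol is None:
            bound_protocol = rule.service.protocol_type
        if _matches(rule.source, pkt.src) and _matches(rule.destination, pkt.dst):
            if bound_protocol and bound_protocol != pkt.app_protocol:
                return 'Drop (PSL Drop: ASPII_MT)'   # parser mismatch, as in the kernel debug
            return 'Accept'
    return 'Drop (cleanup)'

SNMP = Service('snmp', 161)                     # pre-defined, Protocol Type not set
SNMP_V3 = Service('snmp_v3', 161, 'SNMP_V3')    # custom, Protocol Type = SNMP_V3
SNMP_V3_NO_TYPE = Service('snmp_v3', 161)       # workaround 2: Protocol Type set to None

ORIGINAL = [Rule('CACTI', 'Any', SNMP_V3), Rule('Any', 'CACTI', SNMP_V3), Rule('Any', 'Any', SNMP)]
REORDERED = [ORIGINAL[2], ORIGINAL[0], ORIGINAL[1]]          # workaround 1: 'snmp' rule moved up
NO_TYPE = [Rule('CACTI', 'Any', SNMP_V3_NO_TYPE), Rule('Any', 'CACTI', SNMP_V3_NO_TYPE), Rule('Any', 'Any', SNMP)]

# Constructed sample traffic: SNMPv1 between two hosts, neither of which is 'CACTI'
SNMP_V1_PKT = Packet('host-a', 'host-b', 161, 'SNMP_V1')
# Constructed sample traffic: genuine SNMPv3 from the CACTI poller, matched by rule 1
SNMP_V3_PKT = Packet('CACTI', 'host-b', 161, 'SNMP_V3')

if __name__ == '__main__':
    for label, rb in (('original', ORIGINAL), ('reordered', REORDERED), ('type None', NO_TYPE)):
        print(f'{label:10s} SNMPv1 host-a -> host-b: {evaluate(rb, SNMP_V1_PKT)}')
    print(f'original   SNMPv3 CACTI -> host-b:  {evaluate(ORIGINAL, SNMP_V3_PKT)}')
```

With the original rule order the SNMPv1 packet is accepted by rule 3 but then dropped by the parser bound at rule 1; either workaround removes the binding and the packet is accepted.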
