Specific traffic is dropped by Security Gateway, although it should be accepted by the relevant security rule

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk97876
Technical Level
Product	Security Gateway, Security Management, Multi-Domain Management
Version	R75, R76, R77, R77.10, R77.20, R80.10, R80
Platform / Model	All
Date Created	25-Dec-2013
Last Modified	05-Aug-2019

Symptoms

SmartView Tracker shows that specific traffic is dropped by Security Gateway, although it should be accepted by the relevant security rule.
Issue is resolved when moving the security rule that should have accepted the traffic to a higher position in the rulebase.
Issue is resolved when in the service located in the security rule that drops the traffic, setting the 'Protocol Type' to 'None' (right-click on the service - 'Edit...' - 'Advanced...' button).
Issue is resolved when unchecking the box 'Match for 'Any'' in the service located in the security rule that drops the traffic (right-click on the service - 'Edit...' - 'Advanced...' button).

Kernel debug ('fw ctl debug -m fw + drop tcpstr') might show the following drops for traffic that should have been accepted:

;fwpslglue_chain: dropping packet, message "PSL Drop: ASPII_MT";
;fw_log_drop: Packet proto= ... dropped by fwpslglue_chain Reason: PSL Drop: ASPII_MT;

Cause

In FireWall rulebase, the Service may be evaluated before evaluating the Source or the Destination.

Example:

Configuration:
- 'CACTI' object represent SNMP Management machine that queries Hosts on the network.
- 'snmp_v3' is a custom service, in which 'Protocol Type' was set to 'SNMP_V3'.
- 'snmp' is a pre-defined service, in which 'Protocol Type' is not set at all.
- Rulebase (pay attention to the order of the security rules):
  
  NO. SOURCE DESTINATION SERVICE ACTION TRACK
  
  1 CACTI Any snmp_v3 Accept Log
  
  2 Any CACTI snmp_v3 Accept Log
  
  3 Any Any snmp Accept Log
Issue:
- Both SNMP v1 traffic and SNMP v2 traffic were dropped, although this traffic was not sent to / from 'CACTI' object.
Workarounds:
- Moving the rule with pre-defined service 'snmp' (that should accept both SNMP v1 / SNMP v2 traffic) above the rules with custom service 'snmp_v3'.
- In the custom service 'snmp_v3', setting the 'Protocol Type' to 'None'.

Solution

Note: To view this solution you need to Sign In .