
Both Application Control permitting some traffic in a block rule


  • Both Application Control permitting some traffic in a block rule

    I have a device on my local LAN that is able to pass traffic to the Internet (according to Application Control reports) that should not be, based on a block rule. Application Control actually logs "block:false" against the block rule ID. I have created a few rules and I see this behaviour: some traffic is permitted through. It doesn't matter whether I create rules using MAC address, source IPs or other combinations, with or without source interface and destination interface.

    I have no Application Control "application tab" settings apps configured (any longer): no tarpit, block or tag (I did have some tag actions).
    Ultimately, to ensure this traffic is not going to be successful, I had to create a custom NAT rule to change the source IP to something unroutable if it matches the application rule traffic that should be blocked but does not appear to be reliably blocked. I have not determined if this is a problem with the firewall engine or the reporting. Installing and using the firewall engine to achieve the same result fails as well; it exhibits the same behaviour. I have no bypass rules, and everything is logged, including bypass rules.

    Additionally this behaviour seems identical on 16.3.2 and 16.4 versions.

    This is very concerning, as a firewall must always block undesired traffic when configured, not just most of the time. I would expect a block rule to override anything specifically allowed elsewhere. But I have scoured my system for anything that would be permitting this and have come up empty. I have rebuilt the firewall multiple times on different versions to ensure it wasn't some weird issue with an older system or version, or any of the upgrades.

  • #2
    Looks like using a "filter rule" effectively plugs the hole in the Application Control drop rule reporting that some packets are "blocked: false" (not being dropped) against a deny rule. This has really shaken my confidence in the product now; I now have to review all other deny rules and see if the same issue exists. Frankly, I need to audit all the allow rules as well and see if any additional packets not meeting the allow conditions are being permitted as well.


    • #3
      On further analysis, the problem appears to be with a small subset of data from probably just a webcam appliance. This traffic is being reported with a "0" app control confidence rating, even though the criteria I'm using to deny access are client IP or MAC address and would require no knowledge of the payload. The Application Control blade seems to only make a determination upon a complete assessment of the session, so at this point the problem at least seems to have a logical reason. I'll need to assess whether these edge cases are of concern or warrant using the firewall application instead (even though an initial test seemed to indicate the traffic still getting through even when controlled with a block firewall app rule). I feel better at least with this latest observation on the nature of the traffic being permitted through.