3 Replies Latest reply on Dec 3, 2010 7:59 AM by Cotsy

    Problem with TrustedSource to outbound traffic

    bperez

      We have Geolocation and TrustedSource enabled to block risky connections. Last week we had several interruptions of good traffic (i.e. Oracle ERP) and known good websites. Nothing appears in the logs as being blocked, traceroute to the internet is good, and ping is good. When TrustedSource is disabled in the internet services rule, all the http ssl traffic permitted to the internet goes through without problem. The problem was random. Any ideas?

       

      Regards.

        • 1. Re: Problem with TrustedSource to outbound traffic
          sliedl

          If you have TrustedSource enabled and for some reason you cannot reach the TS servers you will use the Default reputation (which is set on the TrustedSource page in the GUI).  If your default reputation is higher than the threshold for what your rule will pass, you will Deny traffic.  You will not see a 'TrustedSource' deny message (because they don't exist).  Geolocation Deny messages do not exist either; they are all 'ACL Deny' messages ($> acat -e "event AUDIT_R_ACLDENY").

           

          If you cannot reach the TS servers you will see an audit message that says something like 'Unable to query TS servers; going to default reputation for 300 seconds.'  I believe you can see these audits with this audit filter:

          $> acat -e "area TrustedSource and type software_failure" | less

           

          There is no way to figure out why you couldn't reach the TS servers, though, if that actually happened.
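
The fallback behaviour described in reply 1, as an added example that is not part of the original thread and not McAfee tooling: it checks whether ACL denies fall inside the 300-second default-reputation window that follows a TrustedSource query failure. The record format (epoch seconds, kind, detail), the kind names and the sample values are constructed assumptions, not acat output.

```python
# Added example: constructed records, not real acat output.
from bisect import bisect_right

FALLBACK_SECONDS = 300  # window quoted in the reply's audit message

def fallback_windows(events):
    """Merge the [start, end) windows opened by each TS query failure."""
    windows = []
    for ts, kind, _ in sorted(events):
        if kind != "ts_query_failure":
            continue
        end = ts + FALLBACK_SECONDS
        if windows and ts <= windows[-1][1]:
            # A new failure during fallback extends the current window.
            windows[-1][1] = max(windows[-1][1], end)
        else:
            windows.append([ts, end])
    return windows

def classify_denies(events):
    """Split ACL denies into those inside a fallback window and the rest."""
    windows = fallback_windows(events)
    starts = [w[0] for w in windows]
    inside, outside = [], []
    for ts, kind, detail in sorted(events):
        if kind != "acl_deny":
            continue
        i = bisect_right(starts, ts) - 1
        in_window = i >= 0 and ts < windows[i][1]
        (inside if in_window else outside).append((ts, detail))
    return inside, outside

def would_deny(default_reputation, rule_threshold):
    """Fallback decision as the reply states it: default above threshold denies."""
    return default_reputation > rule_threshold

# Constructed sample: (epoch seconds, kind, detail)
SAMPLE = [
    (1000, "ts_query_failure", "going to default reputation"),
    (1040, "acl_deny", "dst 203.0.113.10:443"),
    (1250, "ts_query_failure", "going to default reputation"),
    (1520, "acl_deny", "dst 203.0.113.25:80"),
    (1900, "acl_deny", "dst 198.51.100.7:25"),
]

if __name__ == "__main__":
    inside, outside = classify_denies(SAMPLE)
    print("denies during default-reputation fallback:", inside)
    print("denies outside any fallback window:", outside)
```

Denies that cluster inside fallback windows point at the default reputation setting rather than at a rule change; denies outside them need a different explanation.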

          • 2. Re: Problem with TrustedSource to outbound traffic
            Cotsy

            I have exactly the same problem; I have a call logged with McAfee Support.  It happened recently after rebooting the active firewall: the standby took over, but all the Trusted Source enabled rules stopped working. All other traffic was fine.

             

            I've had it before in the past but never resolved the issue.  The firewall can contact the TrustedSource Internet server fine (resolve name, ping, etc.); the problem even happens when the firewall is idle.  Failing over (rebooting the firewalls) doesn't help either; I have to switch off TrustedSource on the rules before the rules start working again.  When I had it before, internet access became slow and some (not all) remote sites couldn't access the hosted servers. I disable Trusted Source as a workaround, hoping the cause is identified soon.

             

             

            Message was edited by: Cotsy on 15/11/10 10:52:30 CST
            • 3. Re: Problem with TrustedSource to outbound traffic
              Cotsy

              *** UPDATE ***

               

              I applied e-patch E97 which apparently fixes various trusted source issues, but still got the same problem.