1 Reply Latest reply on Nov 3, 2011 10:57 AM by Kary Tankink

    Strange traffic being blocked

      What looks like broadcast traffic is being blocked by a Windows XP client when I turn on the firewall. It looks like standard UDP broadcast traffic and is being blocked by the Block All rule using the standard corporate policy.

       

      Time:     01/11/2011 09:54:40

      Event:     Traffic

      IP Address/User:     192.168.0.116

      Message:     Blocked Incoming UDP -  Source 192.168.0.116 :  (52066)  Destination 192.168.0.255 :  (61117)

      Matched Rule:     Block All Traffic

       

      This is filling up the firewall logs constantly.

       

      1) Without using Wireshark to determine the traffic, do you think it looks like normal broadcast traffic?

      2) Is there an easy way to continue blocking the traffic but not have it fill up the logs?

       

      The client is in the same range, so it looks like other Windows 7 and Windows XP clients are sending traffic to .255 that is being blocked by another Windows XP client.

       

      The client that is blocking traffic is on 192.168.0.120 and it is blocking source traffic from 192.168.0.116 and 192.168.0.122 etc.

       

      Message was edited by: sadadmin on 03/11/11 03:49:24 CDT
        • 1. Re: Strange traffic being blocked
          Kary Tankink

           

          1) Without using Wireshark to determine the traffic, do you think it looks like normal broadcast traffic?

          2) Is there an easy way to continue blocking the traffic but not have it fill up the logs?

          1. Yes, it looks like normal UDP broadcast traffic.

          2. You can disable the "Log all blocked" option in the Activity log, but it's going to stop logging all blocked traffic.  There isn't a way to continue blocking it and keep this specific traffic from being logged.
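
An added example, not part of the original thread or of the firewall product: since the blocked broadcasts cannot be excluded from the log itself, an exported log can be triaged afterwards by counting local UDP broadcast entries per source and keeping everything else for review. The /24 netmask, the function names and all sample lines except the first are assumptions made for this sketch.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the clients share a /24; the thread does not state the netmask.
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")

# Field layout of the "Message:" line quoted in the original post.
MSG_RE = re.compile(
    r"Blocked Incoming (?P<proto>\w+)\s*-\s*"
    r"Source\s+(?P<src>[\d.]+)\s*:\s*\(\d+\)\s*"
    r"Destination\s+(?P<dst>[\d.]+)\s*:\s*\((?P<dport>\d+)\)"
)

def parse_message(line):
    """Return the parsed fields of one blocked-traffic message, or None."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return {"proto": m["proto"], "dport": int(m["dport"]),
            "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"])}

def is_broadcast(dst, net=LOCAL_NET):
    # Directed broadcast of the subnet, or the limited broadcast address.
    return dst == net.broadcast_address or str(dst) == "255.255.255.255"

def summarize(lines, net=LOCAL_NET):
    """Count local UDP broadcast noise per (source, dest port); keep the rest."""
    noise, other = Counter(), []
    for line in lines:
        ev = parse_message(line)
        if ev is None:
            continue  # not a blocked-traffic message
        if ev["proto"] == "UDP" and ev["src"] in net and is_broadcast(ev["dst"], net):
            noise[(str(ev["src"]), ev["dport"])] += 1
        else:
            other.append(line)
    return noise, other

# Constructed sample: line 1 is the message from the post, the others are made up.
SAMPLE = [
    "Blocked Incoming UDP -  Source 192.168.0.116 :  (52066)  Destination 192.168.0.255 :  (61117)",
    "Blocked Incoming UDP -  Source 192.168.0.122 :  (52070)  Destination 192.168.0.255 :  (61117)",
    "Blocked Incoming UDP -  Source 192.168.0.116 :  (52066)  Destination 192.168.0.255 :  (61117)",
    "Blocked Incoming TCP -  Source 192.168.0.122 :  (49201)  Destination 192.168.0.120 :  (445)",
]

if __name__ == "__main__":
    noise, other = summarize(SAMPLE)
    print(dict(noise), f"{len(other)} other blocked event(s) to review")
```

A single source or destination port dominating the broadcast count is the cue to identify the sending application on that client.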