2 Replies Latest reply on Jul 23, 2013 5:04 PM by grinder

    Drop All From External IP's

    grinder

      I have read some posts about wanting to change the Deny All rule to a Drop All.  I also understand that doing this causes things like DNS etc. to stop working.  I see the want for this and would like to do it myself so that network scans etc. do not get any response back.  I am wondering if you create a rule just above the Deny All rule that is a Drop All from only the External interface what kind of impact would it have?  Would it break things like VPN connections etc?  I am just thinking if the traffic was initiated externally and didn't match any rule, would it be OK to just drop the packets.  I am curious to know if anyone has tried this or knows what kind of impact it would have.  Thanks for your feedback!

        • 1. Re: Drop All From External IP's

          Hello,

           

          The rule that you want to create does sound like the correct route to go, take a look at this KB article. It is actually for an upgrade from a previous product version, but most of it will apply.

           

          Firewall Enterprise/Sidewinder/Secure Firewall 7.x: HA communication or NTP/DNS queries fail after upgrading from Classic/TSP to Firewall Enterprise KB64684

           

           

          Note: if you create the drop rule and it is not matching the traffic, try setting a redirect for the rule. There are times where traffic with a destination of the firewall may not match a rule unless it has a redirect. If this is the case for you then I would suggest contacting support to report that.

           

          -Matt

          1 of 1 people found this helpful
          • 2. Re: Drop All From External IP's
            grinder

            I will do some testing with it and see what happens.