Can you provide the full audit message showing the traffic hitting the deny all rule?
2014-06-02 11:32:43 -0400 f_http_proxy a_aclquery t_attack p_major
pid: 2054 logid: 0 cmd: 'httpp' hostname: FW8-Test.test.com
category: policy_violation event: ACL deny attackip: 192.168.100.2
attackzone: internal srcip: 192.168.100.2 srcport: 58868
srczone: internal protocol: 6 dst_geo: US dstip: 22.214.171.124 dstport: 873
dstzone: external rule_name: Deny All cache_hit: 1
reason: Traffic denied by policy.
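Added example, not part of the original thread or of the firewall's own tooling: a small Python parser that splits the audit record posted above into fields and summarizes which rule denied which flow, so the IP protocol number and destination port can be read off directly. The field layout is inferred only from the record shown here (an assumption), and the names `parse_audit` and `summarize` are hypothetical.

```python
import re

# Audit record copied from the thread above (line breaks as posted).
SAMPLE = """2014-06-02 11:32:43 -0400 f_http_proxy a_aclquery t_attack p_major
pid: 2054 logid: 0 cmd: 'httpp' hostname: FW8-Test.test.com
category: policy_violation event: ACL deny attackip: 192.168.100.2
attackzone: internal srcip: 192.168.100.2 srcport: 58868
srczone: internal protocol: 6 dst_geo: US dstip: 22.214.171.124 dstport: 873
dstzone: external rule_name: Deny All cache_hit: 1
reason: Traffic denied by policy."""

# A key is a lowercase word followed by ": "; a value runs to the next key,
# so multi-word values such as "Deny All" stay intact.
KEY = re.compile(r"(?:^|\s)([a-z_]+): ")
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers


def parse_audit(record):
    """Split one audit record into header tags and key/value fields."""
    header, _, body = record.strip().partition("\n")
    body = " ".join(body.split())  # undo the line wrapping
    parts = header.split()
    fields = {"time": " ".join(parts[:3])}
    # Header tags (f_..., a_..., t_..., p_...) are stored under their
    # prefix letter; their meaning is not interpreted here.
    for tag in parts[3:]:
        prefix, _, value = tag.partition("_")
        fields[prefix] = value
    matches = list(KEY.finditer(body))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        fields[m.group(1)] = body[m.end():end].strip().strip("'")
    return fields


def summarize(fields):
    """One-line description of the denied flow."""
    proto = int(fields["protocol"])
    name = IP_PROTOCOLS.get(proto, f"protocol {proto}")
    return (f"{fields['event']} by rule '{fields['rule_name']}': "
            f"{name} {fields['srcip']}:{fields['srcport']} -> "
            f"{fields['dstip']}:{fields['dstport']} "
            f"({fields['srczone']} -> {fields['dstzone']})")


if __name__ == "__main__":
    print(summarize(parse_audit(SAMPLE)))
```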
You can use the 'aconn' command-line tool at 8.3.2P03 to see why the traffic is skipping the rule you believe it should hit. Run 'man aconn' or 'aconn -h' to see the command-line options.
Can you guys update the control center file pub/commandcenter/autoDiscovery.xml so that I can download 8.3.2P03? From version 8.3.2P02 I don't have that command available.
What I would do is create a new application on TCP and UDP 873 and use it in place of the Rsync application. What is most likely happening here is it's not matching the Rsync signature in the application.
You cannot use the 'rsync' application with 'minimal proxy' selected because the rsync application uses UDP ports and these cannot be 'promoted' to a proxy in the code. Yahoo Messenger has the same limitation, as does any application signature using UDP ports.
You must be at CC 5.3.2P02 to download 8.3.2P03.
Thanks for the heads-up on the patch. This may be a no-go for us, as we still use firewall reporter, which according to the release notes has been removed from this version of the control center.
Agreed and understood. However, we are only using TCP for this... The heart of the issue is we have no DFGW, so an ipfilter really won't work (unless we create separate ipfilter redirects/rules for each destination server, which is a nightmare). This worked before, why not now? Is there a specific reason that TCP/873 (not UDP) cannot be proxied? According to this: http://en.wikipedia.org/wiki/Rsync UDP is not even specified as a protocol...
Message was edited by: mathew.d.hailey on 6/2/14 11:35:11 AM CDT