2 Replies Latest reply on Jul 27, 2015 3:56 PM by layer0

    McAfee NGFW Connection Discarded

    layer0

      Hello Everyone,

      We are testing a McAfee Next Generation Firewall. We don't have any access rule to block traffic, but in the logs I see a lot of activity with action "Discard" and rule tag "100.0", yet that rule doesn't exist. How can I figure out what functionality is discarding the traffic?

      Thanks.

        • 1. Re: McAfee NGFW Connection Discarded
          thyvarin

          Hi,

          If you're running the engine in the FW/VPN or L2FW role, there is an implicit "discard any" rule at the end of the access rulebase that discards any traffic the admin has not specifically allowed. However, at least in the built-in template policies, this rule doesn't use rule tag @100.0. In addition, the template policies have a few other rules with the Discard action (e.g. "Firewall Template" has a rule to discard any traffic from "NOT Loopback network" to "Loopback network"), but these rules also don't appear to use tag @100.0.

          Can you send more details about the log entries you are seeing? Perhaps a screenshot (though that usually misses several fields) that shows at least the fields with IP addresses, ports, service, and rule match, and also the "Information Message" field. Note, though, that it might not be possible to tell exactly what is discarding the traffic without seeing the policy, so you might want to open a tech support case for this if you have a valid grant that you can use to open Service Requests.

          BR,

          Tero
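Tero's diagnostic step is to trace every Discard back to the rule tag that produced it and compare those tags against the rules the policy actually contains. The Python below is an added example, not code from this thread or from any McAfee tool: it runs over a constructed CSV-style log export, groups discards by rule tag, and flags tags that are not in a (constructed) set of known policy rule tags. The column names, the sample rows, the tag values and the policy set are all assumptions for the demo; adjust them to match a real export.

```python
"""Triage a firewall log export for Discard actions by rule tag.

Added example, not part of the thread or any McAfee tool. It assumes a
CSV export with the columns in SAMPLE_EXPORT (constructed for this demo);
real NGFW export column names may differ. The aim is the step suggested
in the reply above: group every Discard by its rule tag, then flag tags
that do not exist in the policy you believe is installed.
"""

import csv
import io
from collections import Counter, defaultdict

# Constructed sample export: one connection log entry per row.
SAMPLE_EXPORT = """\
time,src,dst,service,action,rule_tag,info
2015-07-27 14:01:02,10.1.1.10,10.1.2.20,TCP/443,Allow,@10.2,
2015-07-27 14:01:03,10.1.1.11,10.1.2.20,TCP/445,Discard,@100.0,Connection discarded
2015-07-27 14:01:05,10.1.1.12,224.0.0.251,UDP/5353,Discard,@100.0,Connection discarded
2015-07-27 14:01:07,172.16.0.5,10.1.2.20,TCP/22,Discard,@3.1,Discarded by rule
2015-07-27 14:01:09,10.1.1.11,10.1.2.21,TCP/445,Discard,@100.0,Connection discarded
2015-07-27 14:01:11,10.1.1.13,10.1.2.20,TCP/80,Allow,@10.2,
"""

# Constructed: rule tags that actually appear in the installed policy.
KNOWN_POLICY_TAGS = {"@10.2", "@3.1"}


def parse_export(text):
    """Parse the CSV export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def discards_by_tag(rows):
    """Map rule_tag -> list of (src, dst, service) for every Discard entry."""
    by_tag = defaultdict(list)
    for row in rows:
        if row["action"].strip().lower() != "discard":
            continue
        tag = row["rule_tag"].strip() or "<no tag>"
        by_tag[tag].append((row["src"], row["dst"], row["service"]))
    return dict(by_tag)


def unexplained_discards(rows, known_tags=KNOWN_POLICY_TAGS):
    """Return {tag: count} for discards whose tag is not in the policy.

    A tag absent from the policy means the drop is not coming from an
    access rule the admin wrote (a template rule, the implicit discard or
    another engine function instead), which is the case to escalate with
    the full log fields and the policy export.
    """
    return {
        tag: len(flows)
        for tag, flows in discards_by_tag(rows).items()
        if tag not in known_tags
    }


def top_services(rows, tag, n=3):
    """Most common services discarded under one tag, to see what is being hit."""
    counts = Counter(svc for _, _, svc in discards_by_tag(rows).get(tag, []))
    return counts.most_common(n)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for tag, count in unexplained_discards(rows).items():
        print(f"{tag}: {count} discards not matching any known policy rule")
        for svc, c in top_services(rows, tag):
            print(f"    {svc}: {c}")
```

On the constructed data the only unexplained tag is @100.0, with three discards, mostly TCP/445; the list of affected services and endpoints is what a support case or policy review would start from.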

          • 2. Re: McAfee NGFW Connection Discarded
            layer0

            Hi,

            The engine is in L2FW role. I'm sending you screenshots of two different examples.

            First:

            tráfico 2.PNG

            And second:

            tráfico.PNG

            Thanks for your help.

            Bye