2 Replies Latest reply on Jul 27, 2015 3:56 PM by layer0

    McAfee NGFW Connection Discarded


      Hello Everyone   


      We are testing a McAfee Next Generation Firewall. We don't have any access rule to block traffic, but in the logs I see a lot of activity with action "Discard" and rule tag "100.0", but that rule doesn't exist. How can I figure out what functionality is discarding the traffic?



        • 1. Re: McAfee NGFW Connection Discarded



          If you're running the engine in the FW/VPN or L2FW role, there is an implicit discard-any rule at the end of the access rulebase to discard any traffic that the admin has not specifically allowed. Though this rule, at least in the built-in template policies, doesn't use rule tag @100.0. In addition, the template policies have a few other rules with the discard action (e.g. "Firewall Template" has a rule to discard any traffic from "NOT Loopback network" to "Loopback network"), but these rules also don't appear to use tag @100.0.


          Can you send more details about the log entries that you are seeing? Perhaps a screenshot (though that usually misses several fields) that shows at least the fields showing IP addresses, ports, service, and rule match, and also the "Information Message" field. Note, though, that it might not be possible to tell what exactly is discarding the traffic without seeing the policy, so you might want to open a tech support case for this if you have a valid grant that you can use to open Service Requests.




          • 2. Re: McAfee NGFW Connection Discarded



            The engine is in the L2FW role. I am sending you screenshots of two different examples.



            tráfico 2.PNG


            And second




            Thanks for your help.