1 Reply Latest reply on Dec 8, 2015 9:50 AM by grc-dl-nsc-sa

    McAfee Firewall Detects IPv6 Traffic as 'Netprobe'

    grc-dl-nsc-sa

      IPv6 traffic bound for one of our websites is blocked by the firewall as a 'netprobe'. The following error is generated:

      "Received a TCP connection attempt destined for a service that the current policy does not support"

      Our rule for this site is extremely simple. It uses ports 80 and 443. The Source is <any v6> and the Destination is the webserver's IPv6 address.

      Any idea why we'd be receiving this error message?

        • 1. Re: McAfee Firewall Detects IPv6 Traffic as 'Netprobe'
          grc-dl-nsc-sa

          To those that might run into this issue in the future, we have figured out the issue.

          I wrongfully assumed that we needed to add the web server's IPv6 address to the External Interface of the firewall. This is how we have it set up in the IPv4 list. All of the external IPv4 addresses are in the External interface. Well, this is wrong. The web server's IPv6 address does not need to be listed in the interface at all. It only needs to be added as a 'network object' to be referenced by the firewall rule.

          So, back to the firewall rule. The ports are still 80, 443. The Source is <any v6>, the Destination is the web server's IPv6 address. The Source zone is External and the Destination zone is internal. This means that any external IPv6 source is directed through the firewall, internally, to the web server's IPv6 address. That's it. Done.