  1. #1
    Untanglit
    Join Date
    Sep 2017
    Posts
    22

    Rules Applying Improperly?

    It seems that rules are not being applied properly or they don't work as I assumed.

    I have two rules established to pass certain traffic and flag it.

    Rule 1. Protocol ===> UDP * Destination Port ===> 123

    Rule 2. Destination Address ===> [xxx.xxx.xxx.xxx] * Source Address ===> [xxx.xxx.xxx.0/24] * Destination port ===> 443 * Protocol ===> TCP,UDP * Source Interface ===> External 1

    With the above rules enabled, I am seeing 100% traffic, both internal and external, being ID'd by one of the rules. Most of the traffic isn't even over port 443 or 123 and isn't related to the IP addresses in RULE 2.

    Perhaps as a side effect, I am also seeing all traffic assessed as High Risk now being passed.

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,959

    First rule match wins, no rules for any session are processed past the first match.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untanglit
    Join Date
    Sep 2017
    Posts
    22

    I understand that Rules are evaluated in order and the action from the first matching rule is used to route the matching session. So a session will cascade through the rules and route according to the rule it matches. I am seeing all sessions matched to rules that they don't match in any way. It doesn't make sense that a session be identified under a rule that it doesn't match.

    By default, Threat Prevention blocks any sessions that match the Reputation Threshold of High. I had assumed that if sessions did not match a configured rule the already configured Reputation Threshold would be the catch-all, but this is not how it is behaving. It appears that once a rule is configured it no longer uses the already configured Reputation Threshold.

    I'm probably overlooking something simple here, but the behavior I've mentioned above makes no sense to me.
    Last edited by ryan.haver; 03-13-2020 at 12:05 PM.
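
The behavior this post expects can be written down as a small model and compared against the appliance's session log to list the sessions tagged with a rule they do not match. This is an added example, not part of the thread and not Untangle's code; it assumes conditions within a rule are ANDed and unset conditions are wildcards, and the addresses, interface names and log entries are constructed placeholders.

```python
import ipaddress
from collections import namedtuple

# high_risk: the reputation verdict is at or above the configured block threshold
Session = namedtuple("Session", "proto src dst dport src_intf high_risk")
# Assumption: a condition left as None is a wildcard
Rule = namedtuple("Rule", "name protos dport src_net dst_addr src_intf", defaults=(None,) * 5)

def matches(r, s):
    """Assumption: every condition set on a rule must hold (logical AND)."""
    return ((r.protos is None or s.proto in r.protos)
            and (r.dport is None or s.dport == r.dport)
            and (r.src_net is None or
                 ipaddress.ip_address(s.src) in ipaddress.ip_network(r.src_net))
            and (r.dst_addr is None or s.dst == r.dst_addr)
            and (r.src_intf is None or s.src_intf == r.src_intf))

# The two pass-and-flag rules from the first post; addresses are constructed stand-ins
RULES = [
    Rule("Rule 1", protos=("UDP",), dport=123),
    Rule("Rule 2", protos=("TCP", "UDP"), dport=443, src_net="203.0.113.0/24",
         dst_addr="198.51.100.10", src_intf="External 1"),
]

def expected(s, rules=RULES):
    """First match wins; with no match, fall back to the reputation threshold."""
    for r in rules:
        if matches(r, s):
            return r.name, "pass+flag"
    return "threshold", ("block" if s.high_risk else "pass")

def audit(log, rules=RULES):
    """Return (session, logged_rule, expected_rule) wherever the log disagrees with the model."""
    return [(s, logged, expected(s, rules)[0]) for s, logged in log
            if logged != expected(s, rules)[0]]

# Constructed log: (session, rule name the appliance reported for it)
LOG = [
    (Session("UDP", "192.168.1.20", "192.0.2.5", 123, "Internal", False), "Rule 1"),
    (Session("TCP", "203.0.113.7", "198.51.100.10", 443, "External 1", False), "Rule 2"),
    (Session("TCP", "192.168.1.20", "192.0.2.80", 80, "Internal", False), "Rule 1"),
    (Session("TCP", "192.0.2.99", "192.168.1.5", 22, "External 1", True), "Rule 2"),
]

if __name__ == "__main__":
    for s, logged, want in audit(LOG):
        print(f"{s.proto} {s.src} -> {s.dst}:{s.dport} logged={logged} expected={want}")
```

Sessions returned by `audit` are the ones worth capturing in screenshots alongside the rule definitions.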

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,959

    We need screen shots of the rules that aren't working the way you think they should, as well as a screen grab of some logs to go with that behavior. From there we can figure out the configuration error.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangler
    Join Date
    May 2018
    Posts
    58

    Thanks for the feedback Ryan and help, sky-knight. We are looking at Rule behavior here and what you're seeing could be a symptom of this. And yes, we appreciate it if you can share screen shots of rules, and the resulting logs if you come across potential issues.
    Heather P
    Untangle Product Team

  6. #6
    Untanglit
    Join Date
    Sep 2017
    Posts
    22

    Thank you for the additional information @hpaunet

    Thanks for always being willing to help @sky-knight

    At the moment I don't have a lot of time to troubleshoot this. I've disabled all the rules for now due to the unexpected behavior. I'll have to revisit this in a few weeks.
