topic Re: getting traffic after the interface is down in General Topics

getting traffic after the interface is down

FarhanKoujalgi — Fri, 23 Jul 2021 12:48:20 GMT

Hey guys hope you doing well I got a question I get a challenge one of my user getting traffic logs of NetBIOS by source Pvt IP from LAN to WAN the device from the source side is down the 2 Pvt IP still hitting the cleanup rule. The Policy is denied by the firewall but why do the traffic logs show the two source IP which is down from that side. is that any command to clear cache or something please help. and In-application is NetBIOS-ns.

Re: getting traffic after the interface is down

BPry — Fri, 23 Jul 2021 18:31:31 GMT

@FarhanKoujalgi,

If you look at the detailed log information is the start_time actually associated with when these clients are known to be down? The logs are probably just session_end logs that are being generated after the firewall closes the session.

Re: getting traffic after the interface is down

FarhanKoujalgi — Fri, 23 Jul 2021 19:23:03 GMT

Dear @BPry

The interface from the source side is down so why am I getting logs of netbios hitting to deny rule

I check the logs time by the time it's generated in a gap of 2 5 minutes.

if that side of a link is down then why the firewall show us a log of netbios

Re: getting traffic after the interface is down

FarhanKoujalgi — Fri, 23 Jul 2021 19:23:21 GMT

The interface from the source side is down so why am I getting logs of netbios hitting to deny rule

I check the logs time by the time it's generated in a gap of 2 5 minutes.

if that side of a link is down then why the firewall show us a log of netbios

Re: getting traffic after the interface is down

Remo — Sun, 25 Jul 2021 16:48:03 GMT

Is this a single firewall or a cluster? I agree it does not make sense that there are logs when the interdace is down, but did you really rule out any possibility of this? Was the interface effectively down or did it maybe come back already or at least for a short time? Did you check what @BPry asked for - check the detailed logs to see the start time? Is it possible that the start time was prior to the interface down? Was there maybe an application change in the connection - the firewall allowed a few packets, then the interface went down, then anwer packets reached the firewall wan side and them the firewall was able to see netbios so the connection was denied.