| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hi guys, yesterday I faced a peculiar issue. I have allowed HTTP and HTTPS requests for a range of IP addresses (this had been working for a month). Since yesterday, one IP from this range is being dropped by the firewall for HTTP and HTTPS requests. I have tried swapping the IP with some other machine and it is still not working. This is again matching the cleanup rule and dropping. Has anyone faced a similar situation? What would be the root cause of this problem? Can anyone please help to solve this problem? Sridhar |
| |||
| Can you detail how the rule and objects are set up, and which version & HFA level you're on? If these are public IP addresses, feel free to block out the first part if needed for confidentiality. Ray |
| |||
| Could it be that you somehow blocked that IP on SAM? I think if that was the case it should drop as rule 0, but hey, no harm done in checking I guess. When you are viewing active connections on the "SmartView Tracker", there is an option that allows you to block intruders, "Tools->Block Intruder". This doesn't show on rules, but would cause the traffic to drop. The option below that one, "Clear Blocking", should remove the blocking. If this isn't the problem, this is what I would do: 1 - Create a specific rule for that IP alone, just like the "normal" rule, and place it above, with log. 2 - Try the access again and check results. 3 - Check logs. |
| |||
| What rule is dropping the traffic? Don't want to doubt you, but check the number, it may not be the clean up. You might want to check my previous post too. Everything you say makes me think SAM, but... |
| |||
| I had a similar issue this week where the firewall was rejecting traffic outbound from one of my mail servers. It only affected one of them. The other one was working just fine. I checked the active log and saw that the SAM rule was in effect for this particular reject. I checked the active connections and selected the reject. I then cleared the block intruder section in Tools and it cleared up the problem! I still don't know how this was marked as block intruder in the first place, though, but the clearing in the active log did in fact work!!!! Last edited by lnx32; 2 Weeks Ago at 22:24. |