
#1: Sonicwall "Web access request dropped" Rule 6

Posted on 2004-12-17 16:49:18 by Miara Transportation Information

Recently our Sonicwall SOHO3 began logging some interesting entries that I
don't understand. They all look like this:

Time: 12/17/2004 09:51:32.000
Message: Web access request dropped
Source: xxx.xxx.x.x, 1887, LAN (admin)
Destination: xxx.xxx.x.x, 80, LAN
Notes: Web (HTTP)
Rule: 6


"Admin" is myself, logged into the firewall to check this out. But I've
seen other IP addresses appear with this same "Web access request dropped"
message, and all reference "Rule 6".

So I checked my access rules and this is what I have:

Priority  Action  Users Allowed  Service           Source  Destination
1         Allow   All            HTTPS Management  LAN     xxx.xxx.x.x (LAN)
2         Allow   All            HTTP Management   LAN     xxx.xxx.x.x (LAN)
3         Deny    All            Blaster TCP 135   *       *
4         Deny    All            Blaster TCP 139   *       *
5         Deny    All            Blaster TCP 445   *       *
6         Deny    All            Blaster UDP 69    *       *
7         Deny    All            Blaster UDP 135   *       *
8         Deny    All            Blaster TCP 4444  *       *
9         Deny    All            Blaster TCP 593   *       *
10        Allow   All            Default           LAN     *
11        Deny    All            Default           *       LAN

As an experiment, I dis-enabled number 6, but the log still recorded "Web
access request dropped" messages referencing rule 6. Then I edited the rule
but made no changes. When I "saved changes" the rule became rule number 9
as you see above (the "Blaster TCP 593" was my original rule 6, the one I
dis-enabled, moving "Blaster UDP" into 6th place). The log is still recording
"Web access request dropped" messages, and referencing rule 6. So, just for
grins and giggles, I turned off "logging" of all the Blaster rules...and my
log still shows "Web access request dropped" Rule 6 activity.

So I'm left with some questions. Clearly, the "Rule 6" that is being
referenced is something other than the Access rule I'm looking at. So what
is it? And where is it defined/modified? How is this "Web access request"
dropping affecting my users? I have had no complaints and noticed no
problem on my own machine even when my own IP address was logged. Also,
these all reference LAN to LAN activity...in what manner is this "Web
(HTTP)"?

Because I've noticed no degradation of service this would be no big
deal...if it wasn't for the fact that my whole log is filling up with these
damned things, a new notification every few seconds.

Thanks in advance for any help.
