Troubleshooting blocks in NG Firewall using Reports
NG Firewall is a complex piece of software with many moving parts! It can sometimes be difficult to determine exactly which component is affecting your traffic. This guide should help you narrow things down.
First step: try a test bypass
The very first step to take will be to determine if the traffic is being blocked by one of the NGFW's layer-7 applications. Follow this process to bypass the device you're testing from: How to bypass traffic from filtering
If your connection still doesn't work correctly, it's not being blocked by an NGFW application. In that case, you may wish to contact Support for further assistance.
If bypassing allows it to connect properly, then read on for troubleshooting steps.
Next step: check Reports for app blocks
Now, we'll need to determine what NGFW application is affecting your traffic. To do that, you'll want to generate some example traffic to use in looking through Reports:
- Grab the IP address of the computer you're testing from
- Note the time
- Try to connect however you normally would (open the app, click a "connect" or "refresh" button, &c.)
Next, go to Reports in the blue bar at the top of the screen. In the top left-hand corner, click Add next to Conditions, and select Client. Next, add the device's IP address in the field at the bottom:
This will filter any Report you view down to just traffic originating from that single IP address.
Finally, click "Today" next to Since and select "1 Hour ago":
Now any Report we view will only show us very recent traffic from that device, which will help us narrow down what's acting on that traffic.
Best place to start is Reports > Network > All Sessions, which shows us nearly everything the NGFW knows about a particular session. You may need to expand the Details pane at the right-hand side of the screen; it's sometimes collapsed/hidden by default. You can also add additional columns to the Report view: Formatting and search tools for Reports
We also recommend checking Reports > Web Filter > Blocked Web Events if you're looking for port 80 or 443 traffic, as that data isn't included in the All Sessions report.
Once you've located the app(s) that is blocking that traffic, you'll be able to create rules within that specific app to ignore that traffic (which should allow this connection).
What if no apps report a block?
If no applications appear to be blocking this traffic, the next step would be to disable applications individually, testing the connection after each app. Once you've found the app that's filtering that traffic, you can create rules in that app to ignore it.
What if no app fixes it?
NGFW operates in two "stages": the layer-3 functions (everything found under Config) and the layer-7 Untangle Virtual Machine, or "UVM". Sometimes traffic breaks during the passing to or from the UVM. Unfortunately, the only solution for this is to create a Bypass Rule(s) for this connection, as any bypassed traffic is never handed off to the UVM at all.
In a case like this, the most effective method would be to narrow down this traffic using any criteria you can find: specific server IP(s) it connects to, a unique port it uses, &c.Follow
Please sign in to leave a comment.