topic Re: ASA - Orphaned Traffic in Network Security

ASA - Orphaned Traffic

asidd — Sun, 06 Sep 2020 05:48:15 GMT

Hi All,

I have separate bidirectional rules in my firewall (ASA 5545-X) for different applications (including VoIP). What is puzzling here is if i capture logs for the traffic coming from OUTSIDE (of firewall) back into the segmented environment i am seeing entries that should have been logged under inside interfaces initiating those connections. Reason why i am saying that: i am seeing a lower end source port session logged under the OUTSIDE interface with a higher end DP. Examples:

SA: 10.100.11.20, SP: TCP(88) , DA=10.47.10.42, DP(50014 to 65408)

SA: 10.100.11.20, SP: UDP(53) , DA=10.47.10.37, DP(58146)

Is the firewall closing the session so it gets logged under a new session under OUTSIDE. Is there a timer issue here i need to check where it waits for a response and if it doesnt see it under a specific amount of time it will log it against the OUTSIDE rather than associating it to a session built from Inside (10.47.x.x)

Re: ASA - Orphaned Traffic

Mohammed al Baqari — Sun, 06 Sep 2020 07:15:44 GMT

Hi,

Do a full packet capture to see the entire flow. I have seen this with smb
traffic where the connections are not closed properly at the server side
while they are already close at client side. This makes responses from
server appear as new conn on firewall especially if they have SYN flag.

*** please remember to rate useful posts

Re: ASA - Orphaned Traffic

asidd — Sun, 06 Sep 2020 08:52:16 GMT

Thanks for the feedback. A quick question. Wouldn't firewall be independent of the client side closure. It is a transit device with it's own timeouts. Also i am seeing it on many different types of traffic SMB, DNS, LDAP etc. Every second or third flow is like this. This is happening so often that it looks like this is normal behaviour.

Re: ASA - Orphaned Traffic

asidd — Tue, 08 Sep 2020 06:25:21 GMT

Any further comments on these from any experts out there?