NGFWv blocks all traffic after speedtest (ookla)

istr
Level 1

Hello,

As the subject implies, whenever I perform an Ookla speedtest (http://www.speedtest.net) on any host of my internal network, the following situations occur:

1. At first the download speed decreased gradually and thereafter all internet traffic was blocked for some minutes.

2. Later on I added a specific rule to trust the speedtest and speedtest upload applications. The situation got better but the result was the same: after the upload finishes, all internet traffic is blocked.

 

Seems as if the firewall treats the traffic as some kind of attack.

 

The configuration is quite simple:

- NGFWv latest edition on vsphere (ESXi) 6.5

- only 2 interfaces and zones used (incoming & outgoing)

- the security policy consists of only one default rule (all traffic from inside to outside is allowed). BTW I have also used "trust" instead of "allow" without effect. I have also added the other, more specific rule mentioned above without significant improvement.

 

Is there some more specific action I should take to prevent this temporary blocking?

Any help would be helpful!

 

4 Replies

Marvin Rhoads
Hall of Fame

Have you setup a network discovery policy and defined your $HOME_NET and $EXTERNAL_NET in the object definitions?

 

Have you set your ACP to log connections? If so, what does FMC show under Analysis > Connection Events?

Hello,

I forgot to mention that I am using local management (FDM) and not FMC. Unfortunately FMC usage is not possible: we are using our FMC to manage our production firewall and, due to problems with the installation (instability etc.), it is temporarily not possible to add another device, nor do we wish to do so, as the NGFWv is supposed to be managed with FDM only (lab environment & PBR).

On the other hand, in the monitoring menu I don't see any deny statements, and this is what caused me to post my question initially, because I couldn't find any clue in the logs!

 

When I try to access ordinary web sites everything is OK! However, whenever I try to perform the well-known speedtest (either from Linux or Windows hosts), the download speed increases quickly and then gradually drops. Eventually, all hosts in the network are temporarily denied access to the internet for a few minutes (I have a ping -t running which proves that).

 

You can monitor the traffic in real time from the CLI. Use the "system support firewall-engine-debug" command and specify a flow/ping you have running. Then run your speed test and see if the results change.

Hello Marvin, thank you for your reply!

Given the fact that I only have 1-2 hosts in the inside network (yet), I have the feeling that the "system support firewall-engine-debug" command output is quite close to real time. This is very useful; if there were lots of connections it would be more difficult!

 

However, as far as the output itself is concerned, I haven't been able to extract anything useful... everything seems OK. At (about) the time of the internet access blockage, the output is something like this:

 

10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got start of flow event from hardware with flags C0000001
10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got end of flow event from hardware with flags C0000001
10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got start of flow event from hardware with flags C0000001
10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got end of flow event from hardware with flags C0000001
10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got start of flow event from hardware with flags C0000001
10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got end of flow event from hardware with flags C0000001

>>>>>>>>>>>>>>>>>>> THIS IS WHERE THE PROBLEM OCCURS! <<<<<<<<<<<<<<<<<<<<<<

10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got start of flow event from hardware with flags C0000001
10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got end of flow event from hardware with flags C0000001
10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got start of flow event from hardware with flags C0000001
10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got end of flow event from hardware with flags C0000001
10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got start of flow event from hardware with flags C0000001
10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got end of flow event from hardware with flags C0000001

 

On the other hand, I tried other tests also and exactly the same occurs, but not in every case: I have the feeling this happens due to my high-throughput broadband connection (1Gbps download / 1Gbps upload), because when I perform speedtests on other related sites that cannot sustain such high throughput, there is no problem, i.e. no blocking appears!
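When a firewall-engine-debug capture runs for more than a handful of seconds it stops being readable by eye, which is the problem the post above runs into. The script below is an added example, not code from this thread or from Cisco: it parses lines in the format quoted above, counts start and end flow events per 5-tuple and reports any flow whose counts do not balance at the end of the capture (a flow that started but never ended, for instance). The column reading (source-port, destination-port, protocol number, AS id, instance id, then the message; "1" being ICMP for the ping flow, "6" TCP) is an assumption made here, as are the function names; the sample lines are constructed, the first six mirroring the thread's output and the last two invented to show an unbalanced flow and an ignored message.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed field layout of one "system support firewall-engine-debug" line (an
# assumption made for this example; the thread shows the lines but does not
# document the columns):
#   <src-ip>-<src-port> > <dst-ip>-<dst-port> <proto> AS <as-id> I <instance> <message>
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)-(?P<sport>\d+) > (?P<dst>[\d.]+)-(?P<dport>\d+) "
    r"(?P<proto>\d+) AS (?P<asid>\d+) I (?P<inst>\d+) (?P<msg>.*)$"
)
EVENT_RE = re.compile(
    r"Got (?P<kind>start|end) of flow event from hardware with flags (?P<flags>[0-9A-Fa-f]+)"
)

# (src-ip, src-port, dst-ip, dst-port, protocol number)
FlowKey = Tuple[str, int, str, int, int]


def parse_line(line: str) -> Optional[Tuple[FlowKey, str, int]]:
    """Return (flow key, 'start' | 'end', flags) for a flow-event line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = EVENT_RE.match(m.group("msg"))
    if ev is None:
        return None  # some other debug message about this flow; ignored here
    key: FlowKey = (
        m.group("src"), int(m.group("sport")),
        m.group("dst"), int(m.group("dport")),
        int(m.group("proto")),
    )
    return key, ev.group("kind"), int(ev.group("flags"), 16)


def summarize(lines: Iterable[str]) -> Dict[FlowKey, Dict[str, int]]:
    """Count start and end events per flow across a captured debug session."""
    counts: Dict[FlowKey, Dict[str, int]] = defaultdict(lambda: {"start": 0, "end": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, kind, _flags = parsed
        counts[key][kind] += 1
    return dict(counts)


def unbalanced_flows(lines: Iterable[str]) -> List[FlowKey]:
    """Flows whose start and end counts differ: still open (or closed twice) when the capture ended."""
    return sorted(key for key, c in summarize(lines).items() if c["start"] != c["end"])


# Constructed sample: the first six lines mirror the ping flow quoted in the
# thread; the last two (a TCP flow to 203.0.113.10 with no matching end event,
# and an unrelated message) are made up for this example.
SAMPLE_LINES = [
    "10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got start of flow event from hardware with flags C0000001",
    "10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got end of flow event from hardware with flags C0000001",
    "10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got start of flow event from hardware with flags C0000001",
    "10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got end of flow event from hardware with flags C0000001",
    "10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got start of flow event from hardware with flags C0000001",
    "10.65.15.11-8 > 1.1.1.1-0 1 AS 1 I 3 Got end of flow event from hardware with flags C0000001",
    "10.65.15.11-51234 > 203.0.113.10-8080 6 AS 1 I 3 Got start of flow event from hardware with flags C0000001",
    "10.65.15.11-51234 > 203.0.113.10-8080 6 AS 1 I 3 Some other debug message",
]

if __name__ == "__main__":
    for key, c in summarize(SAMPLE_LINES).items():
        print(key, c)
    print("unbalanced:", unbalanced_flows(SAMPLE_LINES))
```

Feed it the saved output of a debug session (one line per list entry, or read from a file) and compare the per-flow counts before and after the speedtest; the debug lines carry no timestamps, so balancing start against end events per flow is the check that can be made from this output alone.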

 
