Logging traffic denied due to no protocol definition






KevinSawyer -> Logging traffic denied due to no protocol definition (26.May2004 6:53:00 AM)

Given the following:
1) an ISA Server 2000 SP2 FP1 in integrated mode with private LAN interface address 192.168.1.1/24 and an Internet connection (public IP address) on another interface with everything working as expected,
2) Secure NAT client exists with address 192.168.1.2/24,
3) a Client Address Set exists which contains the address of this Secure NAT client,
4) Access Policies include both a Site and Content Rule which allows this Client Address Set to access All Destinations as well as a Protocol Rule which allows this Client Address Set to access All IP Traffic, and
5) IP Routing is enabled.

If/when the Secure NAT client attempts to make outbound connections that do not match a Protocol Definition and therefore the connection request is not permitted, where is this activity logged? If it is not logged or can't be logged using facilities within ISA Server, why not? This would seem to be a very standard "feature" much like logging traffic denied by packet filter rules. It would be nice (at the very least) to see any/all outbound connection attempts by Secure NAT clients...not just those that are permitted because they match a Protocol Definition.

Whose idea was it to force Secure NAT clients to match a Protocol Definition? "All IP Traffic" when applied to a Protocol Rule for the Client Address Set containing the Secure NAT clients should mean exactly that. It should not mean "All IP Traffic as long as it matches a Protocol Rule."

Comments, please! Thank you...

--Kevin




spouseele -> RE: Logging traffic denied due to no protocol definition (26.May2004 8:41:00 PM)

Hi Kevin,

for the logging, check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=14;t=000067 .

If you use 'all IP traffic' in a protocol rule (we often called it an open protocol rule), the SecureNAT and Firewall clients will behave differently. For a SecureNAT client 'all IP traffic' means all defined protocol definitions. However, for a Firewall client 'all IP traffic' means all TCP/UDP based protocols, whether they are defined or not. This is by design. [Big Grin]

HTH,
Stefaan
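The client-type difference Stefaan describes is easy to get wrong when reading a rule set, so here is a small model of it as an added example (not ISA Server code and not from the linked script). The protocol definition table and the connection attempts are constructed sample data; the log line format is an invention of this example; and the assumption that a Firewall client does not get non-TCP/UDP traffic through an open protocol rule follows from "all TCP/UDP based protocols" in the post. The model also emits the denial records Kevin asks for, so the gap can be seen rather than only described.

```python
"""Model of an 'All IP Traffic' (open) protocol rule for SecureNAT vs Firewall clients.

Added illustration; not ISA Server 2000 code. Data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of the Protocol Definitions configured on the server:
# (IP protocol, destination port) -> definition name.
PROTOCOL_DEFINITIONS = {
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS",
    ("udp", 53): "DNS Query",
    ("tcp", 25): "SMTP",
}


@dataclass(frozen=True)
class Attempt:
    client_ip: str
    client_type: str          # "securenat" or "firewall"
    proto: str                # "tcp", "udp", "icmp", ...
    dst_ip: str
    dst_port: Optional[int]   # None for protocols without ports


def matching_definition(attempt: Attempt) -> Optional[str]:
    """Name of the Protocol Definition this attempt matches, if any."""
    return PROTOCOL_DEFINITIONS.get((attempt.proto, attempt.dst_port))


def evaluate_open_protocol_rule(attempt: Attempt) -> Tuple[bool, str]:
    """Decide an attempt under an open protocol rule; returns (allowed, reason).

    SecureNAT client: 'all IP traffic' = every *defined* protocol, so an
    attempt with no matching definition is denied.
    Firewall client:  'all IP traffic' = any TCP/UDP, defined or not.
    Anything else for a Firewall client is treated as not covered (assumption).
    """
    definition = matching_definition(attempt)
    if attempt.client_type == "securenat":
        if definition is None:
            return False, "no matching protocol definition"
        return True, definition
    if attempt.client_type == "firewall":
        if attempt.proto in ("tcp", "udp"):
            return True, definition or "undefined TCP/UDP protocol"
        return False, "non-TCP/UDP not covered for firewall client (assumption)"
    raise ValueError(f"unknown client type: {attempt.client_type}")


def process(attempts: List[Attempt]) -> Tuple[List[Attempt], List[str]]:
    """Apply the rule to each attempt; return allowed attempts and denial log lines.

    The log line layout is this example's own, chosen so denied SecureNAT
    attempts (which the product itself does not log) become visible.
    """
    allowed: List[Attempt] = []
    denied_log: List[str] = []
    for a in attempts:
        ok, reason = evaluate_open_protocol_rule(a)
        if ok:
            allowed.append(a)
        else:
            port = "-" if a.dst_port is None else str(a.dst_port)
            denied_log.append(
                f"DENY client={a.client_ip} type={a.client_type} "
                f"proto={a.proto} dst={a.dst_ip}:{port} reason={reason!r}"
            )
    return allowed, denied_log


# Constructed sample traffic from the two client types in the thread.
SAMPLE_ATTEMPTS = [
    Attempt("192.168.1.2", "securenat", "tcp", "203.0.113.10", 80),    # HTTP, defined
    Attempt("192.168.1.2", "securenat", "tcp", "203.0.113.10", 8080),  # undefined port
    Attempt("192.168.1.2", "securenat", "icmp", "203.0.113.10", None), # no definition
    Attempt("192.168.1.3", "firewall", "tcp", "203.0.113.10", 8080),   # undefined, still ok
    Attempt("192.168.1.3", "firewall", "udp", "203.0.113.10", 53),     # DNS, defined
]

if __name__ == "__main__":
    ok, log = process(SAMPLE_ATTEMPTS)
    print(f"allowed: {len(ok)}")
    for line in log:
        print(line)
```

Running it shows the same destination port (8080) denied for the SecureNAT client and allowed for the Firewall client, which is exactly the asymmetry the post describes; the denial lines are the records the product does not produce on its own.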




KevinSawyer -> RE: Logging traffic denied due to no protocol definition (26.May2004 9:25:00 PM)

I realize that the behavior was by design...I just can't imagine WHY anyone would want that design ("All IP Traffic" should always mean "All IP Traffic"...not just on weekends and holidays and all throughout May...you know what I mean). The lack of logging for SNAT traffic that is denied is also quite disappointing. What we have here is one rather lame "design idea" that was included coupled with one rather customary/reasonable "design idea" that was omitted. I'll give the script a try. Thanks for the feedback.

--Kevin




spouseele -> RE: Logging traffic denied due to no protocol definition (26.May2004 9:36:00 PM)

Hi Kevin,

I know very well that ISA Server 2000 has some very annoying limitations. However, the product can only become better and better. [Big Grin]
Take a look at the evolution: Proxy -> Proxy2 -> ISA 2000 -> ISA 2004 -> ??? [Cool]

Thanks,
Stefaan



