
What is the priority of firewall policy, IPS and customized IPS?

Created: 06 Dec 2012 • Updated: 06 Dec 2012 | 5 comments
This issue has been solved.

I am testing a customized IPS to drop some traffic.

There is a piece of software that uses UDP to send login info to a server, and if UDP is blocked, it uses TCP to send the login info.

I can block the UDP port it uses because it is not a common port, but the TCP ports it uses are 80/443, which cannot be blocked.

And it is not a good solution to block the server's DNS name or IP, because the server list always changes.

So I think I can use a customized IPS to drop the login info packet.

And I do succeed in dropping the TCP packet but fail to drop the UDP packet.

My test:

If I use the default firewall policy and apply the customized IPS, the software can log in.

If I use the default firewall policy but just add a BLOCK ALL UDP rule ahead of the Allow ALL APPS rule, and apply the customized IPS, then the software fails to log in, and I can see in the IPS logs that it dropped the TCP login info packet.

So I am confused: what is the priority of firewall policy, IPS and customized IPS?

If the firewall policy is higher, the customized IPS will do nothing.

If the customized IPS is higher, I should be able to see in the IPS logs that it dropped the UDP and TCP packets.

My customized IPS rules are:

------------------------------

rule udp, dest=(xxxx),msg="DROP XXX UDP LOGIN",content="\x01\x01\x01"

rule tcp, dest=(80,443),msg="DROP XXX TCP LOGIN",regexpcontent="\x01\x01\x01" (58,3)

------------------------------

So can someone give me an answer?

Thanks in advance.


5 Comments

.Brian:

Check this KB article:

About the firewall rule, firewall setting, and intrusion prevention processing order

https://www.symantec.com/business/support/index?pa...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

[Marked as solution]

Leo Young:

Thanks.

OK. Now I know that custom IPS is the first priority.

So is there anything wrong with my custom IPS setting? Why can it not drop my UDP packet as I want?

.Brian:

What version are you running?


Leo Young:

After I removed "content" from my UDP custom IPS, it works.

So I think I did not get the right data segment of the UDP packet to drop.
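The thread ends with the conclusion that the UDP signature failed because its "content" did not match the bytes actually carried in the UDP datagram, while the TCP signature's pattern at offset 58 did. The script below is an added example, not code from the thread or from Symantec: it builds a few constructed IPv4/UDP and IPv4/TCP packets (port 5555 stands in for the redacted "xxxx", the addresses and login payloads are hypothetical), extracts the transport payload the way an admin would from a capture, hex-dumps it so the real login bytes can be read off, and checks a content pattern both "anywhere in the payload" and inside an (offset, depth) window. The window emulation assumes that offset counts from the start of the transport payload and depth is the number of bytes searched from that offset; confirm that reading against the SEP custom-signature documentation before relying on it.

```python
"""
Check custom IPS content patterns against raw IPv4/UDP and IPv4/TCP packets.

Added example, not Symantec's code. The packets are constructed for the
example; ports, addresses and login payloads are hypothetical. The
(offset, depth) window is emulated under the ASSUMPTION that offset counts
from the start of the transport payload and depth is the number of bytes
searched from that offset.
"""
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_ipv4(proto, l4, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal IPv4 header (IHL=5, checksum left at 0) in front of a transport segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    return hdr + l4


def build_udp(sport, dport, payload):
    """8-byte UDP header (checksum left at 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_tcp(sport, dport, payload):
    """20-byte TCP header, data offset 5, PSH|ACK, checksum left at 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def transport_payload(frame):
    """Return (proto_name, sport, dport, payload) for a raw IPv4 packet (no link-layer header)."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    proto = frame[9]
    l4 = frame[ihl:total_len]
    if proto == IPPROTO_UDP:
        sport, dport, length, _csum = struct.unpack("!HHHH", l4[:8])
        return "udp", sport, dport, l4[8:length]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4
        return "tcp", sport, dport, l4[data_off:]
    raise ValueError(f"unsupported IP protocol {proto}")


def content_offsets(payload, pattern):
    """Every offset at which `pattern` occurs in `payload` (a plain content match looks anywhere)."""
    hits, i = [], payload.find(pattern)
    while i != -1:
        hits.append(i)
        i = payload.find(pattern, i + 1)
    return hits


def window_match(payload, pattern, offset, depth):
    """ASSUMED semantics of '(offset, depth)': pattern must fit inside payload[offset:offset+depth]."""
    return pattern in payload[offset:offset + depth]


def hexdump(data, width=16):
    """Lines of 'offset  hex  ascii' so the real login bytes can be read off a capture."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {hexpart:<{width * 3}} {text}")
    return lines


def evaluate(frame, pattern, window=None):
    """Summarise whether a content pattern (and an optional (offset, depth) window) hits a packet."""
    proto, sport, dport, payload = transport_payload(frame)
    result = {"proto": proto, "dport": dport, "content_hits": content_offsets(payload, pattern)}
    if window is not None:
        result["window_hit"] = window_match(payload, pattern, *window)
    return result


# Constructed sample traffic (hypothetical login client; port 5555 stands in for the thread's xxxx).
LOGIN_MARKER = b"\x01\x01\x01"
# UDP login whose payload really carries the marker, at offset 2.
UDP_LOGIN_WITH_MARKER = build_ipv4(IPPROTO_UDP, build_udp(40000, 5555, b"\x02\x00" + LOGIN_MARKER + b"user\x00"))
# UDP login whose payload looks similar but does NOT carry the marker (the "wrong data segment" case).
UDP_LOGIN_NO_MARKER = build_ipv4(IPPROTO_UDP, build_udp(40000, 5555, b"\x02\x00\x01\x00\x01user\x00"))
# TCP login over 443 with the marker at payload offset 58, matching the thread's (58,3) window.
_TCP_PREFIX = b"POST /login HTTP/1.1\r\nHost: example.invalid\r\n\r\n".ljust(58, b"\x00")
assert len(_TCP_PREFIX) == 58
TCP_LOGIN = build_ipv4(IPPROTO_TCP, build_tcp(40001, 443, _TCP_PREFIX + LOGIN_MARKER + b"user\x00"))

if __name__ == "__main__":
    samples = [("udp-with-marker", UDP_LOGIN_WITH_MARKER),
               ("udp-no-marker", UDP_LOGIN_NO_MARKER),
               ("tcp", TCP_LOGIN)]
    for name, frame in samples:
        print(name, evaluate(frame, LOGIN_MARKER, window=(58, 3)))
        print("\n".join(hexdump(transport_payload(frame)[3])))
```

Run against a real capture, feed `transport_payload` the raw IPv4 bytes of the client's UDP login datagram and read the marker bytes off the `hexdump` output rather than assuming they match the TCP variant; the two sample UDP datagrams show how a payload that looks like the login can still contain no `\x01\x01\x01` at all, and how a pattern that is present at offset 2 would be missed by a window tuned for offset 58.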