Why isn't firewall blocking sites
I have a firewall on version 220.127.116.11-53n with the external port assigned a public address and a subnet mask of 255.255.255.240. While the external port has a static IP, many of the IP addresses in the range are NATTED to internal IP addresses. I created an object group called "Denied Sites" with a number of different IP address ranges (mostly class C) included in the group, then set up a rule (priority #1) with the criteria below:
Interface: X1 and zone WAN
Rule Priority 1
From Zone: WAN
To Zone: Any
Source: Denied Sites
Source Port: Any
This rule occasionally blocks one of the addresses in the object group, however most traffic with the same source and destination IP addresses and the same other criteria are not blocked. The firewall logs show that traffic from many of the IP addresses in the "Denied Sites" group make a connection and the connection closes. The firewall action states "NA". When the rule does block, the firewall action states: "Dropped".
Can someone explain either what I have set up incorrectly or why the firewall is not blocking every packet when the source IP address is in the Denied Sites group? CPU utilization is less than 40% and bandwidth utilization on the external port is low.
You can try creating individual rules for each subnet you wish to block. But it has been previously discussed on the forum that the reporting of connection drops isn't consistent. Unless the firewall action is "Allow" than it is implied the connection doesn't complete.
I personally never user the "any" Zone - Maybe the issue is there.
You could try to set the destination Zone for example to LAN (or where your natted desintations are)