Why isn't firewall blocking sites

JAX

I have a firewall on version 6.5.4.5-53n with the external port assigned a public address and a subnet mask of 255.255.255.240. While the external port has a static IP, many of the IP addresses in the range are NATTED to internal IP addresses. I created an object group called "Denied Sites" with a number of different IP address ranges (mostly class C) included in the group, then set up a rule (priority #1) with the criteria below:

Interface: X1 and zone WAN

___________________________

Rule Priority 1

From Zone: WAN

To Zone: Any

Source: Denied Sites

Source Port: Any

Destination: Any

Service: Any

Action: Deny

This rule occasionally blocks one of the addresses in the object group, however most traffic with the same source and destination IP addresses and the same other criteria are not blocked. The firewall logs show that traffic from many of the IP addresses in the "Denied Sites" group make a connection and the connection closes. The firewall action states "NA". When the rule does block, the firewall action states: "Dropped".

Can someone explain either what I have set up incorrectly or why the firewall is not blocking every packet when the source IP address is in the Denied Sites group? CPU utilization is less than 40% and bandwidth utilization on the external port is low.

TKWITS

You can try creating individual rules for each subnet you wish to block. But it has been previously discussed on the forum that the reporting of connection drops isn't consistent. Unless the firewall action is "Allow" than it is implied the connection doesn't complete.

SimonT

I personally never user the "any" Zone - Maybe the issue is there.

You could try to set the destination Zone for example to LAN (or where your natted desintations are)