Dropped by filter: Shielded Main Rule, Shielded Main Rule.
Hi,
I enabled a firewall for a client computer from WithSecure Elements, and now I cannot ping that machine.
The log says: 22-06-27 14:36:54.633 [2f60.2154] I: Type: FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. Dropped by filter: Shielded Main Rule, Shielded Main Rule. Dropped by layer: ALE-vastaanoton/-hyväksymisen v4-kerros. Direction: outbound. Local port: 8. IPv4 local address: 10.11.23.1. IPv4 remote address: 10.11.22.36. Protocol: ICMP(1). Application: System. User SID: S-1-5-18.
The default rules are in place, which allow all outgoing traffic. What is this Shielded Main Rule, and how do I get around it?
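As an added example that is not part of this thread or of any WithSecure tool, here is a small Python parser for the WFP drop line quoted above, so that a batch of such events can be triaged (direction, protocol, ICMP type, responsible filter) without reading each line by hand. The sample line is the one from the question; the reading of the local-port field as the ICMP type for protocol 1 follows the WFP net-event header convention.

```python
import re
from typing import Optional

# Constructed sample: the WFP drop event quoted in the question above.
SAMPLE = ("22-06-27 14:36:54.633 [2f60.2154] I: Type: FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. "
          "Dropped by filter: Shielded Main Rule, Shielded Main Rule. "
          "Dropped by layer: ALE-vastaanoton/-hyväksymisen v4-kerros. Direction: outbound. "
          "Local port: 8. IPv4 local address: 10.11.23.1. IPv4 remote address: 10.11.22.36. "
          "Protocol: ICMP(1). Application: System. User SID: S-1-5-18.")

# "<date> <time> [<pid.tid>] <level>: <body>"
HEADER = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<tid>[^\]]+)\] (?P<level>\w): (?P<body>.*)$")
# "Key: value." pairs; a value ends at a period followed by " <Capital>" or end of line,
# so dotted IPv4 addresses and "ICMP(1)" are not split in the middle.
FIELD = re.compile(r"(?P<key>[A-Za-z0-9 ]+?): (?P<value>.*?)\.(?= [A-Z]|$)")
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request", 11: "time-exceeded"}


def parse_drop_event(line: str) -> Optional[dict]:
    """Return a dict of fields for a CLASSIFY_DROP line, or None for anything else."""
    m = HEADER.match(line)
    if not m:
        return None
    event = {"timestamp": m["ts"], "thread": m["tid"]}
    for f in FIELD.finditer(m["body"]):
        event[f["key"].strip().lower()] = f["value"].strip()
    if event.get("type") != "FWPM_NET_EVENT_TYPE_CLASSIFY_DROP":
        return None
    proto = re.search(r"\((\d+)\)", event.get("protocol", ""))
    event["protocol_number"] = proto.group(1) if proto else ""
    if event["protocol_number"] == "1":
        # For ICMP, WFP reports the ICMP type in the local-port field (code in the remote port).
        icmp_type = int(event.get("local port", "0"))
        event["icmp_type_name"] = ICMP_TYPES.get(icmp_type, f"type-{icmp_type}")
    # The filter field repeats the same name; keep the distinct names only.
    event["filters"] = sorted({s.strip() for s in event.get("dropped by filter", "").split(",") if s.strip()})
    return event


def summarize(event: dict) -> str:
    """One-line triage summary of a parsed drop event."""
    what = event.get("icmp_type_name") or event.get("protocol", "")
    return (f"{event['direction']} {what} {event['ipv4 local address']} -> {event['ipv4 remote address']} "
            f"by {event['application']} ({event['user sid']}) dropped by {', '.join(event['filters'])}")


if __name__ == "__main__":
    print(summarize(parse_drop_event(SAMPLE)))
```

Running the script on the sample prints the outbound echo-request from System being dropped by "Shielded Main Rule", which is the question's symptom in one line.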
Best Answer
Hi @hyvokar2
Thank you for sharing this additional information. It appears we need to analyze the logs in order to perform additional checks. Nevertheless, I see that you've already reported the problem in support ticket 046XXX42. My colleague who works on support will analyze the logs and offer assistance.
Answers
The WSEEP admin guide does not have a word about "Shielded Rules" or "Main Rules".
Hi @hyvokar2
The "Shielded Rule/Mode" is more related to Windows Firewall components. However, the error FWPM_NET_EVENT_TYPE_CLASSIFY_DROP issued by Windows Firewall with Advanced Security is related to stealth mode. Stealth mode silently drops outgoing ICMP unreachable and TCP reset messages to prevent port scanning. This functionality responds when there is no process listening on the port that is targeted by the incoming request/traffic.
For more information about this functionality, please refer to this Microsoft TechNet article.
Hi Sethu, thank you for your reply.
I'll take a look into this.
Just a note, the article you linked says:
"Important
Network packets dropped by the stealth mode feature are not logged."
In my case, these packets are logged.
Not sure if this had something to do with stealth mode, but I disabled "Block all inbound connections" from the test profile. I guess this will block even connections that are specified below as allowed.
Anyways, the ping thing was resolved after removing 0.0.0.0/0 from the inbound connection for ICMP traffic. Not sure if this is expected behavior.