Hello all,
I am trying to cut down on useless chatter in the log, specifically from Checkpoint Firewalls that sit in front of TMG Arrays.
Log entry as follows (occurs on both internal and external interfaces):
Denied Connection | xxxxxxxxx 25/07/2013 15:42:06
---|---
Log type: | Firewall service
Status: | A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: | None - see Result Code
Source: | 0.0.0.0:8116
Destination: | Internal (x.x.x.x:8116)
Protocol: | [Enterprise] xxx Checkpoint Clustering [UDP8116]
This traffic is expected as it is normal between Checkpoint firewalls. I can't figure out the right combination of settings, though, to keep this out of the log. The problem seems to be with the source IP being 0.0.0.0 - I can't add that to any network nor define it as a computer object. I tried making an access rule matching the protocol, but it seems this is picked up as spoofing, so it does not get that far in rule processing.
Any ideas?
Thanks in advance,