Hi,
we have a mailserver sitting behind a FG200B, FG is running Firmware 4 MR1 Patch 4 Build 196.
We have created a VIP and a firewall policy to lead all traffic coming into the FG at
ports 110 and 25 to our mailserver. That works without any problem. We also attached
a protection profile to that rule. That profile includes an IPS-sensor with some rules
to protect the mailserver. One of those rules is the POP3.login.failed rule.
For testing I have a test machine outside of our network.
When I try to connect to our mailserver from the test machine and use wrong credentials, I see in the
FG logs that a failed login occurred, and in the webui under user I also see the IP
address being banned. That's the wanted behavior.
Now to the strange thing. Although the IP I use is banned, I'm still able to connect to
the server. I'm also able to input credentials, and the mailserver is answering
according to my inputs. The computer I was trying to connect from also has a
POP3 service running. So I tried to connect from our mailserver to this
test machine and I was not able to get connected. When I delete the banned IP, I
can connect from the test client to the server and vice versa. So I think the ban
procedure bans the wrong way.
For testing purposes I tried another rule, the POP3.Unknown.Command rule. When
I connect from the test machine to our server and use just some "Enter"
commands, the FG correctly detects that there were unknown commands flowing
to the server and installs a blocking rule. I can see it under user->banned IPs.
And now I am not able to connect from the test machine to the mailserver any
more. That's the behavior I also want to happen from the Failed.Login rule.
Can anyone explain this to me? Or is anyone able to reconstruct that behavior?
Thanks in advance
i. hoffmann