LevelBlue Named Official Cybersecurity Advisor of the PGA of America. Learn more

LevelBlue Named Official Cybersecurity Advisor of the PGA of America. Learn more

Services
Cyber Advisory
Managed Cloud Security
Data Security
Managed Detection & Response
Email Security
Managed Network Infrastructure Security
Exposure Management
Security Operations Platforms
Incident Readiness & Response
SpiderLabs Threat Intelligence
View All Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Operational Technology
End-to-end OT security
Microsoft
Unlock the full power of Microsoft Security
Securing the IoT Landscape
Test, monitor and secure network objects
Why LevelBlue
About Us
We reduce cyber risk and build resilience
Awards and Accolades
The most recognized cybersecurity leader
LevelBlue SpiderLabs
Elite global threat experts and intelligence
PGA of America Partnership
Cybersecurity at the championship level
Secure What's Next
Future-proof your organization
LevelBlue Security Operations Platforms
Unprecedented security visibility and control
Security Colony
Cybersecurity threat protection resources
Partners
Microsoft
Unlock the full power of Microsoft Security
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP
Loading...
Loading...

LevelBlue Knowledge Base

Home » Knowledgebase » Legacy Products » Web Filter (R3000) » INFO: Installed new firewall, and now users aren't getting the...

INFO: Installed new firewall, and now users aren't getting the block page

Expand / Collapse
Show/Hide Article Tools


This article applies to:

  • R3000

Question:

Installed new firewall, and now users aren't getting the block page

Reply

Question:  After installing a new firewall, users are still getting filtered--they're not able to access blocked sites--however, they're NOT getting the block page?  Why?

The most likely scenario is that your new firewall has IP anti-spoofing enabled, and is dropping spoofed packets from the R3000(s).

When a user goes to a blocked site, the R3000 sends back an HTTP 302 redirect (redirecting the workstation to the block page), while SPOOFING the IP address of the blocked site.  This is meant to trick the workstation into believing that the redirect came from the blocked site.

The workstation then requests the block page from the R3000 (or if you're using a custom block page, from your web server).

If your firewall has IP anti-spoofing enabled, it is likely dropping these HTTP 302 redirect packets from the R3000.  (The packets are sent from the R3000's admin/block page interface, not the listening interface).

Try disabling IP anti-spoofing on your firewall and then see if you can get the block page.  Most firewalls will allow you to keep IP anti-spoofing turned on, but ALLOW spoofing from specific servers (e.g. the R3000).



This article was previously published as:
8e6 KB 300313

To contact LevelBlue about this article or to request support:

Rate this Article:
     
Tags:

Add Your Comments


Comment submission is disabled for anonymous users.
Please send feedback to Trustwave Technical Support or the Webmaster.


Execution: 0.031. 8 queries. Compression Disabled.
Powered by InstantKB.NET