I have a firewall issue that I haven't been able to figure out. I've been going back and forth with support via email on it, but I don't think they are understanding my question. Perhaps the community has some insight.
The question is, why are packets failing to match a connection state=established rule for an active flow?
In the below screenshot, I have highlighted rules 73, 74, and 79. Rule 79 (logging with prefix !!!) matches on source port 80 and 443, so this would typically match the return traffic of an active session. I expect no packets to match rule 79. I expect all return traffic with source port 80 and 443 to match rule 73 (and 74 if traffic is "related"). As you can see in the log, however, a lot of traffic is matching rule 79. Curiously, almost all packets have a length of 52. This indicates to me that the packets are probably ACKs with no payload. This may be a curiosity, or it may be indicative that ACKs with no payload do not match the established=yes rule at 73.
The below screenshot shows that there is an established session where a packet did not match rule 73 and was logged.
Please share your thoughts and ideas on this behavior.
Thanks
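The post reports the length-52 observation from reading a log screenshot by eye. The following is an added example (not the poster's code, not part of the original thread) that does the same check over exported log text: it tallies packet length per source port under a given log prefix, flags entries that look like payload-less ACKs, and lists the flows those entries belong to. The sample lines are constructed here to approximate the RouterOS firewall log format (prefix, chain, "proto TCP (FLAGS)", src:port->dst:port, "len N"); the exact field layout, the assumption that "len" is the IP total length, and the 40/52-byte header sizes (20 IPv4 + 20 TCP, plus 12 bytes for a padded timestamp option) are assumptions, not something the post states.

```python
import re
from collections import Counter, defaultdict
from fractions import Fraction

# Constructed sample lines approximating RouterOS firewall log output.
# "!!!" is the prefix the post says rule 79 logs with. Not real log data.
SAMPLE_LOG = """\
!!! forward: in:ether1 out:bridge, proto TCP (ACK), 203.0.113.10:443->192.168.88.20:51514, len 52
!!! forward: in:ether1 out:bridge, proto TCP (ACK), 203.0.113.10:443->192.168.88.20:51514, len 52
!!! forward: in:ether1 out:bridge, proto TCP (ACK,PSH), 203.0.113.10:80->192.168.88.21:40122, len 1492
!!! forward: in:ether1 out:bridge, proto TCP (ACK), 203.0.113.11:80->192.168.88.21:40122, len 52
!!! forward: in:ether1 out:bridge, proto TCP (ACK,FIN), 203.0.113.10:443->192.168.88.20:51514, len 52
"""

# Assumed line layout: "<prefix> <chain>: ..., proto TCP (<flags>), <src>:<sport>-><dst>:<dport>, len <n>"
LINE_RE = re.compile(
    r"^(?P<prefix>\S+) (?P<chain>\w+): .*?proto TCP \((?P<flags>[^)]*)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)


def parse(log_text):
    """Yield one dict per parsable TCP log line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["flags"] = frozenset(f.strip() for f in entry["flags"].split(",") if f.strip())
        for key in ("sport", "dport", "len"):
            entry[key] = int(entry[key])
        yield entry


def is_pure_ack(entry):
    """Heuristic for a payload-less ACK: only the ACK flag set and a bare-header length.
    40 = 20 (IPv4) + 20 (TCP) with no options; 52 adds a 12-byte padded timestamp option.
    Assumes 'len' is the IP total length (an assumption about the log format)."""
    return entry["flags"] == frozenset({"ACK"}) and entry["len"] in (40, 52)


def length_histogram(log_text, prefix):
    """Count (source port, packet length) pairs among lines logged under `prefix`."""
    counts = Counter()
    for e in parse(log_text):
        if e["prefix"] == prefix:
            counts[(e["sport"], e["len"])] += 1
    return counts


def pure_ack_share(log_text, prefix):
    """Fraction of lines under `prefix` that look like payload-less ACKs (exact Fraction)."""
    entries = [e for e in parse(log_text) if e["prefix"] == prefix]
    if not entries:
        return Fraction(0)
    return Fraction(sum(is_pure_ack(e) for e in entries), len(entries))


def flows(log_text, prefix):
    """Group logged packets by 4-tuple so each flow's flag/length sequence can be inspected,
    e.g. to see whether a flow that hit the log rule also carried payload earlier."""
    by_flow = defaultdict(list)
    for e in parse(log_text):
        if e["prefix"] == prefix:
            key = (e["src"], e["sport"], e["dst"], e["dport"])
            by_flow[key].append((",".join(sorted(e["flags"])), e["len"]))
    return dict(by_flow)


if __name__ == "__main__":
    for (sport, length), n in sorted(length_histogram(SAMPLE_LOG, "!!!").items()):
        print(f"sport={sport} len={length}: {n}")
    print("pure-ACK share:", pure_ack_share(SAMPLE_LOG, "!!!"))
    for key, seq in flows(SAMPLE_LOG, "!!!").items():
        print(key, seq)
```

Feed it the text of a log export instead of SAMPLE_LOG; if the pure-ACK share is high and the flows also show payload-carrying packets that were not logged, that narrows the question to why only the bare ACKs fall through to the logging rule rather than all return traffic.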