
Dropped packet rule traffic not shown on Firewall rules in/out calculation.

I am new to the Sophos XG Firewall; so, I apologize if I'm asking dumb questions. I created my last rule as a catch-all drop rule to cover the traffic that I had not accounted for in my rule set.

Questions:

  1. In the log, I see a column called "Firewall Rule". Does this rule represent the "Firewall ID" value in the Firewall rules list?
  2. I thought it did but when I filter the logs to only show the catch-all rule Firewall ID number I see some packets that are "Allowed" and some that are "Denied". How can that be possible if they are both listed as my catch-all drop rule?
  3. Should dropped traffic (in/out) be shown on the Firewall Rules screen? I see all my allowed rules traffic counting up as devices make connections but the drop rules traffic is stagnant even while I watch the log record items that list Firewall ID of the catch-all rule. I have "Log Firewall Traffic" selected in all my rules.

Thanks,

-Greg



  • Hi Greg,

    You do not need a catch-all block rule at the bottom of your rule list; the XG blocks all packets that do not match a rule by default.

    Ian

  • Perfect, thanks for the response Ian. I also found this article last night but I wasn't sure if the verbiage applied to the XG Firewall software:

    "When traffic is detected, firewall rules are checked in order, by position, until the first matching rule is found. If no matching rule is found, the packet is dropped and logged by the default drop rule. For this reason, the order of rules is important. Generally, more specific rules should come before more broad rules. For example, if you wished to allow traffic over a certain port from one host, but block that port for all other hosts, the allow rule for a single host should be listed before the blocking rule for all other hosts."
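
The first-match behaviour described in the quoted article, as an added example that is not part of the thread and not Sophos code: the `Rule` fields, rule ids and addresses are hypothetical, and id 0 stands in for the implicit default drop. It evaluates the article's "allow one host, block the port for everyone else" case in both orders and flags rules that an earlier, broader rule makes unreachable.

```python
# Added illustration: first-match rule evaluation with an implicit default drop.
# Rule fields and ids are hypothetical, not the Sophos XG data model.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    rule_id: int
    src: str      # CIDR the source address must fall in
    port: int     # destination port, 0 = any
    action: str   # "allow" or "drop"

    def matches(self, src_ip, port):
        return (ip_address(src_ip) in ip_network(self.src)
                and self.port in (0, port))

DEFAULT_DROP = Rule(0, "0.0.0.0/0", 0, "drop")  # applied when nothing matches

def evaluate(rules, src_ip, port):
    """Return (action, rule_id) of the first matching rule, in list order."""
    for rule in rules:
        if rule.matches(src_ip, port):
            return rule.action, rule.rule_id
    return DEFAULT_DROP.action, DEFAULT_DROP.rule_id

def shadowed(rules):
    """Return ids of rules that can never match because an earlier rule covers them."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_src = ip_network(later.src).subnet_of(ip_network(earlier.src))
            covers_port = earlier.port in (0, later.port)
            if covers_src and covers_port:
                hidden.append(later.rule_id)
                break
    return hidden

# Constructed sample rule sets: the same two rules in different order.
ALLOW_HOST = Rule(1, "192.0.2.10/32", 22, "allow")
BLOCK_ALL = Rule(2, "0.0.0.0/0", 22, "drop")
GOOD_ORDER = [ALLOW_HOST, BLOCK_ALL]
BAD_ORDER = [BLOCK_ALL, ALLOW_HOST]

if __name__ == "__main__":
    for name, rules in (("specific first", GOOD_ORDER), ("broad first", BAD_ORDER)):
        print(name, evaluate(rules, "192.0.2.10", 22), "shadowed:", shadowed(rules))
```

With the broad rule first, the host-specific allow is reported as shadowed and the host's traffic is dropped by rule 2; traffic that matches neither rule falls through to id 0.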