Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 10 replies
  • Subscribers 28 subscribers
  • Views 8164 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG reporting problems yet again ... Firewall accepting forbidden traffic.

Big_Buck

Hello Everyone.  I posted few month ago that a "clean up rule" so common on competitive firewalls cannot be on Sophos XG, without causing reporting issues. 

Here: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/98440/clean-up-rule-from-any-to-any-drop-that-s-allowed-on-the-internet-anyway-wtf 

We are told the firewall behaves properly no matter what, but users have no easy or practical means of knowing.  Well here's another one.  The following is a rule we have in our firewall. Rule no 6 that allows SMTP and SMTPS traffic into our Anti-Spam.

"SMTP,  WAN towards our Anti-Spam" server, from WAN to LAN, allow "SMTP (port 25) and SMTP(s) (Port 587)".  Simple, right ?  "ext-ip xxx.xxx.xxx.xxx" is the Internet (i.e. valid and NATed) address. int_ip is the internal address for the same Anti-Spam server.  



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to rfcat_vk

    This post is clearly just about that. Un-allowed udp 123, 80, 443 and all traffic.  That said, you have an idea how this could happen ???  How can I rely on XG now ???  This is cybernical swiss cheese !!!

  • 0 in reply to Big_Buck

    I agree and that is why I would like to see the whole rule so that wiser eyes than mine might review it.

    Ian

  • 0 in reply to rfcat_vk

    Hi,

    tried to reproduce it, but no luck here on 3 appliances.

     

    Appliance is blocking everything except 25 and 587 from Client to WAN.

    2018-04-10 10:24:02 0101021 IP 192.168.100.50.51736 > 8.8.8.8.443 : proto TCP: S 1375871700:1375871700(0) win 29200 checksum : 27773
    0x0000: 4510 003c 77ea 4000 3f06 8ed7 c0a8 6432 E..<w.@.?.....d2
    0x0010: 0808 0808 ca18 01bb 5202 22d4 0000 0000 ........R.".....
    0x0020: a002 7210 6c7d 0000 0204 05b4 0402 080a ..r.l}..........
    0x0030: 9e9b 5542 0000 0000 0103 0307 ..UB........
    Date=2018-04-10 Time=10:24:02 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev=PortB inzone_id=3 outzone_id=2 source_mac=00:0c:29:21:4f:78 dest_mac=00:0c:29:5b:cf:27 l3_protocol=IP source_ip=192.168.100.50 dest_ip=8.8.8.8 l4_protocol=TCP source_port=51736 dest_port=443 fw_rule_id=0 policytype=0 live_userid=1 userid=12 user_gp=8 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=1137654688 masterid=0 status=256 state=1 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

     

    No "allowed Packets" in Logviewer. 

     

     

  • 0 in reply to LuCar Toni

    Hello ManBearPig.  Two things.  First the rule you show totals 0 (zero) bytes in and out.  Is that normal ?  Seconds, I filtered logs using "Firewall Rule is 6".  If I do not do so, it becomes very hard to find those errors.