XG reporting problems yet again ... Firewall accepting forbidden traffic.

Hello Everyone.  I posted a few months ago that a "clean up rule", so common on competing firewalls, cannot be used on Sophos XG without causing reporting issues.

Here: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/98440/clean-up-rule-from-any-to-any-drop-that-s-allowed-on-the-internet-anyway-wtf 

We are told the firewall behaves properly no matter what, but users have no easy or practical means of knowing.  Well, here's another one.  The following is a rule we have in our firewall: rule no. 6, which allows SMTP and SMTPS traffic into our Anti-Spam server.

"SMTP, WAN towards our Anti-Spam server", from WAN to LAN, allow "SMTP (port 25) and SMTP(s) (port 587)".  Simple, right?  "ext-ip xxx.xxx.xxx.xxx" is the Internet (i.e. valid and NATed) address. int_ip is the internal address for the same Anti-Spam server.

  • Here is a recent log from our XG firewall: 

  • OK.  Rows with vertical dots mean many rows that repeat themselves.  For the sake of simplicity, I removed them.  What I understand is that this rule 6 allows ONLY SMTP (25) and SMTPS (587) traffic.  Why do I see 80, 443, ICMP, 123, etc. traffic???

  • Hi,

    there would appear to be something wrong with that rule because you are seeing outgoing traffic using that rule.

    Please post an expanded copy of the rule.

    Thank you 

    ian

  • Hello.  It is a reflexive rule ...  Bi-directional SMTP(s) traffic is normal in this case ...  But all other traffic is not ...

  • Hi Big_Buck,

    it is not the outgoing smtp/s traffic that is the issue, it is the udp 123 and 80 and 443 etc.

    Ian

  • This post is clearly just about that. Unallowed udp 123, 80, 443 and all traffic.  That said, do you have an idea how this could happen???  How can I rely on XG now???  This is cybernical Swiss cheese!!!

  • I agree and that is why I would like to see the whole rule so that wiser eyes than mine might review it.

    Ian

  • Hi,

    tried to reproduce it, but no luck here on 3 appliances.


    Appliance is blocking everything except 25 and 587 from Client to WAN.

    2018-04-10 10:24:02 0101021 IP 192.168.100.50.51736 > 8.8.8.8.443 : proto TCP: S 1375871700:1375871700(0) win 29200 checksum : 27773
    0x0000: 4510 003c 77ea 4000 3f06 8ed7 c0a8 6432 E..<w.@.?.....d2
    0x0010: 0808 0808 ca18 01bb 5202 22d4 0000 0000 ........R.".....
    0x0020: a002 7210 6c7d 0000 0204 05b4 0402 080a ..r.l}..........
    0x0030: 9e9b 5542 0000 0000 0103 0307 ..UB........
    Date=2018-04-10 Time=10:24:02 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev=PortB inzone_id=3 outzone_id=2 source_mac=00:0c:29:21:4f:78 dest_mac=00:0c:29:5b:cf:27 l3_protocol=IP source_ip=192.168.100.50 dest_ip=8.8.8.8 l4_protocol=TCP source_port=51736 dest_port=443 fw_rule_id=0 policytype=0 live_userid=1 userid=12 user_gp=8 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=1137654688 masterid=0 status=256 state=1 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A


    No "allowed Packets" in Logviewer. 

  • Hello ManBearPig.  Two things.  First, the rule you show totals 0 (zero) bytes in and out.  Is that normal?  Second, I filtered logs using "Firewall Rule is 6".  If I do not do so, it becomes very hard to find those errors.
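One way to do offline what Big_Buck describes doing in Logviewer ("Firewall Rule is 6"), as an added example that is not from the thread or from Sophos: parse the space-separated key=value layout of the XG log line ManBearPig quoted above, keep only the entries the appliance attributed to a given rule id, and list every connection whose protocol/port pair is outside what that rule is supposed to allow. The field names (fw_rule_id, l4_protocol, dest_port, log_subtype, ...) are taken from the quoted line; the sample lines, addresses and the TCP 25/587 allow-list for rule 6 are constructed for the example.

```python
"""Flag Sophos XG firewall log entries attributed to a rule but outside its
allowed services.

Added example. It assumes only the key=value layout seen in the thread's
quoted log line; field names come from that line, everything else below is
constructed sample data.
"""
import re

# One key=value token. XG log values carry no spaces, so \S* is sufficient
# (it also tolerates empty values and N/A placeholders).
_KV = re.compile(r'(\w+)=(\S*)')


def parse_xg_log_line(line):
    """Return the key=value fields of one XG log line as a dict."""
    return dict(_KV.findall(line))


def flag_unexpected(lines, rule_id, allowed):
    """Return (log_subtype, source_ip, dest_ip, l4_protocol, dest_port) for
    every line whose fw_rule_id equals rule_id but whose (protocol, port)
    pair is not in the `allowed` set. Entries for other rules are ignored
    (they are not the question the thread asks)."""
    hits = []
    for line in lines:
        fields = parse_xg_log_line(line)
        if fields.get('fw_rule_id') != str(rule_id):
            continue
        proto = fields.get('l4_protocol', 'N/A')
        port = fields.get('dest_port', 'N/A')
        if (proto, port) not in allowed:
            hits.append((fields.get('log_subtype', 'N/A'),
                         fields.get('source_ip', 'N/A'),
                         fields.get('dest_ip', 'N/A'),
                         proto, port))
    return hits


# Constructed sample lines (not real traffic): inbound SMTP/SMTPS to the
# anti-spam host, then outbound 443, UDP 123 and ICMP all tagged rule 6,
# plus one denied 443 attempt tagged rule 0 that must NOT be reported.
SAMPLE_LINES = [
    "Date=2018-04-10 Time=10:30:01 log_type=Firewall log_component=Firewall_Rule "
    "log_subtype=Allowed in_dev=PortB out_dev=PortA l3_protocol=IP "
    "source_ip=203.0.113.7 dest_ip=10.0.0.25 l4_protocol=TCP source_port=40512 "
    "dest_port=25 fw_rule_id=6",
    "Date=2018-04-10 Time=10:30:05 log_type=Firewall log_component=Firewall_Rule "
    "log_subtype=Allowed in_dev=PortB out_dev=PortA l3_protocol=IP "
    "source_ip=198.51.100.9 dest_ip=10.0.0.25 l4_protocol=TCP source_port=51020 "
    "dest_port=587 fw_rule_id=6",
    "Date=2018-04-10 Time=10:31:12 log_type=Firewall log_component=Firewall_Rule "
    "log_subtype=Allowed in_dev=PortA out_dev=PortB l3_protocol=IP "
    "source_ip=10.0.0.25 dest_ip=8.8.8.8 l4_protocol=TCP source_port=51736 "
    "dest_port=443 fw_rule_id=6",
    "Date=2018-04-10 Time=10:31:40 log_type=Firewall log_component=Firewall_Rule "
    "log_subtype=Allowed in_dev=PortA out_dev=PortB l3_protocol=IP "
    "source_ip=10.0.0.25 dest_ip=192.0.2.10 l4_protocol=UDP source_port=123 "
    "dest_port=123 fw_rule_id=6",
    "Date=2018-04-10 Time=10:32:03 log_type=Firewall log_component=Firewall_Rule "
    "log_subtype=Allowed in_dev=PortA out_dev=PortB l3_protocol=IP "
    "source_ip=10.0.0.25 dest_ip=192.0.2.10 l4_protocol=ICMP source_port=N/A "
    "dest_port=N/A fw_rule_id=6",
    "Date=2018-04-10 Time=10:33:00 log_type=Firewall log_component=Firewall_Rule "
    "log_subtype=Denied in_dev=PortA out_dev=PortB l3_protocol=IP "
    "source_ip=10.0.0.50 dest_ip=8.8.8.8 l4_protocol=TCP source_port=51800 "
    "dest_port=443 fw_rule_id=0",
]

# What rule 6 is meant to permit, per the thread: SMTP and SMTPS over TCP.
ALLOWED_RULE6 = {('TCP', '25'), ('TCP', '587')}


def report_rule6(lines=SAMPLE_LINES):
    """Convenience wrapper: unexpected entries for rule 6 in the sample."""
    return flag_unexpected(lines, 6, ALLOWED_RULE6)


if __name__ == '__main__':
    for subtype, src, dst, proto, port in report_rule6():
        print(f"rule 6 {subtype}: {src} -> {dst} {proto}/{port}")
```

Feeding a Logviewer or syslog export through `flag_unexpected` with the rule id and the rule's real service set gives the same list the thread is arguing about, without the manual filtering; an empty list for a reflexive SMTP rule is what one would expect to see.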
