
Drop firewall policy not working

In log viewer I am noticing a lot of entries allowing traffic to a host for port 3389. This is RDP. There should be no reason for anyone but me to use RDP, and I only do it locally or through a VPN tunnel. I created a User/Network Rule intended to drop traffic from specific IPs and IP networks. You'll notice that the rule shows "in 0 B, out 0 B". The traffic I'm trying to stop still shows as allowed. Any idea what I'm doing wrong?


This is an entry from the firewall log: (screenshot not reproduced)

This is the Firewall Rule in the top position: (screenshot not reproduced)

This is the edit page for the firewall rule: (screenshot not reproduced)



  • Hey  

    It looks like this attempted RDP connection is being allowed by your firewall rule number 25. How is this rule configured?

    As well, creating this explicit deny rule shouldn't be necessary as traffic that is not explicitly allowed by a firewall rule will be denied by the default drop rule 0.

    Here are some relevant KBs for more info.

    Sophos XG Firewall: How to change firewall rule order
    Sophos XG Firewall: Firewall rule 0 explanation

    Regards,

  • Rule 25 is a Business Application Rule. It is for access to my PBX server (3CX). 

    Source Zones: LAN, WAN
    Allowed Client Networks: Any
    Blocked Client Networks: IP Host Group called "Bad IP Hosts"
    Destination Host/Network: #Port2-24.249.185.251
    Services: 3CX All Needed Ports V2
    Protected Server(s): 3cx Server
    Protected Zone: LAN

    The "Bad IP Hosts" group has several IP hosts (individual IP addresses and networks) defined.

    I was hoping that the IP addresses and IP networks I have defined in "Bad IP Hosts" under "Blocked Client Networks" would have stopped the access but apparently not. I realize this is a redundant attempt with the deny rules I have defined. I will turn off the deny rule and see what happens.

    If my configuration for rule 25 above is wrong, how should it be configured? Should I change the Allowed Client Networks from "Any"? The 3CX server is configured to allow internal and external phone extensions to function as well as register with the SIP trunk which is external (CallCentric). I do have port 3389 defined in the "3CX All Needed Ports V2" service so that I can RDP to the server using a VPN tunnel and from the physical LAN.

    I have no formal training on Sophos so I'm having to gain understanding and experience by the seat of my pants. I am also running Sophos XG home version at my home that allows me to experiment.


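The two posts above turn on the same point: Sophos XG evaluates firewall rules top-down, first match wins, and anything no rule allows hits the implicit default drop (rule 0), so a WAN-facing rule whose allowed client networks are "Any" and whose service group contains 3389 is what exposes RDP, and an explicit deny rule only ever affects the sources it lists. The following toy model is an added example, not Sophos code and not anything the posters wrote. It rebuilds rule 25 from the description in the thread (source zones LAN and WAN, allowed clients Any, blocked clients "Bad IP Hosts", a service group that includes 3389) with assumed TEST-NET addresses, an assumed "Bad IP Hosts" group and an assumed handful of SIP ports, since the real values are not on the page. It does not model DNAT or business application rule internals, so it cannot say why the poster's deny rule showed zero counters; it shows the first-match and rule 0 behaviour, audits which ports an arbitrary Internet source can reach, and contrasts the described rule set with one that moves 3389 into its own LAN/VPN-only rule.

```python
"""Toy first-match firewall evaluation with an implicit rule 0 drop.

Constructed example: the rule set mirrors the thread's description of rule 25,
but every address, network and SIP port below is an assumption, not page data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

ANY = "any"


def _in_nets(ip: str, nets: List[str]) -> bool:
    """True if ip is inside any CIDR/host in nets; ANY matches everything."""
    if ANY in nets:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(n, strict=False) for n in nets)


@dataclass
class Rule:
    number: int
    name: str
    action: str                      # "allow" or "drop"
    src_zones: List[str]
    dst_zone: str
    allowed_src: List[str]           # client networks, CIDRs or [ANY]
    blocked_src: List[str] = field(default_factory=list)   # carved out of allowed_src
    dst_hosts: List[str] = field(default_factory=lambda: [ANY])
    ports: List[int] = field(default_factory=list)         # empty = any TCP port
    hits: int = 0                    # stands in for the "in/out bytes" counters

    def matches(self, src_zone: str, dst_zone: str, src_ip: str, dst_ip: str, port: int) -> bool:
        if src_zone not in self.src_zones or dst_zone != self.dst_zone:
            return False
        if not _in_nets(dst_ip, self.dst_hosts):
            return False
        if self.ports and port not in self.ports:
            return False
        # Toy simplification: a blocked client network simply does not match this
        # rule, so the flow falls through to later rules and finally to rule 0.
        if _in_nets(src_ip, self.blocked_src):
            return False
        return _in_nets(src_ip, self.allowed_src)


RULE0 = Rule(0, "default drop (rule 0)", "drop", [], "", [])


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             src_ip: str, dst_ip: str, port: int) -> Rule:
    """Top-down, first match wins; unmatched traffic lands on the implicit rule 0."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, src_ip, dst_ip, port):
            rule.hits += 1
            return rule
    return RULE0


# Assumed values (TEST-NET ranges); the thread gives none of these.
PORT2_WAN_IP = "192.0.2.10"                         # public address on #Port2
PBX_LAN_IP = "10.0.0.20"                            # 3CX server on the LAN
BAD_IP_HOSTS = ["198.51.100.0/24", "203.0.113.66"]  # constructed "Bad IP Hosts" group
SIP_PORTS = [5060, 5061, 5090]                      # placeholder for the 3CX service group


def thread_ruleset() -> List[Rule]:
    """Rule set as described in the thread: a deny rule on top, then rule 25
    allowing the 3CX service group (3389 included) from Any except Bad IP Hosts."""
    return [
        Rule(1, "drop Bad IP Hosts (poster's deny rule)", "drop",
             src_zones=["WAN"], dst_zone="LAN", allowed_src=BAD_IP_HOSTS),
        Rule(25, "3CX business application rule", "allow",
             src_zones=["LAN", "WAN"], dst_zone="LAN", allowed_src=[ANY],
             blocked_src=BAD_IP_HOSTS, dst_hosts=[PORT2_WAN_IP],
             ports=SIP_PORTS + [3389]),
    ]


def hardened_ruleset() -> List[Rule]:
    """Same PBX exposure minus 3389, plus an RDP rule limited to LAN and VPN zones."""
    return [
        Rule(25, "3CX business application rule (no 3389)", "allow",
             src_zones=["LAN", "WAN"], dst_zone="LAN", allowed_src=[ANY],
             blocked_src=BAD_IP_HOSTS, dst_hosts=[PORT2_WAN_IP], ports=SIP_PORTS),
        Rule(27, "RDP to PBX from LAN/VPN only", "allow",
             src_zones=["LAN", "VPN"], dst_zone="LAN",
             allowed_src=["10.0.0.0/24", "10.8.0.0/24"],   # assumed LAN and VPN pools
             dst_hosts=[PBX_LAN_IP], ports=[3389]),
    ]


def wan_exposed_ports(rules: List[Rule]) -> Dict[int, List[int]]:
    """Ports an arbitrary Internet source can reach: allow rules with WAN as a
    source zone and Any as allowed client networks, keyed by rule number."""
    return {r.number: sorted(r.ports) for r in rules
            if r.action == "allow" and "WAN" in r.src_zones and ANY in r.allowed_src}


if __name__ == "__main__":
    for label, rules in (("as described", thread_ruleset()), ("hardened", hardened_ruleset())):
        print(f"--- {label}: WAN-exposed ports {wan_exposed_ports(rules)}")
        for zone, src, dst, port in (("WAN", "203.0.113.7", PORT2_WAN_IP, 3389),
                                     ("WAN", "203.0.113.66", PORT2_WAN_IP, 3389),
                                     ("WAN", "203.0.113.7", PORT2_WAN_IP, 5060),
                                     ("VPN", "10.8.0.5", PBX_LAN_IP, 3389)):
            hit = evaluate(rules, zone, "LAN", src, dst, port)
            print(f"{zone:>3} {src:>14} -> {dst}:{port:<5} {hit.action:>5} by rule {hit.number}")
        print("hit counters:", {r.number: r.hits for r in rules})
```

Running the "as described" set shows the deny rule counting hits only for the two listed sources while any other Internet address reaches 3389 through rule 25; in the hardened set the same WAN probe falls through to rule 0, SIP from the Internet still matches rule 25, and RDP only matches from the VPN or LAN pools.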