
What is this traffic being blocked?

There's a list of entries in my firewall log of traffic being 'Denied', but I'm not sure what's causing it or why it's being blocked.

Here's a screenshot of the firewall log:

Here's the detailed description from one of the entries:

2018-08-24 15:12:59 Firewall messageid="00002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="9" policy_type="1" user="" user_group="" web_policy_id="12" ips_policy_id="12" appfilter_policy_id="10" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1" out_interface="" src_mac="[removed]" src_ip="172.16.16.20" src_country="" dst_ip="66.58.255.17" dst_country="" protocol="UDP" src_port="52177" dst_port="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

Here's a screenshot of firewall rule 9:

The destination IP addresses appear to be Google's main page. My only guess is that, because there's no 'Out Interface' defined, the traffic is being blocked for not matching any of the Zones I have defined in my firewall rules.

Any ideas?
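As an added example (not part of the original post), the following Python parses a Sophos XG key="value" log entry like the one quoted above and pulls out the fields that matter when asking which rule denied what: the rule id, the app-filter policy, the flow, whether the out interface was blank, and whether the flow is UDP/443, the port QUIC normally uses. The sample line is constructed from the entry above with the MAC kept redacted.

```python
import re
from typing import Dict

# Constructed sample: a shortened copy of the Denied entry quoted above.
# Sophos XG writes space-separated key="value" pairs; empty values are key="".
SAMPLE = ('messageid="00002" log_type="Firewall" log_component="Firewall Rule" '
          'log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="9" '
          'policy_type="1" user="" appfilter_policy_id="10" app_name="" '
          'in_interface="Port1" out_interface="" src_mac="[removed]" '
          'src_ip="172.16.16.20" dst_ip="66.58.255.17" protocol="UDP" '
          'src_port="52177" dst_port="443" packets_sent="0" '
          'hb_status="No Heartbeat" appresolvedby="Signature" app_is_cloud="0"')

# One key="value" pair; the value may be empty and may contain spaces or
# brackets, but never a double quote.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_xg_line(line: str) -> Dict[str, str]:
    """Turn a Sophos XG firewall log line into a field dictionary."""
    return {key: value for key, value in PAIR_RE.findall(line)}


def summarize_denied(fields: Dict[str, str]) -> Dict[str, object]:
    """Reduce a parsed entry to the facts needed to explain a Denied line."""
    proto = fields.get("protocol", "")
    dport = fields.get("dst_port", "")
    return {
        "denied": fields.get("log_subtype") == "Denied",
        "rule_id": fields.get("fw_rule_id", ""),
        "appfilter_policy": fields.get("appfilter_policy_id", ""),
        "flow": f'{fields.get("src_ip")}:{fields.get("src_port")} -> '
                f'{fields.get("dst_ip")}:{dport}/{proto}',
        # A blank out_interface means no egress interface was recorded.
        "no_out_interface": fields.get("out_interface", "") == "",
        # QUIC normally runs over UDP/443, which is what Google clients use.
        "looks_like_quic": proto == "UDP" and dport == "443",
        # app_name is empty here even though appresolvedby says Signature.
        "app_identified": fields.get("app_name", "") != "",
    }


if __name__ == "__main__":
    for name, value in summarize_denied(parse_xg_line(SAMPLE)).items():
        print(f"{name}: {value}")
```

Run it over every Denied line in the exported log to see whether all of them share the same rule id and the UDP/443 pattern.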



  • One thing I don't quite understand is why I'm seeing these entries in my log. The reason is that I have a firewall rule with logging turned off, which my devices should be hitting, above the firewall rule that is causing these entries. Here's basically what I'm referring to:

    - I have an iPad defined as a MAC Host in Sophos XG (i.e. “My iPad”).

    - I have one firewall rule that allows LAN to WAN on certain services which “My iPad” is assigned to (logging disabled).

    - I have another firewall rule that allows all from LAN to WAN for all services and devices (logging enabled) - this rule sits below the rule above.

    - Both of these firewall rules have “Block Google(QUIC)”.

    If I understand Sophos XG correctly, it assesses firewall rules from top to bottom and, once a rule is matched, stops there. So in the example above, when I'm using my iPad and Google QUIC attempts to be used, it should be blocked, since I have that enabled, and should no longer be assessed against any other firewall rules. However, what appears to be happening is that it moves on to the next firewall rule it matches, which in this case is the allow-all rule I have set up.

    Any ideas?