
XG Log View not showing denied

Much like this post, https://community.sophos.com/products/xg-firewall/f/logging-and-reporting/98950/how-to-log-dropped-firewall-http-s-traffic, I'm noticing that since upgrading to v17 the log viewer doesn't show all of the blocked traffic. Is this a bug, or is there a setting that needs to be changed?



  • Hi,

    this is "works as designed".

    If you want to see the dropped packets, you need a Default Drop rule at the bottom, so XG matches this rule for everything that matches no other rule.

    Basically, most of the time I don't need to know if something is blocked without any rule, so I disable the default drop and only use it for troubleshooting. Default drop "can" cause some problems, so be careful.

    As far as I know, this is planned to be changed.

  • I'm not talking about packets being dropped. I'm talking about ports being blocked.

    I'm seeing inconsistent results on logging blocked ports. For the same application, sometimes it is in the log, and other times not. When an app isn't working after install, I test by turning on the "allow all outbound" tester rule. Often this allows the app to work, and then I disable the rule. Sometimes it then begins logging the blocked port.

    I'm still trying to find a repeatable method for proving this.

  • Thanks for that suggestion Toni. It is very helpful.

    I was having the same issue: not seeing some blocked ports that never matched any rules. I could not find any option to show dropped/denied traffic from default rules.

    Adding a manual rule at the bottom with deny any to any worked great.


    On a side note you can see the traffic "live" in the PCAP/Packet capture. Just filter on violation.

  • Hello,

    Today I have the same issue. The case:

    The XG (17.5.4) is only configured with firewall rules.

    The user wants to use an FTP over TLS connection; the login works, but after that the client wants to list the directory and this fails. The reason was that there was a firewall rule for port 21 and 6000 to 6100 (UDP), but the connection for the ports 6000-6100 runs over TCP and not UDP. In the firewall logs there was no blocking logged. With TCPDUMP I found the failure, accepted the TCP ports, and then it works.

    The "new" accepted TCP ports were logged and other blocked ports were also logged, so this is not normal behaviour for me.

    michael
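The two points the thread circles around (an explicit deny-any rule at the bottom makes otherwise invisible drops appear in the log, and Michael's passive-FTP rule allowed UDP 6000-6100 while the data channel actually uses TCP) can be replayed in a small first-match rule model. This is an added illustration, not code from Sophos or from any poster; the rule/packet structure, the log line format and the addresses are constructed assumptions, and it models only the behaviour described above (traffic that matches no rule is silently dropped and never logged):

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """One connection attempt as the firewall sees it (constructed sample data)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    """First-match rule; None for proto/ports means 'any'. Hypothetical model, not the XG API."""
    rule_id: int
    action: str                   # "accept" or "drop"
    proto: Optional[str] = None
    ports: Optional[range] = None
    log: bool = True              # the rule's own 'log traffic' setting

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.ports is not None and pkt.dport not in self.ports:
            return False
        return True


@dataclass
class Firewall:
    rules: List[Rule]
    log_lines: List[str] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        """Return the verdict; only a matching rule with logging enabled writes a log line."""
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    self.log_lines.append(
                        f"rule_id={rule.rule_id} action={rule.action} "
                        f"src={pkt.src} dst={pkt.dst} proto={pkt.proto} dport={pkt.dport}"
                    )
                return rule.action
        # Implicit default drop: no rule matched, so nothing reaches the log viewer.
        return "drop"


def ftp_scenario(passive_rule_proto: str, default_drop: bool) -> Dict[str, object]:
    """Replay the FTP case: control on TCP/21, passive data on 6000-6100.

    passive_rule_proto: protocol the passive-port rule allows ("udp" = the misconfiguration
                        from the thread, "tcp" = the corrected rule).
    default_drop:       whether an explicit, logged 'deny any to any' rule sits at the bottom.
    """
    rules = [
        Rule(1, "accept", "tcp", range(21, 22)),
        Rule(2, "accept", passive_rule_proto, range(6000, 6101)),  # 6000-6100 inclusive
    ]
    if default_drop:
        rules.append(Rule(99, "drop"))  # catch-all; turns silent drops into log lines
    fw = Firewall(rules)
    client, server = "10.0.0.5", "203.0.113.10"  # constructed addresses
    control = fw.evaluate(Packet(client, server, "tcp", 21))
    data = fw.evaluate(Packet(client, server, "tcp", 6042))  # passive data channel is TCP
    return {"control": control, "data": data, "log": list(fw.log_lines)}


if __name__ == "__main__":
    for proto, dd in (("udp", False), ("udp", True), ("tcp", False)):
        result = ftp_scenario(proto, dd)
        print(f"passive rule proto={proto} default_drop={dd}: "
              f"control={result['control']} data={result['data']}")
        for line in result["log"]:
            print("   log:", line)
```

Running it shows the three states from the thread in order: with the UDP rule and no catch-all, the data connection is dropped and the log holds only the accepted control connection (the "nothing was logged" symptom); adding the bottom deny rule makes the same drop appear with that rule's ID; correcting the rule to TCP logs the accepted data connection instead.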