
XG Log View not showing denied

Much like this post, https://community.sophos.com/products/xg-firewall/f/logging-and-reporting/98950/how-to-log-dropped-firewall-http-s-traffic, I'm noticing that since upgrading to v17 the log viewer doesn't show all of the blocked traffic. Is this a bug, or is there a setting that needs changing?

  • Hi,

    this is "works as designed".

    If you want to see the dropped packets, you need a Default Drop rule at the bottom, so XG matches this rule for all traffic that matches no other rule.

    Basically most of the time, I don't need to know if something is blocked without any rule, so I disable the default drop and only use it for troubleshooting. Default drop "can" cause some problems, so be careful.

    As far as I know, this is planned to be changed.

  • I'm not talking about packets dropped. I'm talking about ports blocked.

    I'm seeing inconsistent results on logging blocked ports. For the same application, sometimes it is in the log, and other times not. When an app isn't working after install, I test by turning on the "allow all outbound" tester rule. Often this allows the app to work, and then I disable the rule. Sometimes it then begins logging the blocked port.

    I'm still trying to find a repeatable method for proving this.

  • Thanks for that suggestion Toni. It is very helpful.

    I was having the same issue of not seeing some blocked ports that never matched any rules. I could not find any option to show dropped/denied traffic from the default rules.

    Adding a manual rule at the bottom with deny any to any worked great.

    On a side note, you can see the traffic "live" in the PCAP/Packet capture. Just filter on violation.
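The thread's point, as an added illustration that is not Sophos code and not from any poster: a constructed first-match model in which only a matching rule can write a log line, so traffic that falls through to the implicit drop never appears, while an explicit logged deny-any-to-any rule at the bottom catches it. Rule and flow names are made up for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    name: str
    action: str              # "allow" or "deny"
    dst_port: Optional[int]  # None matches any destination port
    log: bool                # whether a match writes to the log viewer

@dataclass
class Flow:
    app: str
    dst_port: int

def evaluate(rules: List[Rule], flow: Flow, log: List[str]) -> str:
    """First-match evaluation. A log line is written only when the matching
    rule has logging enabled; a flow that matches no rule hits the implicit
    default drop, which writes nothing (the behaviour the thread describes)."""
    for rule in rules:
        if rule.dst_port is None or rule.dst_port == flow.dst_port:
            if rule.log:
                log.append(f"{rule.action} {flow.app}:{flow.dst_port} by {rule.name}")
            return rule.action
    return "deny"  # implicit drop: same outcome, but invisible in the log

# Constructed rule base: two logged allow rules, nothing else.
BASE_RULES = [Rule("allow-web", "allow", 443, True),
              Rule("allow-dns", "allow", 53, True)]
# The explicit bottom rule the thread recommends for troubleshooting.
CATCH_ALL = Rule("deny-any-any", "deny", None, True)

def run(rules: List[Rule], flows: List[Flow]) -> Tuple[List[str], List[str]]:
    """Evaluate every flow; return (actions, log lines) for comparison."""
    log: List[str] = []
    actions = [evaluate(rules, f, log) for f in flows]
    return actions, log

if __name__ == "__main__":
    flows = [Flow("browser", 443), Flow("updater", 8443)]
    print(run(BASE_RULES, flows))              # updater denied, one log line
    print(run(BASE_RULES + [CATCH_ALL], flows))  # updater denied, two log lines
```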