During scheduled time - overrides the reject setting in a firewall rule

I am using XG 17.5.0

I set a firewall rule based on IP to reject a connection therefore turning off network access to that device.  This works correctly.

When I add the "During scheduled time" option by choosing School days, network connectivity is allowed even though the rule is still set to "Reject".  The hour when this was tested was outside the allowable school hours.

Is this a bug or am I missing something?

  • I'd like to clarify what I think is happening.  When the "During scheduled time" option is active in the firewall rule, regardless of whether the device is in or outside the time frame for usage, the rule is bypassed.  I noticed I had no activity on that rule when I chose "School days", so the rule is being bypassed.

    The question then is why is the rule being bypassed when "During Scheduled Time" options are utilized?  The rule works correctly when "all the time" is chosen. 

  • The rule will need to be at the top of your rule list.

    Ian

  • Again thanks Ian

    I have a rule that is related to a specific device.  The DHCP on the wireless box has the MAC address and assigns the IP (this is working correctly).  The Sophos XG then has a rule that the IP is to have access based on the "During scheduled time".  I can reject the device and it works, I can provide access and that works.  When I set the "During scheduled time" to anything but "anytime", the rule is bypassed.

    My understanding of the option "during scheduled time" is that it allows when a user can get access and when they cannot.  That being the case it doesn't work because it disregards the rule in firewall even if I set the rule to "reject".  

    Of course I can use other rules to block access to the specific device based on IP but that defeats the point of having a "During scheduled time" option in the rule.  

  • Hi Nicholas,

    what rule do you see being used by the device when it is supposed to be blocked?

    Ian

  • I set up a rule with the source as LAN and the source device (desktop computer) has the specific IP which was set up under Hosts and Services (IP Host).  The destination zones and networks are any/any.  This is the rule that is bypassed when using "During scheduled time" for anything but "anytime".

  • Hi Nicholas,

    what rule is being used when the bypass fails?

    Does your school hours block schedule look like this?

    Ian

  • Essentially yes, with a few adjustments to the hours but otherwise the same.

  • I applied that time rule to my VoIP firewall rule and was not able to make any calls.

    As advised earlier, I limit my device access to matching clientless access groups and if the device is not in that group there is no internet access.

    If you open the log viewer and set up the block rule, then access the internet using the 'blocked' IP, which rule is shown as being used?

    Ian

  • I finally got some time to review your comments and play with the firewall rules.  I was able to resolve this, but it does seem counterintuitive.  Your comments were helpful in figuring this out. In the end I used two rules to accomplish what I wanted.  I cloned a second rule, right after the active rule, that simply rejects the device based on IP.  If I choose the "during scheduled time" rule and the time is outside the accessible time, the rule gets bypassed and as a result the traffic gets rejected by the second rule.

    Seems to be working for now. I'll be testing it more as the family uses the system this week.
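The behaviour worked out in this thread, modelled as an added example (not from the original posts and not Sophos code): a first-match evaluator in which the schedule is a match condition, so outside the window the scheduled rule is skipped and the packet falls through to whatever comes next. The rule names, the 192.0.2.0/24 LAN and the "school days" window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Schedule:
    days: Set[int]  # weekday numbers, Monday = 0
    start: str      # "HH:MM", inclusive
    end: str        # "HH:MM", exclusive

    def active(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        return self.start <= when.strftime("%H:%M") < self.end


@dataclass
class Rule:
    name: str
    source: str                       # CIDR of the source host/network
    action: str                       # "accept" or "reject"
    schedule: Optional[Schedule] = None

    def matches(self, src: str, when: datetime) -> bool:
        if ip_address(src) not in ip_network(self.source):
            return False
        # Outside its schedule the rule does not match at all; it never
        # "rejects outside the window", the packet just moves on.
        return self.schedule is None or self.schedule.active(when)


def evaluate(rules: List[Rule], src: str, when: datetime,
             default: str = "reject") -> Tuple[str, str]:
    """First-match evaluation: return (rule name, action) for the packet."""
    for rule in rules:
        if rule.matches(src, when):
            return rule.name, rule.action
    return "default", default


# Constructed rulesets: a per-device rule above a general LAN allow rule.
SCHOOL_DAYS = Schedule(days={0, 1, 2, 3, 4}, start="08:00", end="16:00")
CHILD = "192.0.2.10/32"
single = [Rule("child-scheduled", CHILD, "reject", SCHOOL_DAYS),   # bypassed after hours
          Rule("lan-to-wan", "192.0.2.0/24", "accept")]
fixed = [Rule("child-scheduled", CHILD, "accept", SCHOOL_DAYS),    # allow in window
         Rule("child-reject", CHILD, "reject"),                    # catch the fall-through
         Rule("lan-to-wan", "192.0.2.0/24", "accept")]
```

Checking `evaluate(single, "192.0.2.10", <Monday 19:30>)` reproduces the bypass: the scheduled reject is skipped and the LAN allow rule answers; the two-rule layout returns the catch-all reject instead.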

  • Thanks for your research. I had exactly the same use case and issues with scheduled firewall rules being bypassed outside the scheduled times. I believe this is a bug, and adding deny rules to catch it can only be a temporary workaround because they unnecessarily pollute the ruleset.

    I also tried to do this the other way around, creating an inverse schedule with a deny rule. My rule is designed to work based on an application filter, but when I create a deny rule, or change an existing allow rule to deny, all security features sections are removed, thus I can in effect not create a deny rule with an application filter. I am not sure whether that works as designed, either.

    I am running SFOS 18.0.0 GA-Build354

    thanks

    Max

  • Addendum:

    Because the deny rule does not contain application restrictions, it blocks all traffic, not just that of the schedule rule above it.

    This is definitely a bug, please fix.

    Thanks.

  • This is still a bug in the latest v18 as well.
