
v18: Bug with data counting in firewall rules?

Hi,

I am noticing a strange behavior in v18 and the data counting in the firewall rules. I have some incoming rules (from Internet to DMZ) that are coupled with corresponding DNAT rules. The DMZ contains webservers, so they send a lot more data than they receive. However, the counters in the rules are the other way around: They show a lot more incoming data than outgoing data. 

Unless I am completely misinterpreting these counters (which I would like to rule out), it appears to me these counters have been reversed, i.e. incoming is actually showing outgoing, and outgoing is showing incoming.

Any thoughts?



  • Hi cryptochrome,

    Could you please share the screenshot of the firewall rule that shows data in and out counters? I will verify if it should be like that or not and update you.

    Thanks,

  • Hi cryptochrome, 

    Could you please share the screenshot of the firewall rule that shows data in and out counters? I will verify if it should be like that or not and update you.

    Thanks,


    Sure, here you go:

    Firewall Rule:

    Corresponding NAT rule:

    Firewall Rule Details:


    Note that this is just one example. I am seeing the same "reversed" counter on other incoming rules. 

    How do you count the data? If someone on the internet initiates the connection and transfers a lot of data, does that count as incoming or outgoing?

  • It was clear in the beginning, but what are you suggesting? 

    Do you see an issue in the way XG is doing this? If you do, please name it; maybe I can talk about this.

    RX/TX is just another term for IN/OUT (interface/NIC level).

  • LuCar Toni said:

    What about other zones which actually could be external (VPN zone, MPLS zones, zones behind routing devices (for example dark fiber etc.))? Would you consider them external or internal? Giving the administrator an option to decide about each zone could be a better approach.

    That's actually what I was suggesting in my last post :) by pointing out how other firewall vendors do it. They let admins define the network topology in some way, through which you designate external vs internal networks.

    LuCar Toni said:

    Do you know how other vendors actually perform if you create an ANY-ANY rule? This will hit for internal and external traffic, hence it will lead to weird traffic data counters, won't it? Also rules which involve LAN and an external zone (LAN & WAN to LAN & WAN).

    It has nothing to do with the rule, really. Whether the rule is any-any or more specific doesn't matter. The firewall still has to determine the incoming and outgoing interfaces of the connection. And it still has to determine who initiated the session in a flow. That's all it needs, when a topology (external vs internal) has been defined. 

    LuCar Toni said:

    Your examples make perfect sense, but are actually hard to achieve and could lead to conflicts which need to be considered.

    It's not really hard to achieve, see other firewall vendors. It just has to be thought through and properly engineered. I am pretty sure Sophos engineers would be able to come up with a solution fairly easily. 

    LuCar Toni said:

    PS: There are setups, which this will eventually break: XG without WAN Zone but Uplink to the Internet (eBGP, Upstream hosts etc.), Parent Proxy Setups. DNAT into a VPN Tunnel (Traffic coming from WAN, going into the VPN Tunnel. Is it Out, Out? Hard to tell). 

    Nope, nothing would break :)  See my comment above. All you need is a topology definition of some kind and then look at session establishment and which interfaces/zones the traffic traverses. And in complex, routed networks with BGP or MPLS and VPNs it's still all the same. You just have to define the topology from the perspective of the local firewall. It can be as simple as defining that all networks that the local firewall protects are considered internal networks and everything else is considered external (from that particular firewall's perspective).

  • Maybe you could DM/PM me some screenshots of other vendors, how they do it on their rule set? Just curious about their solution. 

    Tried to find some information about this via research, but as others mentioned, other vendors are not showing such kind of traffic in their ruleset, as far as I could see. Could be wrong about that.

  • No, I can't. It's the weekend. You just have to trust me on this. One example: Fortigate firewalls from Fortinet. You can enable a bytes column right in the ruleset. On Checkpoint, if you enable the Accounting feature, you right click on a rule, select "show in log", and it opens the log showing your bytes received, bytes sent, and total browse time (if it is app enabled) for every connection. It's similar on Palo Alto. 

    Not sure why you doubt any of this.

    On Checkpoint, if you enable the Accounting feature, you right click on a rule, select "show in log", and it opens the log showing your bytes received, bytes sent, and total browse time (if it is app enabled) for every connection.

    It literally opens Checkpoint's own logs for this, and you can do the same thing on XG for data counting; the only problem is that the XG logs are worse than Checkpoint's.

    But I don't blame Sophos entirely for this. They're using a web based management solution; you can't compare it to Checkpoint's SmartConsole.

    PAN and Checkpoint also use hit counters by default instead of data counting; of course you can enable it to show Bytes A/B (on PAN).

    Also, by default Checkpoint uses hit counters on the rules instead of bandwidth as it is in XG.

    Of course the logs will show bandwidth, duration and sessions. But as stated before, don't compare SmartConsole directly to XG.

     

    Also, genuine question: why is data counting directly on the rule in XG so important to you? What's the best use-case scenario for it?

    Isn't it better to just use the Logs/Reporting function that already exists? I know both of them are bad compared to the competitors, but at least it "works".

    Tried to find some information about this via research, but as others mentioned, other vendors are not showing such kind of traffic in their ruleset, as far as I could see. Could be wrong about that.

    They don't show it like XG.

    Also, after 40 replies in this thread, isn't it better for XG to follow the industry standard and also use hit counters for the rules instead of just showing bandwidth? Also please show when the rule was first and last used.

    Thanks!

  • Thanks for the log Prism.

    Since RX/TX depend on the interface you are using, I suggest Sophos maintain the counters and apply them to the first matching interface.

    For LAN to WAN, TX is the traffic sent by the LAN and RX is the traffic received. Same thing from WAN to LAN: TX is the traffic sent by the WAN interface, RX the traffic received. So in the case of a 10 MB file upload from WAN to LAN, RX is 10 MB and TX is a few KB.

    Also I suggest Sophos put back the reports per interface like UTM does.

    Let's see what other users say about it.

    Please vote and consider this feature request:

    https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/34421893-report-of-traffic-for-each-wan-interface

    Regards

  • Prism said:

    Also, genuine question: why is data counting directly on the rule in XG so important to you? What's the best use-case scenario for it?
    Isn't it better to just use the Logs/Reporting function that already exists? I know both of them are bad compared to the competitors, but at least it "works".

    The thing is, it's not important to me at all :-)  When I opened this thread, I never expected a huge discussion like this. I just noticed the counters on my incoming rules were wrong and opened a post, thinking it may be a bug. And now here we are, haha. 

    I also don't care whether the counters are displayed right in the rule or whether I have to open a different view for it (reports, logs, whatever). It doesn't really matter. The whole point is: the counters that are there are wrong. Sending data out of the WAN interface and showing that as incoming traffic is just plain crazy :)

    Prism said:

    They don't show it like XG.

    Well... they do, actually. Some even directly in the rule (Fortinet), some others require a few additional mouse clicks, but the data is available. With proper directional display. 

    Prism said:

    Also, after 40 replies in this thread, isn't it better for XG to follow the industry standard and also use hit counters for the rules instead of just showing bandwidth? Also please show when the rule was first and last used.

    I would second this request. It would be very helpful in housekeeping scenarios. 
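As an added illustration (not code from this thread or from Sophos) of the topology-based accounting argued for above, where the admin declares which zones the local firewall protects and each half of a session is then counted by the direction it actually travels, combined with the per-rule hit counter and first/last-used timestamps requested here. Zone names, the Session record and the sample flows are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed topology: the zones this firewall protects (hypothetical names).
INTERNAL_ZONES: Set[str] = {"LAN", "DMZ"}

@dataclass
class Session:
    rule_id: int
    initiator_zone: str        # zone of the host that opened the connection
    responder_zone: str        # zone of the host that answered
    bytes_from_initiator: int
    bytes_from_responder: int
    end_time: int              # epoch seconds (constructed)

@dataclass
class RuleCounters:
    hits: int = 0
    first_used: Optional[int] = None
    last_used: Optional[int] = None
    # bytes by direction from the firewall's perspective, not per NIC
    bytes: Dict[str, int] = field(default_factory=lambda: dict.fromkeys(
        ("inbound", "outbound", "internal", "external"), 0))

def direction(src_zone: str, dst_zone: str, internal: Set[str]) -> str:
    """Classify one half of a flow: into, out of, inside or outside the protected networks."""
    src_int, dst_int = src_zone in internal, dst_zone in internal
    if src_int != dst_int:
        return "outbound" if src_int else "inbound"
    return "internal" if src_int else "external"

def account(sessions: List[Session], internal: Set[str] = INTERNAL_ZONES) -> Dict[int, RuleCounters]:
    """Per-rule hit counter, first/last use and direction-aware byte counters."""
    counters: Dict[int, RuleCounters] = {}
    for s in sessions:
        c = counters.setdefault(s.rule_id, RuleCounters())
        c.hits += 1
        c.first_used = s.end_time if c.first_used is None else min(c.first_used, s.end_time)
        c.last_used = s.end_time if c.last_used is None else max(c.last_used, s.end_time)
        # Count each half of the flow by the direction it travels, not by initiator or NIC.
        c.bytes[direction(s.initiator_zone, s.responder_zone, internal)] += s.bytes_from_initiator
        c.bytes[direction(s.responder_zone, s.initiator_zone, internal)] += s.bytes_from_responder
    return counters

# Constructed sample: Internet clients fetching from a DNAT'd DMZ web server (rule 7); LAN host downloading (rule 3).
SAMPLE: List[Session] = [
    Session(7, "WAN", "DMZ", 2_000, 500_000, 1_600_000_000),
    Session(7, "WAN", "DMZ", 1_500, 300_000, 1_600_000_060),
    Session(3, "LAN", "WAN", 4_000, 90_000, 1_600_000_120),
]
```

For rule 7 the web server's responses land in the outbound counter (800,000 bytes) and the small client requests in the inbound counter, which is the directional display the thread asks for.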

  • Also, since you guys keep mentioning XG reports and that the data is available there as well, I just took a look. I clicked on an application in the traffic dashboard and immediately had to laugh out loud and hard. As if this would make any sense whatsoever:

    Mind you, this is for one application. It tells me the source and destination zones had the exact same amount of hits and data, which of course is utter nonsense. Another pointer at just how wrong Sophos calculates data.

  • People have been complaining about XG reports and logs since it came out.

    That's why I wrote: (but at least it "works".)

    I'm an optimistic person, but only God knows when the devs will do something about this.

    I hope the best for v18.5, so no one has to complain about this anymore.

  • Would recommend checking Central Reporting.

    https://community.sophos.com/products/xg-firewall/sfos-eap/central-firewall-reporting-eap/

    Central Reporting is waiting for Feedback from the community. 

    You can simply activate it in Central (EAP). 
