Grey Rule

Hi cyberguy 

8) What is the new disabled “Drop ALL” rule at the bottom of the firewall rule table?

The default drop rule provides a visual indication to user/admin that if none of the firewall rules gets a match, traffic will be dropped.

You reported about two specific challenges that admin faces in v17.x.

1. New admins are confused about the default behavior on the firewall rule table – that is the behavior when no rule matches. The new disabled Drop ALL non-editable rule is a step to resolve this.
2. Log viewer should show traffic being dropped by the default-drop behavior of the firewall rule table – this is planned to be released post v18.

Currently, the logs that you see with firewall rule id ‘0’ are NOT for the traffic dropped by Drop ALL rule. In later EAP releases, we would replace them with “N/A” as those are for the traffic dropped before the firewall rule matches – for example – invalid traffic. And actual logs for traffic dropped by Drop ALL default behavior will be available in the release post v18. Meanwhile – as a workaround, one can add a drop rule at the bottom to log the dropped traffic not matched by any other firewall rule.

For more info - https://community.sophos.com/products/xg-firewall/f/recommended-reads/116102/understanding-new-decoupled-nat-and-firewall-changes-in-v18

So,

this rule 0 is a new rule from v18?

Because on v17 I had my drop all roule.

Now I'm having 2 drop all rules... 1 by me and the other one from v18?

 So I can remove my rule now?

Thank you so much! 
i thought was a my duplicate rule.

Hi cyberguy 

We glad that we could help you, please reach out to us for any further assistance.

Hey Keyur,

you are saying that the bug in the default drop rule has been fixed, so we can remove our temporary default drop all rule?

ian

Hi rfcat_vk 

Could you please the details on bug or bug id or any relevant information? It would be helpful to check your requirements further.

Just to be clear. 

This Rule "does nothing new". This is a simple visibility Rule, to give the Administrator the "true" rule set. 

This rule shows the administrator, at the end of the ruleset, there is a implicit deny. 

V18 does not create a new Rule. It simply shows you, there is a Rule 0 at the End of the Ruleset. 

This rule does NOT log Traffic as this KB indicates: 

https://community.sophos.com/products/xg-firewall/f/recommended-reads/118125/sophos-xg-firewall-v17-5-how-to-log-all-dropped-traffic-without-interrupting-other-services

This Rule is still needed to show the Logging of Rule 0 Traffic.

There is more work to do, to log the Traffic as mentioned by this Rule. 

Just to be clear. 

This Rule "does nothing new". This is a simple visibility Rule, to give the Administrator the "true" rule set. 

This rule shows the administrator, at the end of the ruleset, there is a implicit deny. 

V18 does not create a new Rule. It simply shows you, there is a Rule 0 at the End of the Ruleset. 

This rule does NOT log Traffic as this KB indicates: 

https://community.sophos.com/products/xg-firewall/f/recommended-reads/118125/sophos-xg-firewall-v17-5-how-to-log-all-dropped-traffic-without-interrupting-other-services

This Rule is still needed to show the Logging of Rule 0 Traffic.

There is more work to do, to log the Traffic as mentioned by this Rule.