Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 27 subscribers
  • Views 1986 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

V18 Log and block all dropped traffic not working

Rijsbol

Hello,

I created before the default greyed out Drop all rule a new rule to log and block all traffic. The same as this recommended post: https://community.sophos.com/products/xg-firewall/f/recommended-reads/118125/sophos-xg-firewall-v17-5-how-to-log-all-dropped-traffic-without-interrupting-other-services
Like this:

 
DROP_ALL
in 0 B, out 6.98 MB
LAN, Any host
WAN, Any host
Any service
#11
Drop
  

But DNS traffic is blocked:

2020-07-23 20:58:46
Firewall Rule
Denied
  
11
0
Port1
Port2
192.168.1.x
8.8.8.8
49291
53
UDP
1
00002
Open PCAP

And https/http is not blocked:

2020-07-23 20:58:46
Firewall Rule
Allowed
  
11
0
Port1
  
192.168.1.x
216.58.214.3
56820
443
TCP
1
00001
Open PCAP

Any ideas?



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    please post a screenshot of your drop rule. I assume your deny rule is at the top of the rule list?

    Is that connection using an IP or a URL?

    The reason I ask is because the second report has used the http proxy.

    Ian

  • 0 in reply to rfcat_vk

    As requested a screenshot:

    As you can see no web protection and application filtering are on, but below it isn't.

     

    The rule is above the standard drop all rule.
    When the drop rule is active traffic is blocked in the webfiltering, http/s is allowed. When creating a new rule to allow traffic on http/https webfiltering stop giving me content, when enable webfiltering everything is allowed.
    Turning off stops the traffic flow, traffic is hitting the firewall new rule.
    Disabling this rule traffic is hitting the drop all rule for a couple of seconds and allows it again, and the traffic is blocked again in the webfiltering.

  • 0 in reply to Rijsbol

    Hi,

    you do not need you drop rule, the default rule works and your setup has the possibility f causing confusion with packed flow.

    Ian

  • 0 in reply to rfcat_vk

    Ok, i removed the rule and everything is blocked, but i can't see the blocked traffic. Only the allowed.
    The greyed out drop rule confused me, I there is a drop rule show it as enable and disable the delete button.

Reply Children
  • 0 in reply to Rijsbol

    Hi,

    that rule was made visible by a large number of requests from forum members. It is showing that the XG drops all traffic that fails to meet a firewall rule. It is identified as firewall rule 0.

    Look in. Log viewer using filters for your IP.

    ian