Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 2 answers
  • Subscribers 30 subscribers
  • Views 1391 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Default Drop is not logging

Ben@Network

Hello Community,

we have on a firewall (XG210 HA, v18-MR1) the problem that not all dropped connections are listed in the log. This concerns on the one hand ICMP packets and on the other hand (partly) other packets which are not logged by the default drop. We have activated ICMP logging as described here: https://support.sophos.com/support/s/article/KB-000037153?language=en_US


In the default drop all rejected connections should be logged without the need to configure this explicitly.

How can I solve the problem?

Thanks,

Ben



This thread was automatically locked due to age.
  • 0

    Hi,

    the default block rule has no logging. We created a custom block rule before it where we enabled logging.

    We had this problem a few times in the past when we created new zones on the firewall and forgot to put them in the source list of the custom block and log rule. Btw. one could just select any as source zone.

  • 0

    doesn't the newer firmware come with a default block rule now with logging - anybody? maybe it's v18+?

  • 0 in reply to Ryan Partington

    sorry, don't know, we're on 18.0.1 MR-1-Build396 (upgraded step by step from some v17 in the past). and here there is no logging enabled in default block.

  • 0

    Hi Ben,

    The default Drop is currently not logging, last time i talked to our Sophos SE he told me that they wanted to include logging for default drop with v18 but didn't do because of some issues, it'll come in a future release.

    The only way is to create a drop / Reject Rule on Bottom with all (not any) zones to all zones and logging enabled.

    It is important to select all individual Zones instead of the 'any' Zone because 'any' includes the implicite local zone in which system-services like MTA or Proxy have their origin. --> if you select 'any' Zone you'll see Dops of system owned traffic.

    Yours Lukas

  • 0 in reply to lna

    That issue was fixed in mr-2 for those that want to download it.

    if you add your own default drop you can cause issues.

    ian

    ian