
Outgoing Traffic from Lan without any outbound Rule

Hi all,

I have kind of a strange problem.

For information: I have worked with Securepoint firewalls prior to Sophos, and now and then with the UTM.

Now we have switched to the XG (450).


Background: The Sophos builds an IPsec tunnel from the head office into the Azure infrastructure, offers LDAPS / AAD / RADIUS etc. ... everything is working fine so far.


The SSL-VPN users (10.242.0.2) have an extra set of rules, where it is specified which machines on Azure side can be reached on which ports.


I am just amazed that, e.g., traffic from the console of the firewall itself goes through from the LAN interface (10.106.72.2), and this traffic with RULE ID 0 goes through without any existing outbound rule.

If I compare that with SSL-VPN traffic, nothing goes through until I activate the corresponding outbound rules. Here in the picture this is rule 2, which is recognized and takes effect.


I once read about it (https://community.sophos.com/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/115743/traffic-is-allowed-out-lan-wan-when-no-lan-wan-fw-rules-exist-i-e-traffic-goes-out-via-rule-0): if there is outbound traffic despite the explicitly missing outbound rule, the XG is not properly licensed. But I see an active license until 2023 in the firewall itself and in the MySophos account.
Anyone have an idea?

In this picture you see that traffic from SSL-VPN gets denied. That's totally OK, as I deactivated the rule, but traffic from the LAN interface goes into the IPsec tunnel without having a rule???

All existing rules on the XG
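A quick audit check for the situation described above, added here as an example and not part of the original post or of Sophos' own tooling: it scans firewall log lines and flags every connection that was *allowed* while matched to rule ID 0, i.e. without an administrator-defined rule, and summarises them per interface path. The key=value line format, the field names (fw_rule_id, log_subtype, in_interface, out_interface) and the sample lines are constructed for this example and should be checked against the log output of your own appliance.

```python
import re
from typing import Dict, List

# Constructed sample lines in a key="value" syslog style (assumed field names).
# Line 1 mirrors the question: LAN host 10.106.72.2 allowed into the tunnel under rule 0.
SAMPLE_LOG = """\
log_type="Firewall" log_subtype="Allowed" fw_rule_id=0 in_interface="Port1" out_interface="ipsec0" src_ip=10.106.72.2 dst_ip=10.1.0.4 dst_port=636 protocol="TCP"
log_type="Firewall" log_subtype="Allowed" fw_rule_id=2 in_interface="tun0" out_interface="ipsec0" src_ip=10.242.0.2 dst_ip=10.1.0.4 dst_port=636 protocol="TCP"
log_type="Firewall" log_subtype="Denied" fw_rule_id=0 in_interface="tun0" out_interface="ipsec0" src_ip=10.242.0.2 dst_ip=10.1.0.5 dst_port=3389 protocol="TCP"
log_type="Firewall" log_subtype="Allowed" fw_rule_id=0 in_interface="Port1" out_interface="Port2" src_ip=10.106.72.10 dst_ip=203.0.113.7 dst_port=443 protocol="TCP"
"""

# Matches key=value where value is either a quoted string or a bare token.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value / key="value" log line into a dict (quotes stripped)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV.finditer(line)}


def implicit_allows(log_text: str) -> List[Dict[str, str]]:
    """Return events allowed under fw_rule_id 0, i.e. with no admin-defined rule matched."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("log_subtype") == "Allowed" and ev.get("fw_rule_id") == "0":
            hits.append(ev)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count implicit allows per in_interface->out_interface path."""
    counts: Dict[str, int] = {}
    for ev in hits:
        key = f'{ev.get("in_interface", "?")}->{ev.get("out_interface", "?")}'
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = implicit_allows(SAMPLE_LOG)
    for ev in hits:
        print(f'rule 0 allowed {ev["src_ip"]} -> {ev["dst_ip"]}:{ev["dst_port"]} '
              f'via {ev["in_interface"]}->{ev["out_interface"]}')
    print(summarize(hits))
```

Any non-empty result means traffic is leaving through the implicit rule rather than a rule you wrote; the per-path summary shows which zones are affected so the missing explicit allow (or the expected drop) can be put in place.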



  • Hi Ian, 

    thanks for that hint. Could you elaborate a bit more? My colleague went through the installation wizard when he first installed the firewall.

    This is a hardware appliance, and from your statement I don't get what supposedly could go wrong during an installation to "disable" the default drop rule :)

    Thanks

    Christian 

  • Hi Christian,

    during installation a number of rules are created as a starting point to allow internet access while you set up your actual rules. They are usually in groups.

    Ian

  • Strange, I thought that as long as there is a "deny all" rule, it will affect all packets and connections which are not explicitly granted. This is how the other firewalls that I know work :D

    Now I understand there is some kind of rule which will then put the "deny all" into effect?

    Strange is that, as mentioned, from SSL-VPN without rules all is blocked,
    from LAN without rules all is granted.

    May I set up an XG as a VM and see what kind of rules are being created, to then create them manually on the hardware appliance?
