How to log Drops from advanced-firewall checks

Question

Hello, 
 
 We have a clients-server based application, where the server is in a different vlan as the clients. 
 The communication between both vlans is routed via SophosXG VLAN Interfaces. (XG430 / 18.5MR1) 
 The GUI firewall rules are configured to allow everything for both vlan-networks in each direction. 
 
 However, this client-server based application doesn't work with this setup. 
 
 Only way to get the application working as expected is to set advanced-firewall bypass via CLI

I assume that the application is not working 100% RFC conform and for example the XG tcp-seq-checking drops the packege.

My problem is, I cant see any dropped packeg in any log on XG firewall. 
 I need to know exactly why the firewall is dropping that traffic in order to contact the application vendors if something is not RFC compliant at application side. 
 
 Can you please tell me how to log such kind of drops from the advanced-firewall checks. 
 
 Thank you for help!

LuCar Toni · Answer

I highly recommend to not do a stateful bypass. 
 Instead remove those commands, use drppkt on the firewall and check, which module is dropping them. 
 Then check, if there are no drops, via tcpdump, what the routing is about.

LuCar Toni · Answer

Likely this is a routing issue. 
 If you check for the ports, your app is using: tcpdump -ni any port #number# 
 It should show you the network flow. Likely it is asymmetrical routing. 
 What are the ports used? 
 You should stop expecting a "core issue" and start looking at the network basics. Because it is most likely some basic issue like routing or something like that.

How to log Drops from advanced-firewall checks

Top Replies