How do the firewall rules work?

I'm evaluating Sophos XG Home and I can't understand how the packets go through the rules.

In a fresh install (18.5.2) I added a few custom rules:

- first with source: LAN / networks - Any / Schedule - All the time, and destination: WAN / networks - *.DOMAIN_NAME / services - Any; everything else (web filtering, app control) disabled

- second with source: LAN / Any / All the time, and destination: WAN / Any / Any, with the settings "Match known users" and "Use web auth for unknown users"

To my understanding, all the traffic going to www.DOMAIN_NAME should be allowed by the first rule and everything else should be caught by the second rule and allowed after successful authentication by the user - am I wrong? Because it is not working like that ....

Looking at the log I see that traffic to www.DOMAIN_NAME is caught by the second rule, even though I'm not logged in, and some packets are denied and a few seconds later allowed .. :(

Am I making a mistake in the configuration, or do I not understand how it works?

Greetings
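As an added illustration (not from the thread or from Sophos), here is a small Python model of first-match rule evaluation in which an FQDN host object only matches destination IPs the firewall has already learned from DNS answers for that name; that behaviour, the rule numbers and the 34.0.0.123 address are assumptions and constructed values, not taken from the poster's configuration.

```python
# Added example, not from the thread: a simplified first-match rule engine.
# Assumption: a (wildcard) FQDN host object matches only the IPs the firewall
# has learned from DNS answers for names matching the pattern. Until an IP is
# learned, packets to it fall through to later rules.
import fnmatch
from dataclasses import dataclass, field


@dataclass
class FqdnHost:
    pattern: str                      # e.g. "*.googleusercontent.com"
    learned_ips: set = field(default_factory=set)

    def learn(self, name: str, ip: str) -> None:
        """Record an IP seen in a DNS answer for a name matching the pattern."""
        if fnmatch.fnmatch(name, self.pattern):
            self.learned_ips.add(ip)


@dataclass
class Rule:
    rule_id: int
    dst: object                       # FqdnHost or the string "ANY"
    match_known_users: bool = False   # "Match known users" setting

    def matches_dst(self, ip: str) -> bool:
        return self.dst == "ANY" or ip in self.dst.learned_ips


def evaluate(rules, dst_ip, user_authenticated):
    """Return (rule_id, action) for the first rule whose destination matches."""
    for r in rules:
        if not r.matches_dst(dst_ip):
            continue
        if r.match_known_users and not user_authenticated:
            return r.rule_id, "deny_until_auth"   # web auth still pending
        return r.rule_id, "allow"
    return None, "drop"                           # implicit default drop


# Constructed sample mirroring the thread: rule 7 (FQDN, no user match)
# sits above rule 9 (Any, match known users). 34.0.0.123 is a placeholder.
google = FqdnHost("*.googleusercontent.com")
rules = [Rule(7, google), Rule(9, "ANY", match_known_users=True)]


def demo():
    # Packet sent before any DNS answer was seen: rule 7 cannot match yet.
    before = evaluate(rules, "34.0.0.123", user_authenticated=False)
    google.learn("lh3.googleusercontent.com", "34.0.0.123")
    # Same destination after the DNS answer was learned: rule 7 now matches.
    after = evaluate(rules, "34.0.0.123", user_authenticated=False)
    return before, after
```

Running `demo()` shows the same packet first landing on rule 9 (denied pending authentication) and, once the IP is associated with the FQDN, on rule 7; this is one model of the deny-then-allow pattern seen in the log, not a statement of how the product is implemented.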



  • What you're describing seems correct. So somehow you may be thinking you've done something that you haven't. Could you provide screen captures to show your firewall rules, the FQDN, etc.? Obviously black out any serial numbers or other sensitive information that appear -- or crop the capture down.

  • OK, let's see:

    1. one of the default FQDN hosts:

    2. it is used in this rule (no user matching and other stuff) - 2nd from the bottom:

    3. rules order - rule #9 has user matching enabled:

    4. results from LogViewer - this address 34.*.*.123 is a host from the googleusercontent.com domain - it should be caught by rule #7 but is omitted and then first denied and later allowed by rule #9 ...
