How do the firewall rules work?

I'm evaluating Sophos XG Home and I can't understand how the packets go through the rules.

In a fresh install (18.5.2) I added a few custom rules:

- first, with source: LAN / networks - Any / schedule - All the time, and destination: WAN / networks - *.DOMAIN_NAME / services - Any; everything else (web filtering, app control) disabled

- second, with source LAN / Any / All the time, and destination WAN / Any / Any, with the settings "Match known users" and "Use web auth for unknown users"

To my understanding, all the traffic going to www.DOMAIN_NAME should be allowed by the first rule and any other traffic should be caught by the second rule and allowed after successful authentication by the user. Am I wrong? Because it is not working like that...

Looking at the log I see that traffic to www.DOMAIN_NAME is caught by the second rule even though I'm not logged in, and some packets are denied and a few seconds later allowed... :(

Am I making a mistake in the configuration, or do I not understand how it works?

Greetings

  • What you're describing seems correct. So somehow you may be thinking you've done something that you haven't. Could you provide screen captures to show your firewall rules, the FQDN, etc.? Obviously black out any serial numbers or other sensitive information that appear, or crop the capture down.

  • Another example:

    1. custom domain

    2. included in rule #7:

    3. notification from LogViewer - this IP is a host from the 1e100.net domain:

  • The inconsistent entries you have highlighted in the Log (accepted, denied within seconds) are both applications of Rule 9, so there could be other things going on there. And the success isn't routed to the WAN (no outgoing Port 2 and no NAT). Note that the application of rule 7, in the third line, works and goes out to your gateway (Port 2) and is NAT'd, as you'd expect.

    I'll have to admit that the Log can be confusing to me. For example, note that the two highlighted entries do not have a destination Port. Which still confuses me, because I think we sometimes see the same packet coming in from the LAN -- with no destination port yet -- and then a separate entry where it's going out to the WAN.

    Your Destination Networks list in Rule 7 looks huge, and I imagine it wildcards to thousands of hosts. It's possible that there's a bug when you have many FQDNs in a rule. Have you tried it simplified, with just TestSites?

    Also, you've double-checked that Rule 7, below where we can see, doesn't have any exceptions or matching of users? I'm pretty sure that the Security stuff that's below would register under Logs other than Firewall: IPS, etc. And the LAN and WAN zones are not modified and include only the ports and options that they do by default?

    Again, you really want to create minimal rules and test out one feature at a time. Don't do anything with Users until the rest of the rule is working. Don't have dozens of Destination networks until a single destination works.

    Also, do you have earlier rules that allow DNS and other utility packets to get out? If DNS can't get out, I'm not sure what happens to your wildcards. (The firewall won't see FQDNs; it's just looking at packets and has to do reverse lookups to go from IP addresses to FQDNs. (Or cache forward lookups, I guess.)) Can you do reverse lookups and get the correct results? (I.e. some of your destinations might not be set up correctly in DNS, so the FQDNs you think are matching aren't actually matching.) Also, is the appliance going to the same DNS as your computers?
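The first-match walk and the FQDN caveat discussed in the post above, as an added example (not code from the thread and not Sophos code): a small Python model in which the firewall, which only ever sees destination IP addresses, matches an FQDN or *.domain host object against addresses it has already learned for that name. A client that connects to an address the firewall never tied to the name therefore falls through to the next rule, which is one way the OP's symptom can arise. The rule table, the cache contents, the example.com names and the 203.0.113.x addresses are all constructed; how the real appliance learns names and how "Match known users" is enforced are assumptions of this model, not descriptions of Sophos internals.

```python
"""First-match rule evaluation against FQDN / wildcard host objects.

Added example, not from the thread or from Sophos.  Assumption: the
firewall matches an FQDN object by comparing the packet's destination IP
against addresses it previously learned for that name (a forward-lookup
cache).  All names, addresses and rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

# Constructed forward-lookup cache: name -> addresses the firewall has
# learned.  A real appliance fills this from DNS traffic, not by hand.
DNS_CACHE: Dict[str, Set[str]] = {
    "www.example.com": {"203.0.113.10"},
    "api.example.com": {"203.0.113.20"},
}


@dataclass
class Rule:
    rule_id: int
    src_zone: str
    dst_zone: str
    dst_networks: List[str]       # "Any", a literal IP, "host.name" or "*.name"
    match_known_users: bool = False


def fqdn_matches(pattern: str, name: str) -> bool:
    """Match a name against an FQDN or a *.domain wildcard.

    In this model "*.example.com" covers hosts under the domain but not
    the bare "example.com" (an assumption, not a statement about Sophos).
    """
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    return name == pattern


def addresses_for(pattern: str, cache: Dict[str, Set[str]]) -> Set[str]:
    """Every cached address belonging to a name that matches the pattern."""
    return {ip for name, ips in cache.items()
            if fqdn_matches(pattern, name) for ip in ips}


def dst_matches(network: str, dst_ip: str, cache: Dict[str, Set[str]]) -> bool:
    if network == "Any":
        return True
    try:
        return ip_address(network) == ip_address(dst_ip)
    except ValueError:                      # not an IP literal: FQDN object
        return dst_ip in addresses_for(network, cache)


def first_match(rules: List[Rule], src_zone: str, dst_zone: str, dst_ip: str,
                user_known: bool,
                cache: Dict[str, Set[str]] = DNS_CACHE) -> Optional[Tuple[int, str]]:
    """Walk the rule table top-down and return (rule_id, verdict).

    verdict is "allow", or "auth" when the rule matched but requires a
    known user and the session is unauthenticated (modelled as the point
    where web authentication would be offered).  None is the implicit drop.
    """
    for rule in rules:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if not any(dst_matches(net, dst_ip, cache) for net in rule.dst_networks):
            continue
        if rule.match_known_users and not user_known:
            return rule.rule_id, "auth"
        return rule.rule_id, "allow"
    return None


# The original poster's two rules, as constructed sample data.
RULES = [
    Rule(1, "LAN", "WAN", ["*.example.com"]),
    Rule(2, "LAN", "WAN", ["Any"], match_known_users=True),
]


def demo() -> List[Optional[Tuple[int, str]]]:
    """Three packets from an unauthenticated LAN host."""
    return [
        # Address the firewall learned for www.example.com: rule 1 wins.
        first_match(RULES, "LAN", "WAN", "203.0.113.10", user_known=False),
        # Same site, but the client got an address the firewall never cached
        # (different resolver, CDN rotation): rule 1 cannot match an IP it
        # has never tied to the name, so the packet lands on rule 2.
        first_match(RULES, "LAN", "WAN", "203.0.113.99", user_known=False),
        # Wrong zone pair: nothing matches, implicit drop.
        first_match(RULES, "LAN", "DMZ", "203.0.113.10", user_known=False),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second packet in `demo()` is the interesting one: the rule is written correctly, yet the packet is evaluated by rule 2 because the firewall's view of "*.example.com" is only as good as the addresses it has learned, which is why the post above asks whether the appliance and the clients use the same DNS.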

  • Please read the following KBA from Sophos; it might help with your understanding of packets passing through the firewall.

    Also, if a Log Viewer entry shows a firewall rule and no NAT rule, it usually means the packet has been processed by the proxy.

    life of a packet

    Ian

  • If the OP's example is indicating that a proxy is in play, that might affect their results.

    Hmmm... I scrolled and scrolled through the Firewall log and couldn't find any examples like the OP where there were things like Input Port 1 (LAN) with no Output Port. I don't know if this is v19 or if I'm just confused.

    I may be thinking of packet captures, which did seem to show the same packet with an input port and no output port, then another entry with both input and output ports. I assumed that there are various interfaces off of which packets can be captured, and I don't totally understand some of the internal interfaces -- i.e. not Port1, Port2, etc., but the oddly named internal connections.

    P.S. the "Life of a Packet" in your post isn't a link.

  • Hi Wayne,

    I fixed the link; it now shows as a link.

    Screenshot of the proxy and no proxy in Log Viewer. I don't profess to understand this, but I am sure it has something to do with the way the packets are handled by DPI and the proxy. If you don't tick the 'use the proxy' box but have 'scan HTTP and decrypted HTTPS' ticked, the DPI process passes the traffic off to the proxy for processing after it passes through the DPI process.

    When reviewing the entries in detail, both show use of the proxy port 3128, which from memory does not appear to happen in v18.5.

    Ian
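The two Log Viewer heuristics from this post and the earlier one in the thread (a firewall rule with no NAT rule means the proxy handled the packet; an input interface with no output interface means that record never left for the WAN), as an added example that is not a Sophos tool and not code from the thread. The key="value" line shape and the field names (fw_rule_id, nat_rule_id, in_interface, out_interface, dst_port, status) are assumed to resemble the appliance's syslog export rather than copied from it, and the four log lines are constructed to mirror the OP's denied-then-allowed pair under rule 9.

```python
"""Triage of Log Viewer-style firewall entries.

Added example, not from the thread and not a Sophos tool.  The line
format and field names are assumptions meant to resemble the appliance's
syslog export; the lines in SAMPLE_LOG are constructed, not captured.
Encoded heuristics: firewall rule + no NAT rule -> proxy path; input
interface + no output interface -> the record never reached the WAN.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: rule 7 egressing normally, then rule 9 denying,
# allowing without egress, and finally allowing with egress.
SAMPLE_LOG = """\
status="Allow" fw_rule_id="7" nat_rule_id="1" in_interface="Port1" out_interface="Port2" src_ip="192.168.1.20" dst_ip="203.0.113.10" dst_port="443"
status="Deny" fw_rule_id="9" nat_rule_id="" in_interface="Port1" out_interface="" src_ip="192.168.1.20" dst_ip="203.0.113.99" dst_port=""
status="Allow" fw_rule_id="9" nat_rule_id="" in_interface="Port1" out_interface="" src_ip="192.168.1.20" dst_ip="203.0.113.99" dst_port=""
status="Allow" fw_rule_id="9" nat_rule_id="" in_interface="Port1" out_interface="Port2" src_ip="192.168.1.20" dst_ip="203.0.113.99" dst_port="443"
"""


def parse(log: str) -> List[Dict[str, str]]:
    """Turn each non-empty line into a dict of its key="value" fields."""
    return [dict(KV.findall(line)) for line in log.splitlines() if line.strip()]


def classify(entry: Dict[str, str]) -> Set[str]:
    """Tags explaining why an entry may look odd in the Log Viewer."""
    tags: Set[str] = set()
    if entry.get("fw_rule_id") and not entry.get("nat_rule_id"):
        tags.add("proxy-handled")        # rule matched, no NAT: proxy path
    if entry.get("in_interface") and not entry.get("out_interface"):
        tags.add("no-egress")            # seen on the LAN side only
    if not entry.get("dst_port"):
        tags.add("no-dst-port")
    if entry.get("status") == "Deny":
        tags.add("denied")
    return tags


def verdict_flips(entries: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """(rule, src, dst) keys that were both denied and allowed.

    The thread's "denied, then allowed seconds later" pattern shows up as
    a key carrying both statuses; it is a prompt to look at what else is
    applied on that rule, as the earlier reply suggests, not proof of a bug.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        key = f'rule {e.get("fw_rule_id")} {e.get("src_ip")}->{e.get("dst_ip")}'
        seen[key].add(e.get("status", ""))
    return {k: v for k, v in seen.items() if {"Allow", "Deny"} <= v}


def triage(log: str = SAMPLE_LOG) -> List[Set[str]]:
    """Classify every entry of a log in order."""
    return [classify(e) for e in parse(log)]


if __name__ == "__main__":
    for e, tags in zip(parse(SAMPLE_LOG), triage()):
        print(e["fw_rule_id"], e["status"], sorted(tags))
    print(verdict_flips(parse(SAMPLE_LOG)))
```

Run against a real export, the first thing to check is whether the field names match your firmware's log schema; if they do not, adjust the keys in `classify()` rather than the logic.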
