v19.0.1 - Drop & log Rule allows traffic 80/443/3128

Question

Due a log investigation, we have discovered a leak in the firewall policys. 
 If you set a rule with simply complete drop & log from a source to WAN zone, Traffic with destination Ports 80/443 will be allowed. So the traffic flows to the integrated proxy and is processed. It translates the Traffic to Port 3128 (seen in Webfilter logs) while it uses a WEB Rule ID 2 (deny all). 
 So the blocked computers are able to access websites from the exception tab (specially M365 Onedrive & Co could be critical for T0 Servers). 
 Recommendations for MS especially include exceptions for all HTTPS dec/cert val/Malware/ZeroDay/Policy checks 
 Does anyone have a solution for this? It seems to be a design thing,

LuCar Toni · Answer

See: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/LogViewer/Logsbehavior/index.html 
 There is no fix. Essentially it is a behavior to help the users to better understand the drop. 
 Because drop will lead to a unwanted browser drop. Drop by the proxy results in a UI feedback.

LuCar Toni · Answer

Yes for exception traffic, this is a double block in this sense. It is a UX feature for users to better integrate with those blocks. 
 And as mentioned - If you use Reject, you will get the actual behavior of "Browser cannot connect to internet - Is the cable plugged in?"

v19.0.1 - Drop & log Rule allows traffic 80/443/3128

Top Replies