Denied packets when accessing Sophos XG GUI

Working with Sophos XGS 126.

Whenever I access the Firewall's GUI, which I can access fine, I notice that multiple Denied Packets are being logged. I am not sure if this is normal behavior, and I hadn't noticed this before we updated to the SFOS 19.5.0 GA-Build197. I do not know for sure if this was happening before the firmware upgrade, but I am noticing similar packets on our other Sophos Firewall. I just want to make sure my configuration is correct on the firewall. There are no restrictions set up when trying to access devices on the LAN.

Any ideas? 



  • Hi Kyle,

    Thank you for reaching out to Sophos Community.

    For invalid Traffic, you may refer to the following KB.

    community.sophos.com/.../sophos-firewall-invalid-traffic

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi,

    thank you, that is the answer to a post 3 years ago where I asked the same question. I thought the issue was caused by my Mac having a 10Gb interface, but now on a new Mac using wifi I see more denied access packets than before. Why does the firewall drop so many packets? It is on the same segment and switch as the Mac.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Basically this is normal. 

    In a normal communication, there is a server and a client. If one of the two wants to close the connection, it basically sends a RST packet to the other end. But most applications "burst" these RST packets, meaning there are 1-X copies of the same packet.

    A stateful firewall will take the first RST packet to clear its conntrack table. So SFOS will take the first packet and flush the connection. But if there are 2-X more of the same packets, SFOS will not find a related connection and therefore drop the packet. It is basically useless overhead traffic. 

    Most firewalls are not logging this traffic. You can disable invalid traffic logging as well. 

    Then there is the other part of invalid traffic. After X hours, most servers/clients will check their connection tables and clear the idle connections. If there are idle connections, it is usually the case to send a "please flush your table" packet (RST or FIN) to the client/server. SFOS will clear/flush the table every 3 hours with no packets. But some servers are using 6-24h to do this cleanup. This packet is basically not important.

    About the first reason: If there is a "reason to close the connection" (for example, you enter the wrong credentials and the app wants to close the connection), this can lead to the same invalid traffic. 

    __________________________________________________________________________________________________________________
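The mechanism this reply describes (first RST flushes the conntrack entry, every duplicate in the burst then has no state and is dropped; a server-side FIN that arrives hours after the firewall expired the entry is dropped the same way) can be reproduced with a toy stateful table. The following Python is an added example written for this thread, not Sophos code: the direction-independent 4-tuple, the 3-hour idle expiry, the 1-second "burst" window, the addresses and the packet trace are all assumptions or constructed values.

```python
# Added example for this thread (not Sophos code): a toy conntrack table that
# reproduces why a burst of RST packets, or a late FIN after the idle timeout,
# shows up as "denied"/"invalid traffic" on a stateful firewall.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumed idle expiry for the toy table; the reply says SFOS flushes idle
# connections roughly every 3 hours, so the same value is used here.
IDLE_TIMEOUT = 3 * 3600
# Assumed window within which a second RST/FIN on a just-flushed flow is
# treated as part of the application's "burst" rather than a new event.
BURST_WINDOW = 1.0


@dataclass(frozen=True)
class Packet:
    t: float      # seconds since the start of the trace
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # any of "S" (SYN), "A" (ACK), "R" (RST), "F" (FIN)


def flow_key(p: Packet) -> FrozenSet[Tuple[str, int]]:
    """Direction-independent endpoint pair, so both sides hit one entry."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Conntrack:
    def __init__(self) -> None:
        self.table: Dict[FrozenSet, float] = {}    # live flows -> last seen
        self.flushed: Dict[FrozenSet, float] = {}  # flows closed by RST/FIN -> when
        self.expired: Dict[FrozenSet, float] = {}  # flows removed by idle timeout -> when
        self.log: List[Tuple[str, str, Packet]] = []

    def _expire(self, now: float) -> None:
        for k in [k for k, seen in self.table.items() if now - seen > IDLE_TIMEOUT]:
            self.expired[k] = now
            del self.table[k]

    def process(self, p: Packet) -> str:
        self._expire(p.t)
        k = flow_key(p)
        closing = "R" in p.flags or "F" in p.flags
        if k in self.table:
            if closing:
                # The first RST/FIN is honoured: the entry is removed at once.
                del self.table[k]
                self.flushed[k] = p.t
                self.log.append(("accept", "flush", p))
            else:
                self.table[k] = p.t
                self.log.append(("accept", "established", p))
            return "accept"
        if "S" in p.flags and "A" not in p.flags:
            self.table[k] = p.t
            self.log.append(("accept", "new", p))
            return "accept"
        # No state for this packet: a stateful firewall drops it and, if
        # invalid-traffic logging is on, records a denied packet.
        if closing and k in self.flushed and p.t - self.flushed[k] <= BURST_WINDOW:
            reason = "RST burst duplicate"
        elif closing and k in self.expired:
            reason = "late close after idle timeout"
        else:
            reason = "no matching state"
        self.log.append(("drop", reason, p))
        return "drop"

    def drop_summary(self) -> Dict[str, int]:
        out: Dict[str, int] = {}
        for verdict, reason, _ in self.log:
            if verdict == "drop":
                out[reason] = out.get(reason, 0) + 1
        return out


# Constructed trace: an admin workstation talking to the firewall's web UI
# (port 4444 is the SFOS default admin port; the addresses are made up).
FW, ADMIN = "192.168.1.1", "192.168.1.50"
TRACE = [
    Packet(0.0000, ADMIN, 50000, FW, 4444, "S"),
    Packet(0.0100, ADMIN, 50000, FW, 4444, "A"),
    Packet(0.5000, ADMIN, 50000, FW, 4444, "R"),   # first RST: flushes the entry
    Packet(0.5001, ADMIN, 50000, FW, 4444, "R"),   # duplicates of the burst
    Packet(0.5002, ADMIN, 50000, FW, 4444, "R"),
    Packet(1.0000, ADMIN, 50001, FW, 4444, "S"),
    Packet(1.0100, ADMIN, 50001, FW, 4444, "A"),
    Packet(5.0000, "10.0.0.9", 1234, FW, 22, "A"),        # unsolicited, never had state
    Packet(1.0 + 4 * 3600, FW, 4444, ADMIN, 50001, "F"),  # server-side cleanup after 4h
]


def run_trace(trace: List[Packet] = TRACE) -> Tuple[Conntrack, Dict[str, int]]:
    ct = Conntrack()
    for p in trace:
        ct.process(p)
    return ct, ct.drop_summary()


if __name__ == "__main__":
    ct, summary = run_trace()
    for verdict, reason, p in ct.log:
        print(f"t={p.t:9.4f} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] {verdict} ({reason})")
    print(summary)
```

Running it shows five accepted packets and four drops: two RST burst duplicates, one late FIN after the idle expiry, and one packet that never had state. That split is also the useful triage question for real denied-packet logs: drops on a 4-tuple the firewall accepted and closed milliseconds earlier are the burst noise this reply describes, while drops on 4-tuples with no prior accepted traffic are the ones worth a closer look before turning invalid-traffic logging off.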


  • Is it normal, when I am connected into the gui from my specific computer, for constant packets to be sent from my computer originating from different ports to be denied? I am not just talking about one packet, the firewall receives constant packets whenever I am connected. This makes sense that it would, but most of them are denied packets. 

  • It is. Basically, for whatever reason, your client is closing the connection a lot and maybe rebuilding it. It could have several reasons. But as long as you do not experience any problem, I would always recommend disabling invalid traffic. It does not serve a real purpose.

    __________________________________________________________________________________________________________________

  • I have disabled logging invalid packets again. Interestingly, some days there are many packets and other days very few. Though you can disable logging, the high number of denied accesses would indicate that there is something wrong, even though you can ignore the error messages.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.