This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Blocked traffic not logged - Bug

Today,

one of my external connection was not working, so I decided to have a look at Security Logs to see which port this application uses.

Blocked traffic is not logged. I filtered by destination IP (because I know the IP), but nothing appears. No filter, same result.

So to know which port was used, I created a Policy rule allowing ALL and then I was able to find the destination port.

This is a bug. Can someone do this test?

Luk

This thread was automatically locked due to age.

Parents

0 Christian Ioiart over 7 years ago

Hello everyone. Just started testing XG Firewall SFOS 17.0.6 MR-6 and I can confirm that in 2018 the symptoms persist.

It would be great if a Sophos engineer could explain this behavior: all blocket outbound traffic from LAN to ANY is indeed blocked by default but it is not logged anywhere.

By adding at the bottom a "DENY ALL THE REST" rule, I could capture the dropped packets. A in-deep explanation about the firewall chains would be welcome.

Could this be corrected with a minor release?

Chris
Cancel
Vote Up 0 Vote Down

Cancel
0 FloSupport over 7 years ago in reply to Christian Ioiart

Hey Christian Ioiart

Traffic not matching any existing firewall rules are dropped under firewall rule 0 in the logs. Please take a look at this KB article for further explanation.

Best,
Cancel
Vote Up 0 Vote Down

Cancel
0 Basti over 7 years ago in reply to FloSupport

I have a weird Loggin entry with my Drop Rule. Why the drop rule allow traffic throw it?

The Rule ->

Regards
Cancel
Vote Up 0 Vote Down

Cancel
0 FloSupport over 7 years ago in reply to Basti

Hey Basti

It looks like the DNS traffic for the 192.168.99.22 host is being allowed through via this rule (ID:44). Your rule might be conflicting with the DNS local service ACL configured for your LAN in System > Administration > Device Access.

Regards,
Cancel
Vote Up 0 Vote Down

Cancel
0 Big_Buck over 7 years ago in reply to FloSupport

Hello Flo,

Yes. And nobody wants that. So, Sophos, fix it, and match this industry standard. You might as well look and match the best (at least, at reporting): Checkpoint

While we are at it, what other things rule "mother-in-law" 0 does ?

Paul Jr
Cancel
Vote Up 0 Vote Down

Cancel
0 Basti over 7 years ago in reply to FloSupport

Hey Flo,

yes you're right, the ACL for DNS is activated. What confuses me about the log entry is the allowed traffic using a deny rule.

So the ACL rules are always above a standard Firewall rule? Possibly this can be indicated differently in the logviewer, when the ACL Rule is set.

Thank you and good night.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Basti over 7 years ago in reply to FloSupport

Hey Flo,

yes you're right, the ACL for DNS is activated. What confuses me about the log entry is the allowed traffic using a deny rule.

So the ACL rules are always above a standard Firewall rule? Possibly this can be indicated differently in the logviewer, when the ACL Rule is set.

Thank you and good night.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data