
Clean Up rule "from any, to any, drop" that allows traffic on the Internet anyway !!! WTF ?

Hello. Can anyone explain that to me?

I have a clean up rule (no 3) "from any, to any, drop" that allows traffic on the Internet anyway !!! See the rule and the log below.

Is it me, or is this a very serious issue?



  • Hi,

    this is not a serious issue. Where does this rule sit in the firewall rule list and what is its ID, e.g. at the top? Why are you trying to block all internet access? This does not make sense.

    What you are seeing in your log is traffic going out via another rule, e.g. rule id 3.

    XG tests the packets from top down, not by rule number.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
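The point made above (rules are evaluated top-down by list position, not by rule ID) is easy to get wrong when the clean-up rule happens to have a low ID. The following added example is not from any participant in this thread and does not model Sophos code; it is a minimal first-match evaluator over a constructed rule list, plus a check that reports rules which sit below an any/any rule and can therefore never match.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    rule_id: int      # the ID shown in the rule list and in the log; NOT the evaluation order
    src_zone: str     # "LAN", "WAN", or ANY
    dst_zone: str
    action: str       # "accept" or "drop"
    name: str = ""


def matches(rule: Rule, src_zone: str, dst_zone: str) -> bool:
    """A zone pattern of ANY matches every zone; otherwise it must match exactly."""
    return rule.src_zone in (ANY, src_zone) and rule.dst_zone in (ANY, dst_zone)


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str) -> Optional[Rule]:
    """First-match, top-down: the first rule in LIST ORDER that matches wins.
    Rule IDs play no part in the decision."""
    for rule in rules:
        if matches(rule, src_zone, dst_zone):
            return rule
    return None  # nothing matched; a real firewall applies its implicit default drop


def winning_rule(rules: List[Rule], src_zone: str, dst_zone: str) -> Tuple[Optional[int], str]:
    """Return (rule_id, action) as they would appear in a log line for this flow."""
    rule = evaluate(rules, src_zone, dst_zone)
    return (rule.rule_id, rule.action) if rule else (None, "drop")


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules sitting BELOW the first any/any rule: they can never match,
    because the any/any rule above them always matches first."""
    for i, rule in enumerate(rules):
        if rule.src_zone == ANY and rule.dst_zone == ANY:
            return [r.name for r in rules[i + 1:]]
    return []


# Constructed rule lists (not the poster's real configuration). The IDs are
# deliberately out of order: the clean-up rule got ID 3 because it was created
# third, but rule 5 sits above it in the list.
RULES_CLEANUP_LAST = [
    Rule(5, "LAN", "WAN", "accept", "LAN to Internet"),
    Rule(1, "WAN", "LAN", "drop", "stealth"),
    Rule(3, ANY, ANY, "drop", "clean up"),
]

# Same three rules, same IDs, but the clean-up rule was dragged to the top.
RULES_CLEANUP_FIRST = [
    Rule(3, ANY, ANY, "drop", "clean up"),
    Rule(5, "LAN", "WAN", "accept", "LAN to Internet"),
    Rule(1, "WAN", "LAN", "drop", "stealth"),
]

if __name__ == "__main__":
    for label, rules in (("clean-up last", RULES_CLEANUP_LAST),
                         ("clean-up first", RULES_CLEANUP_FIRST)):
        print(label, "LAN->WAN:", winning_rule(rules, "LAN", "WAN"),
              "shadowed:", shadowed_rules(rules))
```

With the clean-up rule last, LAN to WAN traffic is logged against rule 5 as accepted and the clean-up rule only ever sees flows nothing above it claimed; with the clean-up rule dragged to the top, every flow is dropped by rule 3 and the two rules below it are dead. In neither case does a log line citing a drop rule with an "Allowed" verdict make sense, which is why the poster's screenshot is worth a support ticket rather than a rule reshuffle.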

  • Hello 

    Best practice guidelines for "serious" world-class firewall products require the implementation of at least one "stealth" rule and one "clean up" rule. By definition, a "clean up" rule is always the last ... It does what it says: drop everything that was not matched by previous rules and log it.

    So, by definition, nothing is allowed by this rule, or after this rule !!! Yet, we see some traffic is allowed.

    My understanding here is that, on the contrary, it's an awful issue.

  • Hello

    Our clean up rule no 3 is the last. No other rule after that. It should drop everything left. Now, even if it was not the last, logs are showing "Allowed" traffic. It should be "Drop" !!!

    The question asked here is why we still see outbound traffic with that rule no 3, since it is any-any-any-drop?

  • Hello FloSupport

    I am aware of many other products with an implicit "clean-up" rule. Checkpoint namely. Yet their best practices include a clean-up rule anyway. They have an excellent paper here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106597

    But if we come back to the question here, how is it possible that an any-any-any-drop rule allows some traffic? Whether it is the last or not, that should not be !!!

  • Hi,

    two things, first please log a ticket with Sophos support.

    Secondly I would still like to see a screenshot of all your rules, just the overview would be fine.

    Thank you

    Ian


  • I'm very shy to post my rule set for confidentiality reasons.

    I've opened a case 3 days ago. No news yet. What could be more urgent to a firewall vendor than to investigate ipso facto what appears to be a leaking firewall?

  • Hi Big_Buck.

    I think you have a configuration issue with your LAN and interface, but I can't help unless I can see the firewall rules, even if you change or mask the critical parts.


    Regards

    Ian

    Added extra info:- I took Flo's advice and deleted my drop all firewall rule at the very bottom of my firewall list. The dashboard information disappeared, but returned 20 minutes later, looks like a slow log file update.

    Ian


  • How many firewall rules do you have?

  • Hello. Rules and network config, which are very basic and simple to me.

  • Hi Big_Buck,

    thank you for taking the time to edit and post those screenshots. I think we are looking for a loop between a couple of the rules which is causing the firewall configuration to fail.

    At a suitable time where you have at least 30 minutes, I would disable all those rules except rule id 3 and then try accessing the internet; that should fail.

    Put all rules applying to one interface back and try to access the internet, noting if any traffic is reported in rule id 3; allow about 2 to 3 minutes for the configuration to stabilise before each test.

    Repeat this for each interface.

    Ian


  • The thing is we have four Sophos firewalls. Two of them being XG105W. They all behave the same even though the XG105Ws have only 5 very basic rules. They all leak.

    I'll bet an arm and a leg yours do the same without you knowing it ...

    Sophos called me this PM. Could not make any sense out of it, archived this unresolved case, and asked me to call them back when it happens again.


  • Hi Big_buck,

    I had a rule and removed it on Flo's advice and still see the extra stuff being dropped and nothing being passed.

    I will recreate the rule and post the logs afterwards.

    This might seem like a silly question: are all your devices built at the same time, e.g. a new installation or an upgrade from older versions? During v17b testing there were different issues reported depending on new installation or upgrade, and it depended on what you upgraded from.

    Ian


    Pretty pictures.


  • Hey

    Could you PM me with your case number so that I can follow up with what has been troubleshot already?

    Regards,

    FloSupport | Community Support Engineer


    Florentino
    Director, Global Community & Digital Support

  • Case is now closed.

    Support tech opened a Telnet session, generated a few listings with Linux shell commands. That's about it. He did not telnet the other main firewall.

    A "Drop All/Clean Up" rule that allows traffic ... What does it take to press the panic button at Sophos?

  • Hi Big_buck,

    no details provided at this stage, I assume? Hopefully Flo will come back with the answer, because I am inquisitive, or in other words a sticky beak?

    Ian


  • No feedback whatsoever. These leaks happen every 3 days. They'll wait until I call back. When I call back, they'll take 3 days to call me. Looks like a dog running after its own tail in a bowling alley.

    I have been in recurrent communication with Sophos support since May, when we started this migration project. Horror stories on all products. For example, the WEB gateway that required SMBv1 ... Whatever they say, SMBv2 is still problematic. And why have they not implemented SMBv3 in the first place? There is no known way to connect the WEB gateway to XG as of now. If you happen to have a VPN, PAC files and WPAD will fail. Transparent proxy is impossible.

    I tested SEA yesterday (mail gateway). Reporting in there is next to non-existent. Navigating blind. The only workaround is to buy a third party product to have minimal visibility.

    EndPoint has its own load of troubles. Workstations that do not report, for example.

    Sophos support team permanently lives on the prayer that the next release will fix what they can't.

  • Hello


    I presume you have put BOTH "Firewall Rule ID is xx" and "Log Subtype is Allowed" filters in your log view ?


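The double filter suggested above (rule ID and log subtype together) is the right first check, and it can be repeated offline over an exported log. The following is an added example, not code from any participant in this thread or from Sophos: it parses constructed key=value log lines (the field names fw_rule_id and log_subtype and every value are constructed for the example), applies both filters at once, and then goes one step further by cross-checking each line's verdict against a constructed table of what action each rule is configured with, so that an "Allowed" line citing a drop rule is flagged automatically.

```python
import re
from typing import Dict, List

# Constructed log lines in a key=value syslog style (field names assumed for the
# example, not copied from the thread). Line 3 is the anomaly the thread is about:
# the clean-up rule (id 3, a drop rule) appears with an "Allowed" verdict.
SAMPLE_LOG = """\
device="SFW" date=2023-06-01 time=10:00:01 log_type="Firewall" log_subtype="Allowed" fw_rule_id=5 src_zone="LAN" dst_zone="WAN" src_ip=192.0.2.10 dst_ip=198.51.100.7
device="SFW" date=2023-06-01 time=10:00:02 log_type="Firewall" log_subtype="Denied" fw_rule_id=3 src_zone="WAN" dst_zone="LAN" src_ip=203.0.113.5 dst_ip=192.0.2.10
device="SFW" date=2023-06-01 time=10:00:03 log_type="Firewall" log_subtype="Allowed" fw_rule_id=3 src_zone="LAN" dst_zone="WAN" src_ip=192.0.2.11 dst_ip=198.51.100.9
device="SFW" date=2023-06-01 time=10:00:04 log_type="Firewall" log_subtype="Allowed" fw_rule_id=0 src_zone="LAN" dst_zone="LAN" src_ip=192.0.2.12 dst_ip=192.0.2.1
"""

# Constructed rule table: rule id -> verdict the rule is configured to produce.
# Rule id 0 is deliberately absent, so lines citing it are skipped by the check.
RULE_ACTIONS = {5: "Allowed", 1: "Denied", 3: "Denied"}

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict; quoted and bare values both handled."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def filter_rule(entries: List[Dict[str, str]], rule_id: int, subtype: str) -> List[Dict[str, str]]:
    """Both log-viewer filters at once: 'Firewall Rule ID is <rule_id>' AND 'Log Subtype is <subtype>'."""
    return [e for e in entries
            if e.get("fw_rule_id") == str(rule_id) and e.get("log_subtype") == subtype]


def inconsistent_entries(entries: List[Dict[str, str]], rule_actions: Dict[int, str]) -> List[Dict[str, str]]:
    """Lines whose logged verdict contradicts the configured action of the rule they cite.
    Lines citing a rule id not in the table are ignored rather than guessed at."""
    flagged = []
    for e in entries:
        try:
            rid = int(e.get("fw_rule_id", ""))
        except ValueError:
            continue
        expected = rule_actions.get(rid)
        if expected is not None and e.get("log_subtype") != expected:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in filter_rule(entries, 3, "Allowed"):
        print("rule 3 + Allowed:", e["time"], e["src_ip"], "->", e["dst_ip"])
    for e in inconsistent_entries(entries, RULE_ACTIONS):
        print("verdict contradicts rule config:", e["time"], "rule", e["fw_rule_id"], e["log_subtype"])
```

Running this over a real export replaces eyeballing the log viewer: any line returned by the second function is one a support engineer can be pointed at directly, and an empty result after several days is good evidence that the earlier "Allowed" entries came from a different rule than the one the filter was set to.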
  • Hi Big_Buck,

    that screenshot I supplied was just a cut from the log of the failing messages; all the rest of the messages in the logviewer are as expected with valid rule IDs. I was receiving a lot of odd messages, but realised I hadn't added the failing devices to the clientless lists, which when done removed the messages.

    In theory some of your issues are supposed to be resolved in MR-2 when it is released.

    Ian


  • Hello

    MR-2 addresses multiple VPN problems mostly, I understand. That said, I instinctively think there's a problem with routing, since my logs indicate traffic from lan port1 to lan port1 that actually goes on the internet. Routing fucked up ??? VPN and routing are not far apart ...

  • Hi Big_Buck,

    your questioning has made me investigate my XG further. I changed most of my rules to not use ANY, but WAN and LAN; the logviewer still fills up with junk. I powered off one device for a while to see if that would fix some of the strange entries, no luck.

    Besides the denied packets, I also see valid connections with only one port, the internal one. Now this could point at a dud piece of copy code.

    I see a number of my devices having dropped connections to AWS addresses in the US, not sure why.


    I have been very critical of the XG product team's lack of QA in past betas and it hasn't improved. The QA process is broken and the QA manager needs to be sacked because the same errors get through with each version. Billybob has had a number of things to say on the subject as well.

    Ian


  • I was under the impression that when there was no port, it was mostly because the traffic was originating from or destined to the firewall itself ... Or broadcast ... Or some other stuff like that.