
Clean Up rule "from any, to any, drop" that's allowed on the Internet anyway!!! WTF?

Hello. Can anyone explain that to me?

I have a clean up rule (no. 3) "from any, to any, drop" that allows traffic on the Internet anyway!!! See the rule and the log below.

Is it me, or is this a very serious issue?



  • Yeah, this would be a serious issue if the Log Viewer was truly reflecting what's happening.

    Unfortunately the Log Viewer is mostly broken and doesn't report correctly on what the device is doing.

    If you want to really know what's happening access the XG Firewall via SSH and use the command line tools.

    The GUI is useful for creating objects, rules, interface status and the occasional report. Serious log analysis using the GUI will just leave you frustrated, confused, no hair and an endless stream of swearing.

  • 2018 soon and still stuck using CLI ... 

    Would you happen to have a list of those commands?

    Thanks

  • Hundreds of "allowed" traffic on the clean up rule today.

  • To update the thread in regards to the allowed traffic that was experiencing, we were able to perform a remote session together to further investigate.

    The traffic that was being passed was his local Sophos Access Points communicating with the internal Sophos XG interface to establish a tunnel. The XG will listen for this local access point traffic regardless of what firewall rules are in place. With the clean up rule disabled, the access point traffic was still being allowed and received by the XG by the default rule 0. It was just interesting that the traffic was matching this clean up rule when viewed in the log viewer. Perhaps because the rule is encompassing "any>any". I have noted this and will follow up to attempt to replicate with our internal team to report.

    The other traffic that was being allowed was ICMP pings; however, this may have been caused by pings being allowed on the WAN zone via the local service ACL.
    We also disabled this during our troubleshooting call, which I hope will resolve this.

    Regards,

    FloSupport | Community Support Engineer

  • The official CLI documentation is here:

    Sophos Firewall Command Line Reference Guide v16.5

    Also there are a number of log files in /var/tslog. awarrensmtp.log and awarrenmta.log in particular are useful for Legacy Mode and MTA Mode troubleshooting respectively.
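The two causes identified in FloSupport's update (access-point tunnel traffic terminating on the XG itself and handled by rule 0, and ICMP answered under the WAN local service ACL) both have the same shape in the raw firewall log: an entry attributed to the clean-up rule with status "Allow" whose destination is one of the firewall's own interface addresses. The following Python script is an added example, not code from the original thread or from Sophos. It assumes the firewall log is in the key=value format the XG writes (the sample lines below are constructed for illustration, not captured from a device), and it takes the firewall's interface IPs and the IDs of the rules you configured as drop as inputs; it separates entries that are explained by the thread's findings from those that would need checking on the CLI.

```python
import re
from collections import Counter

# Constructed sample log lines in the key=value style of Sophos XG firewall
# logs. Illustrative only; not captured from a real device.
SAMPLE_LOG = """\
device="SFW" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=3 in_interface="Port2" src_ip=192.168.10.21 dst_ip=192.168.10.1 protocol="UDP" src_port=3911 dst_port=2712 srczone="LAN" dstzone=""
device="SFW" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=3 in_interface="Port1" src_ip=203.0.113.7 dst_ip=198.51.100.2 protocol="ICMP" src_port=0 dst_port=0 srczone="WAN" dstzone=""
device="SFW" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=3 in_interface="Port1" src_ip=203.0.113.9 dst_ip=198.51.100.2 protocol="TCP" src_port=51234 dst_port=23 srczone="WAN" dstzone="LAN"
device="SFW" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=1 in_interface="Port2" src_ip=192.168.10.50 dst_ip=93.184.216.34 protocol="TCP" src_port=49200 dst_port=443 srczone="LAN" dstzone="WAN"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def parse_log(text):
    """Parse every non-empty line of a log dump."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarize(entries):
    """Count entries per (rule id, status) so a drop rule logging Allow stands out."""
    return dict(Counter((e.get("fw_rule_id"), e.get("status")) for e in entries))


def allowed_on_drop_rules(entries, drop_rule_ids):
    """Entries the log attributes to a configured drop rule but marks as allowed."""
    return [e for e in entries
            if e.get("fw_rule_id") in drop_rule_ids and e.get("status") == "Allow"]


def explain(entry, firewall_ips):
    """Triage one contradictory entry against the causes found in the thread.

    firewall_ips: addresses of the XG's own interfaces (assumed input). Traffic
    whose destination is the firewall itself is handled by rule 0 / the local
    service ACL, so it is not a forwarding decision of the clean-up rule.
    """
    to_firewall = entry.get("dst_ip") in firewall_ips
    if to_firewall and entry.get("protocol") == "ICMP":
        return ("ICMP to the firewall itself: governed by the local service ACL "
                "for zone %s, not by firewall rules" % entry.get("srczone"))
    if to_firewall:
        return ("traffic terminated on the firewall itself (e.g. access point "
                "tunnel setup): handled by rule 0, not the clean-up rule")
    return ("forwarded traffic allowed by a drop rule: verify on the CLI; a real "
            "bypass if confirmed")


if __name__ == "__main__":
    # Assumed inputs: rule 3 is the clean-up drop rule, and these are the XG's
    # LAN and WAN interface addresses in the constructed sample.
    entries = parse_log(SAMPLE_LOG)
    print("per rule/status:", summarize(entries))
    for hit in allowed_on_drop_rules(entries, {"3"}):
        print(hit["src_ip"], "->", hit["dst_ip"], hit["protocol"], ":",
              explain(hit, {"192.168.10.1", "198.51.100.2"}))
```

Run it against a real dump by replacing SAMPLE_LOG with the firewall log exported from the device and substituting your own interface addresses and drop-rule IDs; any entry that reaches the "forwarded traffic" branch is the one worth confirming from the shell rather than trusting the Log Viewer.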

  • tl;dr

    Log Viewer misrepresents what's actually happening.

    Use other tools (e.g. Console, Advanced Shell) to see what's really happening.

    Replying to FloSupport's update above:

    This is one thing I really think Sophos XG needs - the ability to see ALL firewall rules on the firewall page, not just user created. I created an entry on the Sophos Ideas page a few days ago if anyone else thinks this would be useful:

  • Would you please help.

    I need to hear about how you do it.

    Thanks.

    PJR
