Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 71 replies
  • Subscribers 37 subscribers
  • Views 139841 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Clean Up rule "from any, to any, drop" that's allowed on the Internet anyway !!! WTF ?

Big_Buck

Hello  Can anyone explain that to me ?

I have a clean up rule (no 3) "from any, to any, drop" that allows traffic on the Internet anyway !!!.  See the rule and the log below.

Is it me, or this is a very serious issue ?



This thread was automatically locked due to age.
Parents
  • 0

    Yeah, this would be a serious issue if the Log Viewer was truly reflecting what's happening.

    Unfortunately the Log Viewer is mostly broken and doesn't report correctly on what the device is doing.

    If you want to really know what's happening access the XG Firewall via SSH and use the command line tools.

    The GUI is useful for creating objects, rules, interface status and the occasional report. Serious log analysis using the GUI will just leave you frustrated, confused, no hair and an endless stream of swearing.

  • 0 in reply to ChrisKnight

    2018 soon and still stuck using CLI ... 

    Would you happen to have a list of those commands ?

    Thanks

  • 0 in reply to FloSupport

    Hi flo,

    not wanting to sound picky, but that looks and sounds like UTM not XG. No loginuser on XG.

    Ian

  • 0 in reply to FloSupport

    I use putty 0.70 in SSH

    There's no alternative but to log as "admin" (literally)  then punch the corresponding administrative password.  Unless I miss something.

     5850.untitled.txt 

    Since nothing seems standard here, please reply and posts commands i could cut and paste on the telnet session.

    PJR

  • 0 in reply to FloSupport

    here the command for TCPDUMP

    tcpdump -i Portxx -w file.pcap -s0 -b

    or just

    tcpdump -w file.pcap -s0 -b

     

    the file will be at /tmp because when you login to sophos and pick 5 and 3 will goes to /tmp folder. or just do

    pwd

    remember, at my /tmp partition, there only 5 Gig, so remove the PCAP file after you have tcpdump pcap file

    the logs are at /log just do ls -la at root folder or

    ls -la /

    to move the pcap from XG just do

    scp file.pcap root@xxx.xxx.xxx.xxx:/tmp

    or using sftp whenever you like application and do analyze that pcap file from another machine

     

    hope can help.

     

    thank you

  • 0 in reply to H Obe RS

    Thanks for this info.

    Logs that indicates « drop traffic is allowed  anyway » happen mostly in « batch » with time in-between from minutes to hours.  Log file will eventually become gigantic.

    Is it possible to dump logs on a USB key instead ? I could format a 64 gig USB key and plug into the appliance in seconds.

    Windows SCP cannot connect to the XG210.  Connection is dropped.  Putty SSH putty works.  But not Putty sftp.  I have properly set things up in the XG210's administrative menu (ssh, https, et.c. are enabled.) 

    PJR

  • 0 in reply to Big_Buck

    Now I am getting ATP alarms !!!

    Besides, allowed stuff can now be counted - excluding what is coming from our own network - at several hundreds.

    ​UTQ is also on alert mode.

    "drop-all rule" has transported 13 meg of stuff today.  All desktops shutdown.

    Really need to fix this log issue URGENTLY.

    This situation is absolute non-sens.

  • 0 in reply to Big_Buck

    you can not get the file from XG with traditional file transfer, try installing, winscp or filezilla server at the windows machine and turn off the windows firewall and transfer/send the file from XG to Windows, not from windows to XG.

    yes ucan mount the USB for logging. just write the dump to usb that already mounted before with the command

     

    tcpdump -w /mnt/file.pcap -s0 -b

  • 0 in reply to Big_Buck

    Hey All,

    To hopefully give some more clarity regarding this "clean-up" rule behavior, I discussed this situation with a few senior engineers.

    During my investigation with  we noticed that the traffic entries shown as allowed on the log viewer by his any>any>drop cleanup-rule was traffic that should have been matched to the implicit any>any default rule 0.

    The traffic included internal Sophos AP traffic communicating with the internal interface to establish a tunnel, external User Portal, and SSL VPN traffic that was allowed via local service ACLs. This traffic was accepted as the local service ACLs take precedence over the firewall rules. Normally this traffic is shown in the log viewer as being matched to the catch-all default rule 0. However, with the clean-up rule enabled, traffic is being shown as matching this explicit any>any rule and being allowed, thus causing the confusion.

    As advised, this clean-up rule is unnecessary as any traffic not matching to a configured firewall rule is denied by the implicit default rule 0. If you would still like to create such a static explicit rule, it would be better to configure separate specific zone rules instead (LAN>WAN>Drop, WAN>LAN>Drop, DMZ>LAN>Drop). This would avoid the possible rule conflict and confusion being caused.

    Regards,

    FloSupport | Community Support Engineer

  • 0 in reply to FloSupport

    Hi FloSupport,

     

    Did you raise an internal bug?

    Because if we can only see the firewall rules we create and not the implicit hidden rules that are there, then the Log Viewer needs to consistently report ONLY against the rules we create.

    If the confusion is being created because the Log Viewer is correctly reporting the policy behaviour of the visible AND hidden rules, then we need to be able to see ALL the rules so our world view of the rules and their precedence align with what Log Viewer is telling us.

    I can't trust Log Viewer when analysis of underlying log files and command line output tells me something different (e.g. Log Viewer tells me an e-mail is sent correctly, while awarrenmta.log has logged delivery failure and remote mail server logs agree with what's in awarrenmta.log).

  • 0 in reply to FloSupport

    We thank you for looking at this, but what are we supposed to think here ? It's hard to rely and have confidence in a product that decides what's good for the user or not.

    Again, if we compare with Checkpoint, they have many implicit rules, and we clearly see them in the rule set.  We can also manage them by activating it or not, and by defining if they are last, before last, first, et.c.  And it has been like this for three decades.  It is not like fresh news let's say ...

    Sophos engineer is asking us to navigate blind.  We have no clue what's in the "0" rule, or where it is in the priority list.  Or how many of these "0" rules there are.  All logs related in the ACL seems to be dumped in the same can as the clean-up task's logs.  And all of this in a much broken fashion.  That is not desirable. clean, or in par with the industry's best practices.

     

    Is this gonna be fixed ? 

  • 0 in reply to Big_Buck

    Hey  and  

    I will notify the appropriate team in regards to this issue. However, please visit this feature-request submitted by  to our Sophos Ideas page and upvote it for more visibility in the meantime.

    Regards,

    FloSupport | Community Support Engineer

Reply Children
No Data