Clean Up rule "from any, to any, drop" that's allowed on the Internet anyway !!! WTF ?

Hello, can anyone explain that to me?

I have a clean up rule (no. 3) "from any, to any, drop" that allows traffic on the Internet anyway !!! See the rule and the log below.

Is it me, or is this a very serious issue?

  • Big_Buck,

In your first photo where you are creating the firewall rule, look at Action (under Rule Name at the top).  The Action is the clean up rule.  You must choose to either Accept all or Drop All or Reject all.  This means that anything that is not covered in the Advanced section (lower down) will either be Accepted, Dropped, or Rejected (whichever you chose).

  • Hello David

    I'm not sure I follow you here ...  It seems obvious to me that "Clean Up Rule" is the name I have given to this rule and that "DROP" is selected.

    PJR

  • Big_Buck said:

    Hello David

    I'm not sure I follow you here ...  It seems obvious to me that "Clean Up Rule" is the name I have given to this rule and that "DROP" is selected.

    PJR

    Ian and Big_Buck/PJR,

In your example above, I assume the "Clean Up" rule is in last priority after Firewall Rule 3 because something in Advanced in Firewall 3 is set to Allow specific traffic.

    If you set your firewall rules properly, there is no need to have a separate "Clean Up rule".  That practice is unnecessary in Sophos XG Firewall.  If you make a separate "Clean Up" Firewall rule with an Action of Drop/Reject with no settings in Advanced, the firewall rule will either stop all traffic or it will stop nothing.

The Firewall Rule is actually set in the Advanced section.  Go to the Advanced section first to identify the traffic you want to Allow or Deny.  Make all the appropriate policy settings in Intrusion Protection, Traffic Shaping Policy, Web Policy, and Application Control.  The policies can only be set to Allow or Deny.  The traffic that is not addressed by the policies in Advanced will be "cleaned up" by your choice of Accept, Drop, or Reject in the Action section.

In other words, there are basically two general ways to set up a firewall rule in XG.  You can set Action to Drop/Reject all with the Advanced section identifying traffic to Allow.  The opposite is to set Action to Accept all with the Advanced section set to Deny specific traffic.  When you first get your Sophos XG Firewall and set it up, the Default_Network firewall rule is set to Accept all, and all the default policies (Intrusion Protection, Traffic Shaping Policy, Web Policy, and Application Control) identify traffic to Deny.  Regardless of how you set your policies, it is best to set all your firewall rules the same way so they are easy to troubleshoot.

There are two other sections you must also review.  In the firewall menu on the left, click on Web in the Protect section. Then choose Exceptions in the Web menu, in the center of the screen.  Anything listed in this section will bypass all firewall rules.  Also check URL Groups in the Web Menu.  The URLs grouped here can be applied in various ways to the Web Policies in your firewall rules.  The default URL Group of Blocked_URLS_for_Default_Policy is a section where you identify groups of URLs that are blocked by the Default Policy in Web Policies.

  • I may be an idiot after all ...  Could you post a screen shot where the "Advanced Section" is ? We see the word "Advanced" everywhere in XG ... Marketing Stuff ...

    PJR

  • The Advanced section should be in your photo, just above Log Traffic.  Look in another User/Network Rule (or create a new one).

    In the example below, All traffic is Allowed except for what is outlined in Mike's Web Policy and Mike's App Filter.

  • Hello David,

    In the case of "Drop" or "Reject" rules, this "Advanced" section as well as the "Web Malware and Content Scanning" will not show up, i.e. it shows up only on "Accept" rules.  So, how can your statement "In other words, there are basically two general ways to set up a firewall rule in XG.  You can set Action to Drop/Reject all with the Advanced section identifying traffic to Allow." work?

    PJR

  • Big_Buck said:

    Hello David,

In the case of "Drop" or "Reject" rules, this "Advanced" section as well as the "Web Malware and Content Scanning" will not show up, i.e. it shows up only on "Accept" rules.  So, how can your statement "In other words, there are basically two general ways to set up a firewall rule in XG.  You can set Action to Drop/Reject all with the Advanced section identifying traffic to Allow." work?

    PJR

    Yes, that is strange.

According to your log (in your photos), Firewall Rule 3 is allowing some traffic.  Have you checked Firewall Rule 3 or any other firewall rules to see if those sections are missing from those rules too?  Without those two sections, your firewall will allow all traffic and may not be scanning anything.

    Have you tried making a new User/Network Rule?  If you have tried making new firewall rules and those sections are still missing, I would contact Sophos Support: https://www.sophos.com/en-us/support.aspx

  • Hi David,

    did you see the detailed response above from deepit?

    Ian

  • rfcat_vk said:

    Hi David,

    did you see the detailed response above from deepit?

    Ian

    Ian, yes I did.

deepit describes a situation where you have two firewall rules with different Identity settings.  Rule 1 is based on the default setting of Match known users in the Identity section.  Rule 2 is not matching known users.  Deepit describes the outcome I would expect on that setup.

    Based on Big_Buck's photos, there are at least 3 firewall rules on Big_Buck's firewall, but the settings for those are unknown.  This means we have no idea if deepit's situation applies.
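To make the two points in David's replies concrete (first-match evaluation with the clean-up rule in last position, and a known-users rule being skipped for an unauthenticated host so traffic falls through to a later rule, as in deepit's scenario), here is a small Python model of rule ordering. It is an added illustration, not Sophos XG code or its actual matching engine; the rule names, zones, user name and the match_known_users flag are constructed assumptions standing in for XG's Source/Destination and Identity settings.

```python
"""Simplified first-match firewall rule evaluator (added illustration, not Sophos XG code).

Rules are evaluated top to bottom and the first match decides the verdict, so a
"from any, to any, drop" clean-up rule placed last only sees traffic that no
earlier rule matched, and placed first it drops everything. A rule with
match_known_users set is skipped for traffic from a host with no identified
user, so that traffic falls through to later rules. The match_known_users flag
is an assumed simplification of XG's Identity setting, not its real semantics.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    action: str                          # "accept", "drop" or "reject"
    src: Set[str] = field(default_factory=lambda: {"any"})
    dst: Set[str] = field(default_factory=lambda: {"any"})
    match_known_users: bool = False      # only matches traffic from an identified user


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    user: Optional[str] = None           # None: the source host is not authenticated


def matches(rule: Rule, pkt: Packet) -> bool:
    """Zones must fit, and a known-users rule also needs an identified user."""
    if "any" not in rule.src and pkt.src_zone not in rule.src:
        return False
    if "any" not in rule.dst and pkt.dst_zone not in rule.dst:
        return False
    if rule.match_known_users and pkt.user is None:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[str], str]:
    """Return (rule name, action) of the first matching rule; implicit drop if none."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.action
    return None, "drop"


# Constructed sample rule set: an identity-based allow, a plain LAN-to-WAN allow,
# and the clean-up rule from the thread in last position.
RULES = [
    Rule("Rule 1 (known users)", "accept", {"LAN"}, {"WAN"}, match_known_users=True),
    Rule("Rule 2 (LAN to WAN)", "accept", {"LAN"}, {"WAN"}),
    Rule("Clean Up Rule", "drop"),
]

# Constructed sample traffic (zones and user name are made up for the example).
SAMPLES = {
    "authenticated LAN host to WAN": Packet("LAN", "WAN", user="pjr"),
    "unauthenticated LAN host to WAN": Packet("LAN", "WAN"),
    "WAN host to LAN": Packet("WAN", "LAN"),
}


def verdicts(rules: List[Rule] = RULES) -> dict:
    """Map each sample description to the (rule, action) that decided it."""
    return {desc: evaluate(rules, pkt) for desc, pkt in SAMPLES.items()}


if __name__ == "__main__":
    scenarios = {
        "Clean-up rule last": RULES,
        "Rule 2 removed (only a known-users allow before clean-up)": [RULES[0], RULES[2]],
        "Clean-up rule first": [RULES[2]] + RULES[:2],
    }
    for title, rules in scenarios.items():
        print(f"{title}:")
        for desc, (rule, action) in verdicts(rules).items():
            print(f"  {desc:34s} -> {action:6s} by {rule}")
```

Running it shows the three outcomes the thread argues about: with the clean-up rule last, only traffic no other rule claims (here WAN to LAN) reaches it; with Rule 2 removed, the unauthenticated LAN host skips the known-users rule and is dropped by the clean-up rule; with the clean-up rule first, everything is dropped, which is David's "stop all traffic or stop nothing" observation.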

  • Hi David,

where I am having trouble with Big_Buck's drop-everything rule is that it does not hide all those extra bits you are pointing to. I posted my original drop all rule which I have since removed (you can see it in an earlier post in this thread) and it does not have any extra fields as a normal rule does.

I have just created it again and still no extra (advanced) fields. I changed the rule to accept then updated all the missing fields to drop all and added MASQ and a gateway, then saved the rule. Edited the rule and changed it to drop and all the advanced features were gone again.

Some wild thoughts: if you filled in all those fields before making the rule a drop rule, what happens to the values? Does the drop rule actually empty those fields or just mask them? If so, what is the likely effect?

    Ian

  • It is VERY logical to me that the "Advanced" section disappears on a drop rule.  If you drop it, you will not perform any function listed in the "Advanced" section anyway !!! Why would you scan a packet destined to be dropped?  So why show the "Advanced" section then?

    PJR
