
Clean-up rule "from any, to any, drop" that's allowed on the Internet anyway!!! WTF?

Hello. Can anyone explain this to me?

I have a clean-up rule (no. 3) "from any, to any, drop" that allows traffic on the Internet anyway!!! See the rule and the log below.

Is it me, or is this a very serious issue?



  • Hi Big_Buck,

    that screenshot I supplied was just a cut from the log of the failing messages; all the rest of the messages in the logviewer are as expected, with valid rule IDs. I was receiving a lot of odd messages, but realised I hadn't added the failing devices to the clientless lists, which when done removed the messages.

    In theory some of your issues are supposed to be resolved in MR-2 when it is released.

    Ian

  • Hello


    MR-2 mostly addresses multiple VPN problems, I understand. That said, I instinctively think there's a problem with routing, since my logs indicate traffic from lan port1 to lan port1 that actually goes on the internet. Routing fucked up??? VPN and routing are not far apart ...

  • Hi Big_Buck,

    your questioning has made me investigate my XG further. I changed most of my rules to not use ANY, but WAN and LAN; the logviewer still fills up with junk. I powered off one device for a while to see if that would fix some of the strange entries, no luck.

    Besides the denied packets, I also see valid connections with only one port, the internal one. Now this could point at a dud piece of copied code.

    I see a number of my devices having dropped connections to AWS addresses in the US, not sure why.


    I have been very critical of the XG product team's lack of QA in past betas and it hasn't improved. The QA process is broken and the QA manager needs to be sacked because the same errors get through with each version. Billybob has had a number of things to say on the subject as well.

    Ian

  • I was under the impression that when there was no port, it was mostly because the traffic was originating from or destined to the firewall itself ... or broadcast ... or some other stuff like that.

  • Hi Big_Buck,

    now you have me very intrigued so I have started fiddling with the configuration.

    1/. Shut down and restarted the XG.

    2/. I have 2 VoIP phones on their own VLAN; nothing registered in the logviewer even though the firewall rule shows traffic.

    3/. My second ISP connection never shows in the logviewer even though there are active users on the VLAN connected to it.

    4/. You can't have the same names used for different functions even though you can't select that original name, e.g. network groups and clientless users or static IP assignments. You cannot select the static IP address, but you cannot create a network group with the same name.


    Off to do some more experiments.


    Ian

    Update: very annoyed, just found that most of my configuration was wrong. Somewhere in one of my tests I must have made some not so obvious changes. Just put it back the way it was supposed to be, but with "any" changed to more specific identities. Still can't see the VoIP traffic. There is lots of other traffic though. Had to fire up a number of other network devices.

  • Yeah, this would be a serious issue if the Log Viewer was truly reflecting what's happening.

    Unfortunately the Log Viewer is mostly broken and doesn't report correctly on what the device is doing.

    If you want to really know what's happening access the XG Firewall via SSH and use the command line tools.

    The GUI is useful for creating objects, rules, interface status and the occasional report. Serious log analysis using the GUI will just leave you frustrated, confused, no hair and an endless stream of swearing.

  • 2018 soon and still stuck using the CLI ...

    Would you happen to have a list of those commands?

    Thanks

  • Hundreds of "allowed" traffic entries on the clean-up rule today.

  • To update the thread in regards to the allowed traffic that was being experienced, we were able to perform a remote session together to further investigate.

    The traffic that was being passed was his local Sophos Access Points communicating with the internal Sophos XG interface to establish a tunnel. The XG will listen for this local access point traffic regardless of what firewall rules are in place. With the clean-up rule disabled, the access point traffic was still being allowed and received by the XG by the default rule 0. It was just interesting that the traffic was matching this clean-up rule when viewed in the log viewer, perhaps because the rule is encompassing "any>any". I have noted this and will follow up to attempt to replicate with our internal team to report.

    The other traffic that was being allowed was ICMP pings; however, this may have been caused by pings being allowed on the WAN zone via the local service ACL.
    We also disabled this during our troubleshooting call, which I hope will resolve this.

    Regards,

    FloSupport | Community Support Engineer
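    As an added example (not from this thread, and not Sophos's own code or log format), one way to triage the symptom described above: cross-check each log entry's reported action against the configured action of the rule it claims to have matched, and separately set aside traffic that terminates on the appliance itself (access-point tunnel setup, ICMP permitted by the local service ACL), so that only genuine policy discrepancies are escalated. The key=value log layout, the rule table, the service names and the sample lines are all constructed assumptions.

```python
# Constructed example: cross-check firewall log entries against the rule table.
# The key=value layout, field names and sample lines are assumptions,
# not the Sophos XG log format.
import re
from collections import Counter

# Configured rules (constructed). Rule 0 stands in for the firewall's implicit
# default rule that accepts traffic destined to the appliance itself.
RULES = {
    0: {"name": "default (to firewall)", "action": "allow"},
    1: {"name": "LAN to WAN",           "action": "allow"},
    3: {"name": "cleanup any>any",      "action": "drop"},
}

# Services that terminate on the appliance: access-point tunnel setup and
# ICMP allowed by the local service ACL (constructed names).
LOCAL_SERVICES = {"ap-tunnel", "icmp"}

_KV = re.compile(r'(\w+)="?([^"\s]*)"?')

def parse_line(line):
    """Parse one constructed key=value log line into a dict."""
    return dict(_KV.findall(line))

def classify(entry):
    """Return 'ok', 'local-service' or 'mismatch' for one parsed entry."""
    configured = RULES[int(entry["rule_id"])]["action"]
    if entry["action"] == configured:
        return "ok"
    # Logged action disagrees with the rule's configured action.
    if entry["service"] in LOCAL_SERVICES:
        return "local-service"   # accepted by the appliance, not by the policy
    return "mismatch"            # genuine discrepancy worth escalating

def audit(lines):
    """Classify every non-empty line; returns a Counter of verdicts."""
    return Counter(classify(parse_line(l)) for l in lines if l.strip())

# Constructed sample log: rule 3 is the any>any drop rule from the thread.
SAMPLE_LOG = """\
rule_id=1 action=allow src=192.0.2.10 dst=198.51.100.5 service=https
rule_id=3 action=allow src=192.0.2.20 dst=192.0.2.1 service=ap-tunnel
rule_id=3 action=allow src=192.0.2.30 dst=203.0.113.9 service=icmp
rule_id=3 action=drop src=192.0.2.40 dst=203.0.113.7 service=telnet
rule_id=3 action=allow src=192.0.2.50 dst=203.0.113.8 service=smb
"""

if __name__ == "__main__":
    print(audit(SAMPLE_LOG.splitlines()))
```

    In the constructed sample only the SMB line is a real discrepancy; the access-point and ICMP lines are explained by the appliance accepting them itself, as the support engineer describes.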

  • The official CLI documentation is here:

    Sophos Firewall Command Line Reference Guide v16.5


    Also there's a bunch of logfiles in /var/tslog. awarrensmtp.log and awarrenmta.log in particular are useful for Legacy Mode and MTA Mode troubleshooting, respectively.