
Clean Up rule "from any, to any, drop" that allows traffic on the Internet anyway !!! WTF?

Hello. Can anyone explain that to me?

I have a clean up rule (no 3) "from any, to any, drop" that allows traffic on the Internet anyway !!!  See the rule and the log below.

Is it me, or is this a very serious issue?



  • Big_Buck said:

    Hello. Can anyone explain that to me?

    I have a clean up rule (no 3) "from any, to any, drop" that allows traffic on the Internet anyway !!!  See the rule and the log below.

    Is it me, or is this a very serious issue?

    Big_Buck,

    In your first photo where you are creating the firewall rule, look at Action (under Rule Name at the top).  The Action is the clean up rule.  You must choose to either Accept all or Drop all or Reject all.  This means that anything that is not covered in the Advanced section (lower down) will either be Accepted, Dropped, or Rejected (whichever you chose).

  • Hi David,

    I hope you have posted before you finished writing your post because what you posted is a little strange? You have repeated what the rule already does in theory.

    Ian

  • Hello David

    I'm not sure I follow you here ...  It seems obvious to me that "Clean Up Rule" is the name I have given to this rule and that "DROP" is selected.

    PJR

  • Hi,

    Thank you for the feedback.

    We have gone through the details and confirmed that traffic is always getting denied.

    However, we suspect such logging event(s) are getting generated when a connection initially passes through an "ACCEPT" Firewall rule and later on through the "DROP" Firewall rule.

    Possible reasons (for such an ESTABLISHED/ONGOING connection) are:

    - User(s) log out

    - Add/Update/Delete/Enable/Disable/Move in Firewall Rule Table


    Also note that:

    - When traffic is allowed, the firewall logs the traffic when the connection terminates (via client, server or timeout)

    - When traffic is denied, the firewall logs all the denied packets


    Ex: Consider the scenario below, where rules are configured in the given order:

    Rule 1: User based rule with action 'ACCEPT' and 'Logging Enabled'

    Rule 2: Non-user based rule with action 'DROP' and 'Logging Enabled'

    In this case:

    - When the user logs in and initiates a connection, it will match Rule 1

    - When the user logs out (by him/herself or logged out by the firewall), the ongoing connection will start following Rule 2

    - Traffic is now getting denied due to the "DROP" action, and the denied packets will be logged immediately with the correct rule id and action

    - The issue happens when the firewall gets the connection termination event (due to timeout): it logs it with the new rule id (i.e. Rule id 2) and the "Allowed" action (we identified this as an issue in the product)

    Regards,

    Deepti
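The logging behaviour Deepti describes (a connection accepted under Rule 1, re-evaluated against DROP Rule 2 after logout, and its timeout event logged with Rule 2's id but an "Allowed" action) is exactly the kind of inconsistency an admin can audit for in exported logs. The following is an added example, not Sophos code: the key=value log format, field names and sample lines are constructed for illustration, and the rule table mirrors the two-rule scenario in the post. It flags every entry whose logged action contradicts the action of the rule it cites, and notes whether the rule id changed during the connection's lifetime.

```python
"""Audit firewall log entries whose action contradicts the cited rule.

Added example (not Sophos code). Log format and field names are constructed
for illustration; the rule table mirrors the two rules in the post above.
"""
from collections import defaultdict

# Rule table as configured in the post: id -> action.
RULES = {
    1: {"action": "ACCEPT", "user_based": True},   # user-based accept rule
    2: {"action": "DROP", "user_based": False},    # clean-up style drop rule
}

# Constructed sample log (hypothetical key=value format, not XG's real format).
# c1: accepted under Rule 1, then denied under Rule 2 after logout, then a
#     timeout termination event logged with rule_id=2 but action=Allowed.
# c2: a normal connection that stays under Rule 1 for its whole lifetime.
SAMPLE_LOG = """\
ts=100 event=start conn=c1 rule_id=1 action=Allowed user=alice
ts=130 event=packet conn=c1 rule_id=2 action=Denied
ts=131 event=packet conn=c1 rule_id=2 action=Denied
ts=400 event=end conn=c1 rule_id=2 action=Allowed reason=timeout
ts=500 event=start conn=c2 rule_id=1 action=Allowed user=bob
ts=600 event=end conn=c2 rule_id=1 action=Allowed reason=client_close
"""


def parse_line(line: str) -> dict:
    """Split one constructed key=value log line into a dict of strings."""
    return dict(field.split("=", 1) for field in line.split())


def expected_action(rule_id: int) -> str:
    """Action a log entry citing this rule id should carry."""
    return "Allowed" if RULES[rule_id]["action"] == "ACCEPT" else "Denied"


def audit(log_text: str) -> list:
    """Return entries whose logged action contradicts the cited rule's action.

    Each finding also records whether the rule id differs from the one the
    connection was first logged under, which is the signature of a connection
    re-evaluated mid-lifetime (user logout, rule table edit, etc.).
    """
    by_conn = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            entry = parse_line(raw)
            by_conn[entry["conn"]].append(entry)

    findings = []
    for conn, entries in by_conn.items():
        first_rule = int(entries[0]["rule_id"])
        for entry in entries:
            rule_id = int(entry["rule_id"])
            expected = expected_action(rule_id)
            if entry["action"] != expected:
                findings.append({
                    "conn": conn,
                    "ts": int(entry["ts"]),
                    "event": entry["event"],
                    "rule_id": rule_id,
                    "logged": entry["action"],
                    "expected": expected,
                    "rule_changed": first_rule != rule_id,
                })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Run against the sample, only the c1 timeout event is reported: rule 2 is DROP, yet the entry says "Allowed", and the rule id differs from the one the connection started under. Entries for c2 are consistent and produce no finding, which is the expected result for a connection that never crossed a rule boundary.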

  • Big_Buck said:

    Hello David

    I'm not sure I follow you here ...  It seems obvious to me that "Clean Up Rule" is the name I have given to this rule and that "DROP" is selected.

    PJR

    Ian and Big_Buck/PJR,

    In your example above, I assume the "Clean Up" rule is in last priority after Firewall Rule 3 because something in Advanced in Firewall 3 set to Allow specific traffic.

    If you set your firewall rules properly, there is no need to have a separate "Clean Up rule".  That practice is unnecessary in Sophos XG Firewall.  If you make a separate "Clean Up" Firewall rule with an Action of Drop/Reject with no settings in Advanced, the firewall rule will either stop all traffic or it will stop nothing.

    The Firewall Rule is actually set in the Advanced section.  Go to the Advanced section first to identify the traffic you want to Allow or Deny.  Make all the appropriate policy settings in Intrusion Protection, Traffic Shaping Policy, Web Policy, and Application Control.  The policies can only be set to Allow or Deny.  The traffic that is not addressed by the policies in Advanced will be "cleaned up" by your choice of Accept, Drop, or Reject in the Action section.

    In other words, there are basically two general ways to set up a firewall rule in XG.  You can set Action to Drop/Reject all with the Advanced section identifying traffic to Allow.  The opposite is to set Action to Accept all with the Advanced section set to Deny specific traffic.  When you first get your Sophos XG Firewall and set it up, the Default_Network firewall rule is set to Accept all, and all the default policies (Intrusion Protection, Traffic Shaping Policy, Web Policy, and Application Control) identify traffic to Deny.  Regardless of how you set your policies, it is best to set all your firewall rules the same way so they are easy to troubleshoot.

    There are two other sections you must also review.  In the firewall menu on the left, click on Web in the Protect section.  Then choose Exceptions in the Web menu, in the center of the screen.  Anything listed in this section will bypass all firewall rules.  Also check URL Groups in the Web menu.  The URLs grouped here can be applied in various ways to the Web Policies in your firewall rules.  The default URL Group of Blocked_URLS_for_Default_Policy is a section where you identify groups of URLs that are blocked by the Default Policy in Web Policies.

  • I may be an idiot after all ...  Could you post a screen shot where the "Advanced Section" is ? We see the word "Advanced" everywhere in XG ... Marketing Stuff ...

    PJR

  • Big_Buck said:

    I may be an idiot after all ...  Could you post a screen shot where the "Advanced Section" is ? We see the word "Advanced" everywhere in XG ... Marketing Stuff ...

    PJR

    The Advanced section should be in your photo, just above Log Traffic.  Look in another User/Network Rule (or create a new one).

    In the example below, All traffic is Allowed except for what is outlined in Mike's Web Policy and Mike's App Filter.

  • Hello David,

    In the case of "Drop" or "Reject" rules, this "Advanced" section as well as the "Web Malware and Content Scanning" section will not show up.  i.e. It shows up only on "Accept" rules.  So, how can your statement:  "In other words, there are basically two general ways to set up a firewall rule in XG.  You can set Action to Drop/Reject all with the Advanced section identifying traffic to Allow." work?

    PJR

  • Big_Buck said:

    Hello David,

    In the case of "Drop" or "Reject" rules, this "Advanced" section as well as the "Web Malware and Content Scanning" section will not show up.  i.e. It shows up only on "Accept" rules.  So, how can your statement:  "In other words, there are basically two general ways to set up a firewall rule in XG.  You can set Action to Drop/Reject all with the Advanced section identifying traffic to Allow." work?

    PJR

    Yes, that is strange.

    According to your log (in your photos), Firewall Rule 3 is allowing some traffic.  Have you checked Firewall Rule 3 or any other firewall rules to see if those sections are missing from those rules too?  Without those two sections, your firewall will allow all traffic and may not be scanning anything.

    Have you tried making a new User/Network Rule?  If you have tried making new firewall rules and those sections are still missing, I would contact Sophos Support: https://www.sophos.com/en-us/support.aspx

  • Hi David,

    Did you see the detailed response above from Deepti?

    Ian