When a Firewall Rule was created

Disclaimer: This information is posted as-is and the content should be referenced at your own risk.

To find the date a Firewall Rule was created, use one of the following methods.

In our scenario, we just created Firewall Rule #8 with the name Test_Date.

1) Using the Log Viewer: Filter by Admin, then search for the phrase "Firewall Rule" or for the name of the Firewall Rule in the search box.

2) Checking in the Logs: Open an SSH connection to the Sophos, go to the Advanced Shell (5 > 3), change to the log directory (cd /log), and filter the firewall_rule log using the following command:

# grep "Test_Date" firewall_rule.log

Sophos115_XN02_SFOS 17.5.9 MR-9# grep "Test_Date" firewall_rule.log
2020-01-10 14:40:05: Firewall - Event: ADD for rule Test_Date. Firewall has 15 rules configured.
2020-01-10 14:40:15: Firewall - Event: MOVE. Firewall has 15 rules configured. First rule details => id: 1, name: Wifi_to_WAN, type: 2, schedule: , Active: 1 . Last rule details => id: 8, name: Test_Date, type: 1, schedule: , Active: 1. Total iptables chains: 15. First template is fw1_mark_mpre. Last template is fw8_mark_mpre.
2020-01-10 14:40:15: Firewall - Event: MOVE. Firewall has 15 rules configured. First rule details => id: 1, name: Wifi_to_WAN, type: 2, schedule: , Active: 1 . Last rule details => id: 8, name: Test_Date, type: 1, schedule: , Active: 1. Total iptables chains: 15. First template is fw1_mark_mpre. Last template is fw8_mark_mpre.
2020-01-10 14:40:16: Firewall - Event: ADD for rule Test_Date. Firewall has 15 rules configured. First rule details => id: 1, name: Wifi_to_WAN, type: 2, schedule: , Active: 1 . Last rule details => id: 8, name: Test_Date, type: 1, schedule: , Active: 1. Total iptables chains: 15. First template is fw1_mark_mpre. Last template is fw8_mark_mpre.
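
As the output above shows, a plain grep for the rule name also returns MOVE events that merely mention the rule, and it would match any other rule whose name contains the same string. The following added example (not part of the original post) keeps only ADD events and reports the earliest timestamp per rule. It assumes the line format shown above and that awk is available in the shell where it runs; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: earliest "ADD" event per firewall rule in firewall_rule.log.
# Assumes the log line format shown in the output above; names are hypothetical.

# first_add_events FILE [RULE_NAME]   (FILE may be "-" for standard input)
# Prints "<timestamp>  <rule name>" for the earliest ADD event of each rule,
# or only for RULE_NAME (exact match, not substring) when it is given.
first_add_events() {
    awk -v want="${2:-}" '
    {
        marker = "Event: ADD for rule "
        start = index($0, marker)
        if (start == 0) next              # MOVE and other events are skipped
        ts = substr($0, 1, 19)            # fixed-width YYYY-MM-DD HH:MM:SS
        rest = substr($0, start + length(marker))
        # The name ends at ". Firewall has", so spaces or dots inside it survive.
        stop = index(rest, ". Firewall has")
        if (stop == 0) next
        name = substr(rest, 1, stop - 1)
        if (want != "" && name != want) next
        # Fixed-width timestamps order correctly as plain strings.
        if (!(name in first) || ts < first[name]) first[name] = ts
    }
    END { for (n in first) printf "%s  %s\n", first[n], n }
    ' "$1" | sort
}

# Constructed sample lines in the same format (not real appliance data).
sample_log() {
    cat <<'EOF'
2020-01-10 14:40:05: Firewall - Event: ADD for rule Test_Date. Firewall has 15 rules configured.
2020-01-10 14:40:15: Firewall - Event: MOVE. Firewall has 15 rules configured. First rule details => id: 1, name: Wifi_to_WAN, type: 2, schedule: , Active: 1 . Last rule details => id: 8, name: Test_Date, type: 1, schedule: , Active: 1.
2020-01-10 14:40:16: Firewall - Event: ADD for rule Test_Date. Firewall has 15 rules configured.
2020-01-11 09:12:30: Firewall - Event: ADD for rule Test_Date_v2. Firewall has 16 rules configured.
EOF
}

# Only the first ADD for the exact name; the MOVE line and Test_Date_v2 are ignored.
sample_log | first_add_events - Test_Date
```

To run it against the live file, pass the log path instead of `-`, for example `first_add_events /log/firewall_rule.log Test_Date`.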

If the logs have rotated, you won't be able to see when the firewall rule was created; however, you can always check in the database.

3) Checking in the Database (for this you need to know the Firewall Rule ID): Open an SSH connection to the Sophos, go to the Advanced Shell (5 > 3), and type the following:

# psql -U nobody corporate -c "select * from tblfirewallrule where ruleid='8'" -x;

-[ RECORD 1 ]-------+------------------------------
ruleid | 8
sourcezoneid |
destzoneid |
firewallaction | 1
ruletype |
attachidentity | f
snatprofileid | 1
webfilterid |
appfilterid |
idpid |
scheduleid |
logginglevel | 1
bandwidthid |
isenable | 1
nextorderid | -1
description |
name | Test_Date
wcatbasedbwpolicy |
routingpolicy | 0
imscanning | 0
appbasedbwpolicy |
dscpval | -1
wafscanning | 0
isuseractdisable | f
ipfamily | 0
nattype | 1
icapprofileid |
policytype | 1
heartbeat | 0
minpermittedhb | 3
ftp | 0
http | 0
https | 0
smtp | 0
smtps | 0
pop | 0
pops | 0
imap | 0
imaps | 0
isreflexive | 0
datatransfer | 0 B
islive | f
createdat | 2020-01-10 14:39:59.477903-08



Updated Disclaimer
[edited by: Erick Jan at 9:58 AM (GMT -7) on 17 Apr 2023]