Sophos Firewall: How to troubleshoot dropped packets

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This article explains the different reasons Sophos Firewall drops packets and helps beginners find the cause of a packet drop.

Log Viewer

Packets dropped by the following security features are displayed in Log Viewer:

  • Firewall
  • Web filter
  • Application filter
  • IPS
  • Advanced threat protection
  • SSL/TLS inspection
  • Web server protection

Note: Log Viewer keeps only a limited number of records, so check it soon after the problem occurs, before the records are rotated out. If you need the history for longer, forward the logs to a syslog server (Sophos Firewall web admin > System services > Log settings).

Firewall (Invalid traffic)

To view packets dropped by the firewall, go to Sophos Firewall web admin > Log Viewer, and then choose Firewall in the log drop-down menu.

To make the Firewall page easier to read, I recommend resetting the columns: click the "Add/remove columns" button, and then click "Reset to default".

To filter for dropped packets, click "Add filter" and set "Log subtype, is not, Allowed". See the screenshot below for reference.

Note that dropped packets logged as Invalid Traffic, with log subtype Denied and firewall rule N/A, are not a problem in most cases; there is no need to worry about them.

There are several types of Invalid Traffic.

  • Invalid packet
    The most common one is "Invalid packet": a TCP RST or TCP FIN segment that doesn't belong to any connection the firewall is tracking (for example, one that arrives after the connection's conntrack entry has already been removed). Stateful firewalls drop such segments so that spoofed RST/FIN packets can't tear down or interfere with established connections.

  • Could not associate packet to any connection
    Another type is "Could not associate packet to any connection", which refers to a dropped packet that doesn't belong to any known connection.

    Sophos Firewall checks data packets against its conntrack entries. A conntrack entry is created when a connection-initiating packet is sent, for example a TCP SYN or an ICMP echo request.
    If a host sends a packet that doesn't match any established connection, Sophos Firewall drops it and logs it as an invalid traffic event.
    A more detailed explanation can be found at Sophos Firewall Administrator Help > Invalid traffic events.
    Note that "Could not associate packet to any connection" can be caused by asymmetric routing: if the connection's first packet took a path that bypassed Sophos Firewall, the firewall never created a conntrack entry, so the reply packets it does see can't be matched to anything. See the Asymmetric routing section under Troubleshooting below.

  • Invalid packet. No ICMP record found.
    Sometimes the message "Invalid packet, no ICMP record found" is shown.
    This refers to a dropped ping reply for which no matching ping request was seen.
    Such unsolicited ping replies should not be forwarded: they are not part of any legitimate exchange and may be an attempt to probe or tunnel through the network.
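Sophos Firewall can forward its logs to a syslog server, where the same drop records arrive as key=value text, so the triage above can be scripted. The following is an added example and is not part of the article or of any Sophos tool: it parses constructed lines laid out like Sophos Firewall's syslog format (field names such as log_component, log_subtype, fw_rule_id, src_ip and message follow that format, but the lines themselves are made up), separates the usually-benign invalid-traffic noise described above from denies that need a rule review, and flags host pairs with repeated "Could not associate" drops as asymmetric-routing candidates to confirm with a packet capture.

```python
"""Triage drop records exported from Sophos Firewall via syslog.

Added example, not from the article. SAMPLE is constructed to resemble the
firewall's key=value syslog format; it is not a real log.
"""
import re
from collections import Counter

# key=value pairs; the value is either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Invalid-traffic messages the article treats as normal stateful-firewall noise.
BENIGN_INVALID = (
    "Invalid packet",
    "Could not associate packet to any connection",
)

# Constructed sample: one allowed flow, one stray RST/FIN, three replies that
# matched no connection (same host pair), one web-policy deny, one default drop.
SAMPLE = """\
device="SFW" date=2023-04-17 time=10:01:05 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=5 src_ip=192.168.20.7 dst_ip=93.184.216.34 protocol="TCP" src_port=51000 dst_port=443 message=""
device="SFW" date=2023-04-17 time=10:01:07 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=93.184.216.34 dst_ip=192.168.20.7 protocol="TCP" src_port=443 dst_port=51000 message="Invalid packet"
device="SFW" date=2023-04-17 time=10:01:09 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=192.168.20.25 dst_ip=192.168.15.15 protocol="TCP" src_port=80 dst_port=52111 message="Could not associate packet to any connection"
device="SFW" date=2023-04-17 time=10:01:10 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=192.168.20.25 dst_ip=192.168.15.15 protocol="TCP" src_port=80 dst_port=52111 message="Could not associate packet to any connection"
device="SFW" date=2023-04-17 time=10:01:11 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=192.168.20.25 dst_ip=192.168.15.15 protocol="TCP" src_port=80 dst_port=52111 message="Could not associate packet to any connection"
device="SFW" date=2023-04-17 time=10:01:15 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=8 src_ip=192.168.20.7 dst_ip=172.217.1.1 protocol="TCP" src_port=51002 dst_port=443 message=""
device="SFW" date=2023-04-17 time=10:01:20 log_type="Firewall" log_component="Firewall Rule" log_subtype="Violation" status="Deny" fw_rule_id=0 src_ip=192.168.20.7 dst_ip=192.168.15.15 protocol="ICMP" message=""
"""


def parse_line(line):
    """Split one key=value syslog line into a dict."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def classify(rec):
    """Map one record to the drop category the article walks through."""
    if rec.get("log_subtype") == "Allowed":
        return "allowed"
    if rec.get("log_component") == "Invalid Traffic":
        if rec.get("message", "").startswith(BENIGN_INVALID):
            return "invalid traffic (usually benign)"
        return "invalid traffic (review)"
    rule = rec.get("fw_rule_id", "0")
    if rule not in ("0", "", "N/A"):
        return f"denied by firewall rule {rule}"   # check that rule's policies
    return "denied: no matching firewall rule"      # the 'Violation'/'Firewall' case


def triage(log_text):
    """Count records per category, skipping blank lines."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(parse_line(line))] += 1
    return counts


def asymmetric_candidates(log_text, threshold=3):
    """Host pairs with repeated 'Could not associate' drops: the symptom the
    article attributes to asymmetric routing, to be confirmed by packet capture."""
    pairs = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("message", "").startswith("Could not associate"):
            pairs[(rec.get("src_ip"), rec.get("dst_ip"))] += 1
    return [(s, d, n) for (s, d), n in pairs.most_common() if n >= threshold]


if __name__ == "__main__":
    for category, n in triage(SAMPLE).most_common():
        print(f"{n:4d}  {category}")
    for src, dst, n in asymmetric_candidates(SAMPLE):
        print(f"possible asymmetric routing: {src} -> {dst} ({n} unmatched packets)")
```

Point the script at a real syslog export instead of SAMPLE to get the same breakdown for a live firewall; anything that lands in "denied by firewall rule N" is then checked against rule N's web, application, IPS and ATP settings exactly as the sections that follow do by hand.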

Web filter

Sophos Firewall web admin > Log Viewer > Web filter shows packets dropped by the Web filter.

To show only dropped packets, click "Add filter" and set "Log subtype is not Allowed".

In this example, the internal computer 192.168.20.7 cannot access the website http://line.me. The website's category is "Online chat", and the related firewall rule ID is 5.

Go to Sophos Firewall web admin > Rules and policies and check the details of firewall rule ID 5: the web policy "No Online Chat" is applied.

Therefore, Sophos Firewall denied the web access as configured.

Application filter

Sophos Firewall web admin > Log Viewer > Application filter shows packets dropped by the Application filter.

Here we see that a user is denied access to the destination: the traffic is identified as "Aloha Browser", and the related firewall rule is ID 5.

Firewall rule ID 5 has application control turned on to block risk level 4 and 5 apps.
Therefore, Sophos Firewall denies the user access as configured.

IPS

Sophos Firewall web admin> Log Viewer > IPS shows packets dropped by Intrusion Prevention.

In this example, the internal computer 192.168.15.15 can't download a file from 65.8.33.12, because IPS identified the traffic as the EICAR test file. The related firewall rule is ID 5.

Firewall rule ID 5 has IPS enabled.
Therefore, Sophos Firewall dropped the traffic as configured.

Advanced threat protection

Sophos Firewall web admin > Log Viewer > Advanced threat protection shows packets dropped by Advanced threat protection.

In this example, the internal computer 192.168.20.7 can't query the DNS server 192.168.20.250 for a hostname, because Sophos Firewall detected that the hostname is malicious and dropped the DNS query.

Go to Sophos Firewall web admin > Advanced Protection: Advanced threat protection is enabled, and the policy is set to "Log and drop".
Therefore, Sophos Firewall dropped the packet as configured.

SSL/TLS inspection

Sometimes SSL/TLS inspection fails to decrypt a session, which causes an error and the connection fails.

To view records of SSL/TLS inspection, go to Sophos Firewall web admin > Log Viewer, and then choose SSL/TLS inspection in the log drop-down menu.

Create a filter and set "Action is Error" to show only errors.

In this example, the internal computer cannot visit browser.events.data.msn.com due to "TLS engine error: FLOW_TIMEOUT".

The error causes the web access to fail. We can configure Sophos Firewall to exclude the website from SSL/TLS decryption:

  1. Edit the default URL group "Local TLS exclusion list" in Sophos Firewall web admin > Web > URL groups.

  2. Add the website browser.events.data.msn.com. The SSL/TLS inspection engine will then no longer decrypt traffic to that website.

Keep in mind that excluded traffic passes through encrypted and is therefore not scanned by the features that depend on decryption, so add only the hostnames that actually fail and review the exclusion list periodically.

Web server protection (WAF)

For traffic destined for servers protected by web server protection, Sophos Firewall might drop a packet if it's identified as an attack.

To view packets dropped by web server protection, go to Sophos Firewall web admin > Log Viewer, and then choose Web server protection in the log drop-down menu.

In this example, the source computer 10.176.205.52 isn't allowed to access the web server due to "WAF Anomaly", and the firewall rule for the WAF is ID 3.

Firewall rule ID 3 has a web server protection policy enabled.

Checking the details of the protection policy, we can see that the Mode is set to Reject and the Common threat filter is enabled.

Therefore, Sophos Firewall dropped the web server access as configured.

Troubleshooting

Asymmetric routing

In this example, a PC and an HTTP server are connected through a Sophos Firewall.

However, the PC can't access the HTTP service hosted on the server.

Log Viewer > Firewall shows packets from the server to the PC being dropped by Sophos Firewall with the reason "Could not associate packet to any connection".

To verify whether the dropped packets are a problem or not, we need to capture packets.

In Sophos Firewall web admin, go to Diagnostics > Packet capture, and click Configure to add a packet filter.

We want to capture packets between the PC and the HTTP server, so we'll enter the packet filter string "host 192.168.20.25 and port 80".

Save the filter and turn on Packet capture.

Note:

  • The packet filter string uses BPF (tcpdump) syntax and is case-sensitive; keywords such as host, port, tcp and icmp are lowercase.
  • Once the packet filter string is changed, turn packet capture off and then on again to apply the new filter.
  • Turn OFF packet capture after troubleshooting.

Reproduce the issue by attempting to access the HTTP server from the PC again, and then refresh the page to view the captured packets.

We can see that Sophos Firewall received the reply packets from the server to the PC, but no packets from the PC to the server.
That indicates asymmetric routing in the network: the PC's requests reach the server by a path that bypasses Sophos Firewall, so the firewall has no connection to associate the replies with.

The solution is to fix the asymmetric routing in the network so that both directions of the connection pass through Sophos Firewall.
Once it's fixed, the PC can access the HTTP server.
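Sophos Firewall's Packet capture page offers a download of the captured packets as a pcap file (a tcpdump capture from the console works too). The following added example, not from the article, shows how to spot the asymmetric-routing pattern programmatically: it reads a classic libpcap file with Ethernet link type, pairs both directions of each TCP/UDP flow, and reports the flows seen in only one direction. The frames embedded in it are constructed test data reproducing the page's scenario (server 192.168.20.25:80 replying towards a PC whose requests never pass the firewall); the PC address 192.168.15.15 is an assumption, since the article doesn't name it.

```python
"""Find one-directional flows in a pcap: the packet-level signature of asymmetric routing.

Added example, not from the article. Handles classic libpcap files (not pcapng),
Ethernet link type, IPv4 with TCP or UDP. FRAMES is constructed test data, not a
real capture; checksums are left zero because the parser never checks them.
"""
import struct
import sys
from collections import defaultdict


def _ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def tcp_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame with placeholder MAC addresses."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"          # dst MAC, src MAC, IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (magic a1b2c3d4, link type 1)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", ts, 0, len(f), len(f)) + f
               for ts, f in enumerate(frames)]
    return header + b"".join(records)


def flow_directions(pcap_bytes):
    """Count packets per direction for each TCP/UDP flow. The key orders the two
    endpoints so both directions of a connection share one entry."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    flows = defaultdict(lambda: {"fwd": 0, "rev": 0})
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 4:
            continue                                  # not TCP/UDP, or truncated
        sport, dport = struct.unpack("!HH", l4[:4])
        a, b = (src, sport), (dst, dport)
        key = (proto, min(a, b), max(a, b))
        flows[key]["fwd" if a <= b else "rev"] += 1
    return flows


def one_sided_flows(pcap_bytes):
    """Flows with packets in only one direction: the firewall saw one side's
    packets but never the other side's, which is how asymmetric routing looks."""
    return sorted(key for key, d in flow_directions(pcap_bytes).items()
                  if d["fwd"] == 0 or d["rev"] == 0)


# Constructed capture: one healthy HTTPS flow, plus the article's symptom, where
# only the HTTP server's replies towards the PC reach the firewall.
FRAMES = [
    tcp_frame("192.168.15.15", "93.184.216.34", 52112, 443, 0x02),  # SYN
    tcp_frame("93.184.216.34", "192.168.15.15", 443, 52112, 0x12),  # SYN/ACK
    tcp_frame("192.168.15.15", "93.184.216.34", 52112, 443, 0x10),  # ACK
    tcp_frame("93.184.216.34", "192.168.15.15", 443, 52112, 0x18),  # PSH/ACK
    tcp_frame("192.168.20.25", "192.168.15.15", 80, 52111, 0x12),   # SYN/ACK, no SYN seen
    tcp_frame("192.168.20.25", "192.168.15.15", 80, 52111, 0x12),
    tcp_frame("192.168.20.25", "192.168.15.15", 80, 52111, 0x12),
]
CAPTURE = build_pcap(FRAMES)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CAPTURE
    for proto, (ip_a, port_a), (ip_b, port_b) in one_sided_flows(data):
        print(f"one-sided {'TCP' if proto == 6 else 'UDP'} flow: "
              f"{ip_a}:{port_a} <-> {ip_b}:{port_b}")
```

Run it with the downloaded pcap as the argument; a flow that shows up as one-sided with only the server's replies matches the Log Viewer "Could not associate packet to any connection" drops and points at the routing fix rather than at a firewall policy.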

Web filter

In this example, an internal computer behind Sophos Firewall has a problem visiting youtube.com: the video previews aren't loaded.

To troubleshoot the issue:

  1. Open the browser Developer Tools, go to the Network tab, and refresh the web page.
    Developer Tools shows that two domains, yt3.ggpht.com and i.ytimg.com, cannot be loaded.

  2. Go to Sophos Firewall web admin > Log Viewer > Web filter. It shows that URLs on those two domains were denied by firewall rule ID 8 when users visited the YouTube website.

  3. Go to Sophos Firewall web admin > Rules and policies > Firewall rules. Firewall rule ID 8 was configured to drop traffic to those two domains.

Therefore, it is a misconfigured firewall rule.

The solution is to disable (or correct) the firewall rule, after which the YouTube website loads without any problem.

Application filter

In this example, the LAN PC 192.168.20.19 cannot access an FTP server on the Internet.

We need to capture packets in Sophos Firewall web admin to find out whether Sophos Firewall forwards traffic between the LAN PC and the FTP server.

The packet capture filter needs an IP address, not a hostname, so the first step is to look up the FTP server's IP address with the nslookup command on the LAN PC.

The output of nslookup shows that the FTP server has two IP addresses.

To capture packets to and from both IP addresses, the packet capture filter is "host 10.176.200.51 or host 10.176.200.52".

In Sophos Firewall web admin > Diagnostics > Packet capture, toggle off packet capture, set the packet capture filter to "host 10.176.200.51 or host 10.176.200.52", and then toggle packet capture back on.

Reproduce the issue on the LAN PC, then toggle OFF packet capture immediately afterwards so the capture buffer isn't filled with unrelated traffic.

We can see that the FTP traffic from the LAN PC to the external FTP server is controlled by firewall rule ID 5.

Checking the details of firewall rule ID 5, we find that the application control policy "Block high risk Risk level 4 and 5 apps" is enabled.

The next step is to check whether the FTP session is dropped by application control.

Go to Log Viewer > Application filter: it shows that the FTP traffic is dropped, and the application is "FTP Base".

Therefore, Sophos Firewall dropped the FTP connection as configured.

To work around it, we can disable application control in firewall rule ID 5.

Note: Another workaround is to create a new firewall rule for the FTP traffic without application control. A dedicated rule limited to the FTP server's addresses exposes less than turning application control off for all the traffic that rule 5 matches.

DoS protection

In this example, remote access SSL VPN users can't download large files from the internal web server.

Users can log in to the SSL VPN and ping internal resources without problems.

The remote access SSL VPN had been configured to use UDP.

To troubleshoot the issue:

  • I disconnected all other devices from Sophos Firewall, so that only that remote access SSL VPN user and the internal web server were connected.

  • Then I went to Sophos Firewall web admin > Intrusion prevention > DoS attacks.
    Refreshing the page showed that the number of dropped UDP flood packets increased while the user was downloading a file.

That indicates the SSL VPN's UDP traffic was being dropped by Sophos Firewall's DoS protection.

The workaround is to increase the default limit for UDP flood.
I also increased the default limit for TCP flood, as traffic to and from the web server is TCP.

Raise the limits only as far as the legitimate traffic requires; a limit set far above the normal packet rate weakens the flood protection for everything behind the firewall.

Now the remote access SSL VPN user can download files from the internal web server without any problem.

No firewall rule

Sometimes we might experience a ping failure.

In this example, PC 192.168.20.7 behind Sophos Firewall LAN Port1 can't ping another PC, 192.168.15.15, behind Sophos Firewall LAN Port3.

To troubleshoot the issue, capture packets to see whether Sophos Firewall receives and forwards the ping packets.

Go to Sophos Firewall web admin > Diagnostics > Packet capture, and enter "host 192.168.15.15 and icmp" as the filter string to capture the ping packets sent to and from 192.168.15.15 (BPF keywords are lowercase).

Reproduce the issue with ping, and then refresh the Packet capture page.

We can see that Sophos Firewall received the ping packet sent by 192.168.20.7 on LAN Port1, but didn't forward it to the destination: the Status is "Violation" and the Reason is "Firewall", which indicates that no firewall rule allows the traffic.

Therefore, the solution is to create a firewall rule that allows the traffic.

Once the firewall rule for the traffic is created, 192.168.20.7 can ping 192.168.15.15.

Go back to Sophos Firewall web admin > Diagnostics > Packet capture to capture packets again:

  • Clear the captured packets
  • Refresh the page
  • Start the ping again

We can see that

  • Sophos Firewall forwarded the ping sent by 192.168.20.7 out on Port3,
  • it received the ping reply sent by 192.168.15.15 on Port3,
  • and forwarded the ping reply out on Port1 back to 192.168.20.7.

Routing

Network access failures can also be caused by routing issues, and packet capture can help us identify them.

In this example, the LAN PC 192.168.20.19 can't access the PC 192.168.25.16 in a remote IPsec VPN network.

Let's check whether Sophos Firewall receives the ping packet from the LAN PC and forwards it into the IPsec VPN tunnel.

Go to Sophos Firewall web admin > Diagnostics > Packet capture, set the packet filter string to "host 192.168.25.16 and icmp", and toggle ON packet capture.

Reproduce the issue by pinging from the LAN PC again.

Packet capture shows that Sophos Firewall forwarded the ping packet out on Port5.

Port5 is the WAN interface on Sophos Firewall. Sophos Firewall should forward the ping packet out on the IPsec VPN virtual interface, not on WAN Port5.

This is a routing issue, so we need to check the routing configuration on Sophos Firewall.

Go to Sophos Firewall web admin > Routing > SD-WAN routes, and find the SD-WAN route that matches:

  • any incoming interface,
  • any source network,
  • any destination network,
  • any application object, and
  • any user,

and forwards the traffic out on Port5.

Therefore, the cause of the problem is that this SD-WAN route makes Sophos Firewall forward all traffic, including traffic for the VPN network, out on Port5.

The fix is to make the SD-WAN route apply only to traffic destined for the Internet:
edit the Destination networks and set it to "Internet IPv4".
(The order in which Sophos Firewall consults static, SD-WAN and VPN routes can be viewed and changed from the device console with system route_precedence; a catch-all SD-WAN route only wins over the VPN route because SD-WAN routes are consulted first in that order.)

Now the LAN PC can ping the PC in the remote IPsec VPN network.

If we capture packets again, we can see that Sophos Firewall forwarded the ping packet out on XFRM, which is the virtual interface of the route-based IPsec VPN.

Note

  • XFRM is the virtual interface for route-based IPsec VPN
  • ipsec is the virtual interface for policy-based IPsec VPN

Summary

  • There are different reasons for Sophos Firewall to drop a packet, including the following:
    • DoS protection
    • not allowed by any firewall rule
    • web filter
    • application filter
    • IPS
    • Advanced threat protection
    • SSL/TLS inspection
    • web server protection
  • Invalid traffic in Log Viewer isn't a problem in most cases, and we don't need to worry about it.
  • A misconfigured route might cause problems with network access.
  • Packet capture is a useful tool for network troubleshooting.

If the problem can't be identified by the steps above, try disabling the following one at a time, re-testing after each change, to find out which feature causes the problem (and re-enable each feature that turns out not to be the cause):

  • "Match known users" and all scanning in the firewall rule
  • ATP
  • IPS service
  • SSL/TLS inspection engine in Sophos Firewall web admin > Rules and policies > SSL/TLS inspection > SSL/TLS inspection Settings > Advanced settings
  • Firewall acceleration:
    Log in to the SSH terminal of Sophos Firewall as admin,
    choose 4. Device Console, and run the following command:
    system firewall-acceleration disable
    Re-enable it afterwards with system firewall-acceleration enable.

  • If the problem still remains after all the steps above, contact Sophos Support at support.sophos.com/support to investigate the issue further.


Updated Disclaimer
[edited by: Erick Jan at 2:03 PM (GMT -7) on 17 Apr 2023]