This article explains what the fwrule="" field in the firewall (packetfilter) log file means, with particular attention to the reserved rule numbers 60001 and 60002 and to the automatically generated NAT rule numbers.
Applies to the following Sophos products and versions: Sophos UTM Software Appliance
The firewall log normally shows a rule number for each entry. For manual firewall rules with logging enabled, this is the number of the rule that matched the packet. Packets dropped automatically by the UTM (for example, because no rule matched at all) are also logged; these carry rule numbers in the reserved 60000 range rather than the number of a user-created rule.
The UTM will not forward traffic sent to a masqueraded WAN IP address unless a client behind the UTM requested it (that is, the packet belongs to an established connection) or a NAT rule redirects the traffic to an internal server. Services running on the UTM itself are the exception, because they accept traffic addressed to the UTM directly. A packet that arrives for a masqueraded address, is not for one of the UTM's own services, is not part of an established connection, and matches no NAT rule is dropped and logged as fwrule 60001.
Most of the time, fwrule="60001" means that you need to configure a NAT rule (usually a DNAT rule), or that an existing NAT rule needs reviewing because the packet is not matching the rule you intended. Check the rule's interface binding, that the source and destination ports are correct, that it matches the correct protocol (TCP, UDP, or both), and that the IP addresses are correct. The srcip, dstip, srcport, dstport, proto and initf fields of the log entry tell you exactly what the packet looked like, so compare them field by field against the rule.
Rule 60002 means the traffic was not destined for the UTM itself and no firewall rule matched the packet (and no transparent interception was applied to it). This is known as a 'Default Drop': by default, packets with no matching firewall rule are dropped.
To resolve this, create a firewall rule matching the traffic's source, service, and destination. Where transparent interception should have applied instead, check that the source or destination host/network is not included on a transparent interception skip list.
Firewall rule numbers of the form 3XXXXXXXXX (ten digits starting with 3) are the automatic firewall rules generated from DNAT rules, while numbers of the form 62XXX are the automatic masquerading rules. The two log entries below show one of each: a packet accepted by an automatic DNAT rule, and a packet logged by a masquerading rule.
2019:04:08-11:21:55 galaxy ulogd: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3000000014" initf="eth0" outitf="eth3" srcmac="00:50:56:c0:00:01" dstmac="00:0c:29:93:cc:85" srcip="192.168.168.1" dstip="172.30.30.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="57051" dstport="51130" tcpflags="SYN"
2019:04:08-11:22:05 gemini ulogd: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62003" initf="eth0" srcmac="00:0c:29:93:cc:a3" dstmac="00:0c:29:69:57:8b" srcip="192.168.168.1" dstip="172.30.30.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="57096" dstport="51130" tcpflags="SYN"
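As an added example (not part of the Sophos article), the following Python script parses ulogd packetfilter log lines of the form shown above and sorts each entry into the categories this article describes: 60001 (no NAT match), 60002 (default drop), 3XXXXXXXXX (automatic DNAT rule), 62XXX (automatic masquerading rule), any other reserved 6XXXX number, and everything else as a manual rule. For each drop it prints the flow in the form you would compare against a NAT or firewall rule. The two accept/log lines are the ones quoted above; the two drop lines, including their MAC addresses and RFC 5737 documentation IP addresses, are constructed for this example, as are the category names.

```python
"""Parse Sophos UTM packetfilter (ulogd) log lines and triage them by fwrule.

Added example, not code from the Sophos article. The accept/log lines in
SAMPLE_LOG are quoted from the article; the two drop lines are CONSTRUCTED.
"""
import re
from collections import Counter

# ulogd writes space-separated key="value" pairs after the "ulogd:" prefix.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

SAMPLE_LOG = """\
2019:04:08-11:21:55 galaxy ulogd: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3000000014" initf="eth0" outitf="eth3" srcmac="00:50:56:c0:00:01" dstmac="00:0c:29:93:cc:85" srcip="192.168.168.1" dstip="172.30.30.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="57051" dstport="51130" tcpflags="SYN"
2019:04:08-11:22:05 gemini ulogd: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62003" initf="eth0" srcmac="00:0c:29:93:cc:a3" dstmac="00:0c:29:69:57:8b" srcip="192.168.168.1" dstip="172.30.30.1" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="57096" dstport="51130" tcpflags="SYN"
2019:04:08-11:23:10 galaxy ulogd: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:0c:29:aa:bb:cc" dstmac="00:0c:29:dd:ee:ff" srcip="203.0.113.10" dstip="198.51.100.5" proto="6" length="60" tos="0x00" prec="0x00" ttl="52" srcport="40000" dstport="443" tcpflags="SYN"
2019:04:08-11:23:12 galaxy ulogd: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" srcmac="00:0c:29:11:22:33" dstmac="00:0c:29:44:55:66" srcip="192.168.168.50" dstip="172.30.30.9" proto="17" length="78" tos="0x00" prec="0x00" ttl="64" srcport="51000" dstport="161"
"""

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_line(line):
    """Return the key="value" fields of one packetfilter line as a dict ({} otherwise)."""
    fields = dict(KV_RE.findall(line))
    if fields.get("sub") != "packetfilter" or "fwrule" not in fields:
        return {}
    return fields


def classify_fwrule(fwrule):
    """Map an fwrule value to the category the article describes (names are ours)."""
    if fwrule == "60001":
        return "no-nat-match"           # masqueraded address, no DNAT rule matched
    if fwrule == "60002":
        return "default-drop"           # no firewall rule matched
    if len(fwrule) == 5 and fwrule.startswith("62"):
        return "auto-masquerade"        # 62XXX: automatic masquerading rule
    if len(fwrule) == 10 and fwrule.startswith("3"):
        return "auto-dnat"              # 3XXXXXXXXX: automatic DNAT rule
    if len(fwrule) == 5 and fwrule.startswith("6"):
        return "auto-other"             # rest of the reserved 60000 range
    return "manual-rule"                # a user-created firewall rule number


def triage(fields):
    """One-line hint built from the fields a NAT or firewall rule has to match."""
    cat = classify_fwrule(fields["fwrule"])
    proto = PROTO_NAMES.get(fields.get("proto", ""), fields.get("proto", "?"))
    flow = "{}:{} -> {}:{}/{} on {}".format(
        fields.get("srcip"), fields.get("srcport", "-"),
        fields.get("dstip"), fields.get("dstport", "-"), proto, fields.get("initf"))
    if cat == "no-nat-match":
        return "60001 " + flow + ": no DNAT matched; check interface binding, service, protocol, IPs"
    if cat == "default-drop":
        return "60002 " + flow + ": no firewall rule matched; add a rule or check interception skip lists"
    return fields["fwrule"] + " " + flow + ": " + cat


def summarize(log_text):
    """Count packetfilter entries per fwrule category."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields:
            counts[classify_fwrule(fields["fwrule"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_line(line)
        if f and f.get("action") == "drop":
            print(triage(f))
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against a real file with `summarize(open("/var/log/packetfilter.log").read())` to see at a glance whether your drops are 60001 (NAT problem) or 60002 (missing firewall rule); the two categories call for different fixes, so counting them separately is the first step of triage.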