This article explains why Invalid Traffic log entries are shown in Log Viewer.
Note: Invalid Traffic entries only need attention if they coincide with a disconnection or inaccessibility problem; on their own they are usually harmless.
Applies to the following Sophos products and versions: Sophos Firewall
Invalid Traffic log entries like the following are sometimes seen in Log Viewer:
Starting with firmware version 17, Invalid Traffic logging is enabled by default in Log Settings.
TCP uses flags in the segment header to control the state of a connection. The flags that matter here are SYN, ACK, FIN, RST, PSH and URG.
The XG Firewall implements a connection tracking system (conntrack) that follows every TCP session through the firewall, as well as certain UDP and ICMP sessions.
The XG Firewall checks every data packet against the conntrack table. A conntrack entry is only created by a connection-initiating packet, for example a TCP SYN or an ICMP echo request. If a packet arrives that does not belong to an existing entry, for example a TCP ACK or an ICMP echo reply for which the XG Firewall cannot find the matching TCP SYN or ICMP echo request in the conntrack table, the packet is treated as invalid and dropped, and a record is written to the XG Firewall log.
Note also that TCP RST and TCP FIN packets that do not match a tracked connection are dropped by stateful firewalls in general, which mitigates TCP RST/FIN attacks. The XG Firewall drops them as Invalid Traffic, which is normal.
The default value of the TCP Connection Establishment Idle Timeout on the XG Firewall is 10800 seconds (3 hours). This means that after 3 hours of idle time the conntrack entry expires; if the client then sends another packet on the same connection, it no longer matches any entry in the conntrack table, so the XG Firewall drops the packet, logs it as Invalid Traffic, and then forwards the same packet under a new connection ID.
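The following toy connection tracker is added here to make the two preceding points concrete; it is example code, not Sophos' conntrack implementation. It creates entries only for connection-initiating packets (TCP SYN, ICMP echo request), drops anything that matches no live entry as Invalid Traffic, and expires established TCP entries after an idle timeout. The packet fields, the flow keys, the `invalid_log` list and the sample traffic (a session that goes idle for 3.5 hours, a stray ACK, and an orphan echo reply) are all constructed for illustration. Running the same traffic with the timeout raised to 21600 seconds shows the idle session no longer being logged as invalid.

```python
"""Toy conntrack illustrating why a stateful firewall logs Invalid Traffic.
Added example code; not Sophos' implementation. Field names, flow keys and
sample packets are constructed for illustration."""

from dataclasses import dataclass
import itertools

DEFAULT_TCP_EST_IDLE_TIMEOUT = 10800   # XG Firewall default, seconds (per article)
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "icmp"
    src: str
    dst: str
    ts: float                       # arrival time, seconds
    sport: int = 0                  # tcp source port
    dport: int = 0                  # tcp destination port
    flags: frozenset = frozenset()  # tcp flags, e.g. {"SYN"}, {"ACK", "PSH"}
    icmp_type: int = -1
    icmp_id: int = 0


class ConnTracker:
    """Entries are created only by initiating packets; every other packet
    must match an existing, unexpired entry or it is dropped as invalid."""

    def __init__(self, tcp_est_idle_timeout=DEFAULT_TCP_EST_IDLE_TIMEOUT):
        self.timeout = tcp_est_idle_timeout
        self.entries = {}        # flow key -> {"id": int, "last_seen": float}
        self.invalid_log = []    # stand-in for the Log Viewer "Invalid Traffic" rows
        self._ids = itertools.count(1)

    @staticmethod
    def _keys(p):
        """Forward and reverse flow keys, so reply packets match the entry."""
        if p.proto == "tcp":
            return (("tcp", p.src, p.sport, p.dst, p.dport),
                    ("tcp", p.dst, p.dport, p.src, p.sport))
        return (("icmp", p.src, p.dst, p.icmp_id),
                ("icmp", p.dst, p.src, p.icmp_id))

    @staticmethod
    def _initiates(p):
        if p.proto == "tcp":
            return "SYN" in p.flags and "ACK" not in p.flags   # plain SYN only
        return p.icmp_type == ICMP_ECHO_REQUEST

    def _lookup(self, p):
        for key in self._keys(p):
            entry = self.entries.get(key)
            if entry is None:
                continue
            if p.ts - entry["last_seen"] > self.timeout:
                del self.entries[key]          # idle timer expired: entry is gone
                return None
            return entry
        return None

    def process(self, p):
        """Return ("new", id), ("established", id) or ("invalid", None)."""
        if self._initiates(p):
            conn_id = next(self._ids)
            self.entries[self._keys(p)[0]] = {"id": conn_id, "last_seen": p.ts}
            return "new", conn_id
        entry = self._lookup(p)
        if entry is not None:
            entry["last_seen"] = p.ts          # refresh the idle timer
            return "established", entry["id"]
        # No matching conntrack entry: drop and record as Invalid Traffic.
        detail = sorted(p.flags) if p.proto == "tcp" else p.icmp_type
        self.invalid_log.append({"ts": p.ts, "proto": p.proto,
                                 "src": p.src, "dst": p.dst, "detail": detail})
        return "invalid", None


def sample_packets():
    """Constructed traffic: a TCP session idle for 3.5 h, a stray ACK that
    never had a SYN, then an ICMP echo pair followed by an orphan reply."""
    c, s = "10.0.0.5", "192.0.2.10"
    return [
        Packet("tcp", c, s, 0.0, 51000, 443, frozenset({"SYN"})),
        Packet("tcp", s, c, 0.1, 443, 51000, frozenset({"SYN", "ACK"})),
        Packet("tcp", c, s, 0.2, 51000, 443, frozenset({"ACK"})),
        Packet("tcp", c, s, 12600.0, 51000, 443, frozenset({"ACK", "PSH"})),
        Packet("tcp", c, s, 12600.5, 51001, 443, frozenset({"ACK"})),
        Packet("icmp", c, s, 12601.0, icmp_type=ICMP_ECHO_REQUEST, icmp_id=7),
        Packet("icmp", s, c, 12601.1, icmp_type=ICMP_ECHO_REPLY, icmp_id=7),
        Packet("icmp", s, c, 12602.0, icmp_type=ICMP_ECHO_REPLY, icmp_id=99),
    ]


def run(timeout=DEFAULT_TCP_EST_IDLE_TIMEOUT):
    """Feed the sample through a tracker; return verdicts and the invalid log."""
    ct = ConnTracker(timeout)
    verdicts = [ct.process(p)[0] for p in sample_packets()]
    return verdicts, ct.invalid_log


if __name__ == "__main__":
    for label, t in (("default 10800 s", 10800), ("raised to 21600 s", 21600)):
        verdicts, log = run(t)
        print(label, verdicts, "invalid entries:", len(log))
```

With the default timeout the PSH/ACK sent after 3.5 hours of silence is logged as invalid because its entry has already expired; with the timeout raised to 21600 seconds the same packet is matched as established. The stray ACK on a port that never saw a SYN and the orphan echo reply are invalid under either setting, which is the behaviour you want from a stateful firewall.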
To verify the currently configured TCP Connection Establishment Idle Timeout value, log in to the command line interface (CLI), choose option 4. Device Console, and run the following command:
To avoid triggering a large number of these Invalid Traffic log entries, increase the TCP Connection Establishment Idle Timeout value. Keep in mind that a longer timeout keeps idle entries in the conntrack table for longer, so it consumes more tracking state on a busy firewall.
For example, the following command increases the TCP Connection Establishment Idle Timeout value to 6 hours (21600 seconds):
set advanced-firewall tcp-est-idle-timeout 21600