This article provides recommendations on how to add a Drop ALL firewall rule to log dropped traffic without interrupting other services. The following sections are covered:
Applies to the following Sophos products and versions: Sophos Firewall
Sophos XG Firewall has a built-in Drop ALL firewall rule, policy ID #0, which is embedded in the system by default. This rule always sits at the bottom of the firewall rule list and contains a built-in exception for traffic from/to the implicit LOCAL zone for some preprovisioned services, such as:
As this local Drop ALL policy does not log dropped traffic (more information in Sophos XG Firewall: Firewall rule 0 explanation) and is not visible in the GUI when looking at the firewall rule list panel, some administrators may wrongly create an ANY-ANY firewall rule, like this:
However, this policy follows the top-down sequence and therefore takes precedence over the local Drop ALL rule; consequently, the exceptions for the service ports listed above no longer apply (these exceptions exist only in the local Drop ALL policy ID #0).
It is not recommended to create an ANY-ANY (zone) DROP policy. Always select the zone name for both the source and the destination when creating new rules. By selecting every destination zone explicitly (rather than ANY), the internal services will still work correctly.
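To make the ordering effect concrete, here is an added simulation of top-down, first-match rule evaluation with an implicit rule 0 at the bottom (example code, not Sophos code). The zone names, the rule names and the `SYSTEM_SERVICES` set are constructed placeholders; the real preprovisioned services are the ones listed above.

```python
# Added illustration (not Sophos code): first-match, top-down evaluation of a
# firewall rule list with the implicit Drop ALL (policy ID 0) at the bottom.
from dataclasses import dataclass

ANY = "ANY"
ZONES = ["LAN", "WAN", "DMZ"]            # constructed zones; LOCAL is implicit
SYSTEM_SERVICES = {"system-service"}     # placeholder for rule 0's preprovisioned services

@dataclass
class Rule:
    name: str
    src: str            # zone name or ANY
    dst: str            # zone name or ANY
    action: str         # "ACCEPT" or "DROP"
    log: bool = False

def matches(rule, src, dst):
    return rule.src in (ANY, src) and rule.dst in (ANY, dst)

def evaluate(rules, src, dst, service):
    """First matching rule wins (top-down). If nothing matches, the implicit
    policy ID 0 applies: it exempts LOCAL-zone system services and never logs."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule.name, rule.action, rule.log
    if "LOCAL" in (src, dst) and service in SYSTEM_SERVICES:
        return "rule0", "ACCEPT", False
    return "rule0", "DROP", False

# Not recommended: an ANY-ANY DROP sits above rule 0 and swallows its exceptions,
# so LOCAL-zone system traffic is dropped before rule 0 is ever reached.
any_any = [Rule("drop-all-log", ANY, ANY, "DROP", log=True)]

# Recommended: one logging DROP per explicit zone pair. LOCAL is never named,
# so system traffic falls through to rule 0 and keeps its exception.
zone_drops = [Rule(f"drop-{s}-{d}-log", s, d, "DROP", log=True)
              for s in ZONES for d in ZONES]
```

Ordinary zone-to-zone traffic is still dropped and logged by the explicit rules; only the LOCAL-zone exceptions of rule 0 differ between the two rule sets.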