
Immutable fwrule IDs

Example log:

<30>2019:10:15-08:29:51 gateway ulogd[18690]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="32" initf="eth6.110" outitf="eth1" srcmac="00:24:06:aa:aa:aa" dstmac="00:1a:8c:bb:bb:bb" srcip="192.168.x.y" dstip="192.0.2.74" proto="6" length="52" tos="0x00" prec="0x00" ttl="63" srcport="50421" dstport="443" tcpflags="ACK"

I really like the fwrule="32" info in the log data for troubleshooting. But whenever I add a firewall rule, all subsequent rules (higher fwrule IDs) will increment their fwrule IDs by one, thus breaking the log/fwrule association for all past logs.

Is there any "immutable" identifier for rules which can help to associate past log data with current fw rulesets? And if not, what are the best practices for workarounds?

  • I think an "immutable" identifier is not in the fw log.
    Just an idea. It may be possible to get the name or description of the fw rule via REST API. Dump that as reference for that firewall log.

    Best regards

    Alex

    -

  • There is a way to retain rule numbers over time...

    I like to add disabled rules in the rule list that can later be made into active rules.  It's convenient to have two at the top and others spread throughout that can be used for testing as well as new rules that are enabled.

    I believe that adding extra rules that are disabled does not result in increasing the number of lines of actual code generated by the configuration daemon.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
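Along the lines of Alex's suggestion (dump the rule names as a reference next to the log), here is an added Python example that is not from the thread or from Sophos: it parses the ulogd line quoted in the question and resolves its positional fwrule against the rule-list dump that was current at the log's timestamp, so an insertion that shifts later positions no longer breaks the association for old log lines. The snapshot contents, rule names and dump times are constructed; fetching the real dumps via the REST API is assumed and not shown.

```python
import re
from bisect import bisect_right
from datetime import datetime

# key="value" pairs as ulogd writes them in the packetfilter log.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# The UTM timestamp follows the <PRI> tag: 2019:10:15-08:29:51
TS_RE = re.compile(r'^<\d+>(\d{4}):(\d{2}):(\d{2})-(\d{2}):(\d{2}):(\d{2})')


def parse_packetfilter_line(line):
    """Return (timestamp, fields) for one ulogd packetfilter log line."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no UTM timestamp at start of line")
    ts = datetime(*map(int, m.groups()))
    fields = dict(KV_RE.findall(line))
    if "fwrule" not in fields:
        raise ValueError("line carries no fwrule field")
    return ts, fields


# Constructed rule-list dumps: (time the dump was taken, {position: rule name}).
# In practice each entry would come from a periodic dump of the rule list
# (e.g. via the REST API); the names and times here are invented.
SNAPSHOTS = [
    (datetime(2019, 10, 1), {31: "allow-dns-out", 32: "allow-https-out", 33: "drop-all"}),
    # A rule inserted at position 32 on 2019-10-16 pushes the old 32 down to 33.
    (datetime(2019, 10, 16, 9), {31: "allow-dns-out", 32: "allow-smtp-out",
                                 33: "allow-https-out", 34: "drop-all"}),
]


def resolve_rule(ts, fwrule, snapshots=SNAPSHOTS):
    """Map a positional fwrule id to the rule name in the dump current at ts."""
    times = [t for t, _ in snapshots]
    idx = bisect_right(times, ts) - 1
    if idx < 0:
        return None  # log predates the oldest dump: no reliable association
    return snapshots[idx][1].get(int(fwrule))


# The log line from the question (srcip kept as the author masked it).
LOG_LINE = ('<30>2019:10:15-08:29:51 gateway ulogd[18690]: id="2002" severity="info" '
            'sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" '
            'fwrule="32" initf="eth6.110" outitf="eth1" srcip="192.168.x.y" '
            'dstip="192.0.2.74" proto="6" dstport="443" tcpflags="ACK"')


def rule_name_for_line(line):
    ts, fields = parse_packetfilter_line(line)
    return resolve_rule(ts, fields["fwrule"])
```

Keeping one dump per ruleset change, taken before the change is applied, is what makes the lookup exact; dumps taken on a fixed schedule only bound the ambiguity to the interval between them.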