Sophos Firewall: Invalid Traffic

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This Recommended Read explains what Invalid Traffic is. Since SFOS v17.0, XG logs something called "Invalid Traffic".

What is Invalid Traffic

The documentation explains this as: 

"Sophos Firewall checks the data packets for conntrack entries. Conntrack entries are generated when connection initializing packets are sent, for example, TCP, SYN, or ICMP echo requests.

If a user sends a packet that doesn't match a current connection, Sophos Firewall logs this as an invalid traffic event.

All firewalls drop multiple TCP RST and TCP FIN packets to prevent attacks. Sophos Firewall drops these packets and records them as invalid traffic events."

It's important to understand the TCP handshake and how a connection works in TCP.

There are a couple of explanations available on the internet.

What is Conntrack

Conntrack (the connection tracking daemon on XG) keeps track of all connections.

  • After the handshake between a client and a server is completed, the connection is tracked on the XG.
  • Either side can "kill" this connection. Most likely this is done with RST (Reset) or FIN (Finish) packets.
  • There are different reasons for a server or client to send such packets.
  • Such packets close and delete the connection on XG. That is the normal way to handle them.
  • But if one side sends multiple such packets, or responds to them after the connection is gone, those packets get dropped by XG as Invalid Traffic.

Most likely this isn't an issue at all. If a service isn't working properly on the server side, the client will kill the session immediately, and such traffic will be displayed as invalid traffic.

There’s no issue on the XG at all. It is an issue with the Client/server.

Clean up process

Another source of invalid traffic is server-side "clean up" processes.

  • A web server has a process or scheduled task that kills all "abandoned" sessions.
  • Most likely an abandoned session on a web server is a session which has had no traffic for X hours.
  • So the server starts to kill those sessions and sends multiple RST/FIN packets to the XG and to the client behind the XG.

XG keeps such sessions for 3 hours by default. After 3 hours of idle time, XG deletes the session. If the web server then sends an RST packet after 5 hours, XG drops it as invalid traffic, because there is no longer a tracked connection it belongs to.

You can increase the conntrack timeout value to 24 hours, or you can decide to disable invalid traffic logging.

 

Personal opinion: I disable Invalid Traffic on all my Sophos appliances because such logging has no value for me.



Updated Disclaimer
[edited by: Erick Jan at 10:24 AM (GMT -7) on 17 Apr 2023]