During scheduled time - overrides the reject setting in a firewall rule

I am using XG 17.5.0

I set a firewall rule based on IP to reject a connection therefore turning off network access to that device.  This works correctly.

When I add the "During scheduled time" by choosing School days as the option the network connectivity is allowed even though the rule is still set to "Reject".  The hour when this was tested was outside the allowable school hours.  

Is this a bug or am I missing something?


  • I'd like to clarify what I think is happening.  When the "During scheduled time" is active in the firewall rule, regardless of whether the device is in or outside the time frame for usage, the rule is bypassed.  I noticed I had no activity on that rule when I chose "School days", so the rule is being bypassed.

    The question then is why the rule is being bypassed when "During Scheduled Time" options are utilized.  The rule works correctly when "all the time" is chosen.

  • In reply to Nicholas Miles:

    The rule will need to be at the top of your rule list.

    Ian

  • In reply to rfcat_vk:

    Hmm... the rule is at the top of the list.  I'm also unclear how this is supposed to fix the rule being bypassed when "During scheduled time" is used.

  • In reply to Nicholas Miles:

    Just making sure. Next thing to check is the time on the XG.

    I will add a time based rule to my XG as a test.

    Ian

  • In reply to rfcat_vk:

    I did check the time before posting and the time is correct on XG.  

  • In reply to rfcat_vk:

    Hi Nicholas,

    I set up a rule which failed because I have other rules further down the list which allow the client device to access the internet. The rule test will work its way down all rules until it finds there are none that match and then will log a failed/denied connection.

    If you wish to block access to the internet you need an active rule that has the time settings that specifically matches the device you want to block/allow. All other rules should be set so that they do not match the device concerned.

    I use DHCP static and clientless users/groups to control access on my networks.

    Ian

  • In reply to rfcat_vk:

    Again, thanks Ian.

    I have a rule that is related to a specific device.  The DHCP on the wireless box has the MAC address and assigns the IP (this is working correctly).  The Sophos XG then has a rule that the IP is to have access based on the "During scheduled time".  I can reject the device and it works, I can provide access and that works.  When I set the "During scheduled time" to anything but "anytime" the rule is bypassed.

    My understanding of the option "During scheduled time" is that it controls when a user can get access and when they cannot.  That being the case it doesn't work, because it disregards the rule in the firewall even if I set the rule to "reject".

    Of course I can use other rules to block access to the specific device based on IP, but that defeats the point of having a "During scheduled time" option in the rule.

  • In reply to Nicholas Miles:

    Hi Nicholas,

    What rule do you see being used by the device when it is supposed to be blocked?

    Ian

  • In reply to rfcat_vk:

    I set up a device with the source as LAN, and the source device (desktop computer) has the specific IP which was set up under Hosts and Services (IP Host).  The destination zones and networks are any/any.  This is the rule that is bypassed when using "During scheduled time" for anything but "anytime".

  • In reply to Nicholas Miles:

    Hi Nicholas,

    What rule is being used when the bypass fails?

    Does your school hours block schedule look like this?

    Ian

  • In reply to rfcat_vk:

    Essentially yes, with a few adjustments to the hours, but otherwise the same.

  • In reply to Nicholas Miles:

    I applied that time rule to my VoIP firewall rule and was not able to make any calls.

    As advised earlier, I limit my device access to matching clientless access groups and if the device is not in that group there is no internet access.

    If you open the log viewer, set up the block rule, and then access the internet using the 'blocked' IP, which rule is shown as being used?

    Ian

  • In reply to rfcat_vk:

    I finally got some time to review your comments and play with the firewall rules.  I was able to resolve this, but it does seem counterintuitive.  Your comments were helpful in figuring this out. In the end I used two rules to accomplish what I wanted.  I cloned a second rule, right after the active rule, that simply rejects the device based on IP.  If I choose the "During scheduled time" rule and the time is outside the accessible time, the rule gets bypassed and as a result the traffic gets rejected by the second rule.

    Seems to be working for now. I'll be testing it more as the family uses the system this week.
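The behaviour worked out in this thread (a schedule is part of a rule's match condition, so outside the window the rule does not match and evaluation falls through to whatever comes next) is easy to see in a small first-match model. The following is an added example, not Sophos XG code or anything from the posters; the rule and schedule shapes, the Mon-Fri 08:00-15:00 window standing in for "School days", the device address 192.0.2.10 and the rule names are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed model of first-match firewall evaluation. This is not Sophos XG
# code; the rule and schedule shapes are simplified assumptions for illustration.


@dataclass(frozen=True)
class Schedule:
    """A recurring weekly window: active on the given weekdays (Mon=0 .. Sun=6)
    between start and end. Windows that cross midnight are not modelled."""
    weekdays: frozenset
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Rule:
    name: str
    source_ip: Optional[str]              # None matches any source
    action: str                           # "accept" or "reject"
    schedule: Optional[Schedule] = None   # None means "all the time"

    def matches(self, src_ip: str, when: datetime) -> bool:
        if self.source_ip is not None and self.source_ip != src_ip:
            return False
        # A schedule is part of the match condition: outside the window the
        # rule simply does not match, and evaluation continues to the next rule.
        if self.schedule is not None and not self.schedule.contains(when):
            return False
        return True


def evaluate(rules, src_ip: str, when: datetime):
    """Return (action, rule_name) of the first matching rule, or the implicit
    final drop when nothing in the list matches."""
    for rule in rules:
        if rule.matches(src_ip, when):
            return rule.action, rule.name
    return "drop", "default"


# Constructed schedule standing in for the thread's "School days": Mon-Fri 08:00-15:00.
SCHOOL_DAYS = Schedule(frozenset({0, 1, 2, 3, 4}), time(8, 0), time(15, 0))
STUDENT_PC = "192.0.2.10"   # documentation-range address standing in for the device


def build_rules(with_followup_reject: bool):
    rules = [
        # Top rule: the device may reach the internet only during school hours.
        Rule("student-pc-school-hours", STUDENT_PC, "accept", SCHOOL_DAYS),
    ]
    if with_followup_reject:
        # The fix arrived at in the thread: an unscheduled reject for the same
        # device, placed directly after the scheduled rule.
        rules.append(Rule("student-pc-otherwise-reject", STUDENT_PC, "reject"))
    # A broad rule further down that lets every LAN host out.
    rules.append(Rule("lan-to-wan-any", None, "accept"))
    return rules


def demo():
    """Evaluate the device at three constructed times with and without the follow-up reject."""
    in_hours = datetime(2019, 3, 6, 10, 0)   # Wednesday 10:00
    evening = datetime(2019, 3, 6, 20, 0)    # Wednesday 20:00
    weekend = datetime(2019, 3, 9, 10, 0)    # Saturday 10:00
    without = build_rules(with_followup_reject=False)
    fixed = build_rules(with_followup_reject=True)
    return {
        "one_rule_in_hours": evaluate(without, STUDENT_PC, in_hours),
        "one_rule_evening": evaluate(without, STUDENT_PC, evening),  # falls through to lan-to-wan-any
        "two_rules_evening": evaluate(fixed, STUDENT_PC, evening),
        "two_rules_weekend": evaluate(fixed, STUDENT_PC, weekend),
        "two_rules_in_hours": evaluate(fixed, STUDENT_PC, in_hours),
        "other_host_evening": evaluate(fixed, "192.0.2.20", evening),
    }


if __name__ == "__main__":
    for label, (action, rule) in demo().items():
        print(f"{label:20s} -> {action:6s} via {rule}")
```

With only the scheduled rule in place, the evening and weekend lookups land on `lan-to-wan-any`, which is the "bypass" seen in the thread; adding the unscheduled reject directly below the scheduled rule is what turns those into rejects, while other hosts and the in-hours case are unaffected. When debugging this on a real appliance, the log viewer's rule-ID column is the equivalent of the rule name this model returns.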