FOS18: Logging dropped traffic from WAN zone to WAN interface of XG does not seem to work

Dear all,

we're currently implementing a virtual XG 18.0.0 GA-Build379. The XG has one interface in the LAN zone with a private IPv4 address and one in the WAN zone with a public IPv4 address. I have read https://community.sophos.com/products/xg-firewall/f/recommended-reads/116102/understanding-new-decoupled-nat-and-firewall-changes-in-v18 and found out that even though in FOS18 there is a default drop rule #0 at the end, traffic matched by this rule is not being logged.

As I would like to have all dropped traffic being logged, I created a new firewall rule set to log and drop and inserted it before the default rule: https://community.sophos.com/products/xg-firewall/f/recommended-reads/118125/sophos-xg-firewall-v17-5-how-to-log-all-dropped-traffic-without-interrupting-other-services

This works fine if i.e. the client 10.0.0.65 in the LAN zone tries to access service tcp/53 on host 8.8.8.8 in the WAN zone (which is not allowed by any other rule). In this case, traffic is being dropped and logged by the manually created drop rule (#6):

This is also reflected in the policy tester:

However, when trying to access the XG's WAN interface 172.13.71.138 on port tcp/40000 from another WAN host, traffic is being dropped and logged with rule name N/A:

And in this case Policy Tester shows that no matched rule is found:

Shouldn't the manually created Log & Drop rule match in this case as well? Here's a detailed screenshot of my Log & Drop rule:

Or do I have to create a special rule in order to log blocked traffic from WAN hosts destined for the WAN interface of the XG?

Thanks
Michael

  • Hi  

    Did you mean that when you try to access the XG WAN interface IP on port 40000, which is not an actual port set in the configuration, the traffic is getting dropped but it is not showing any firewall rule?

  • In reply to Keyur:

    Hi Keyur,

    yes, exactly. There is neither a DNAT rule nor a local service for port tcp/40000 on the XG's WAN interface. To my understanding, traffic to this port on the WAN interface should then be matched by my log & drop rule. However, no policy is matched and the traffic is logged as blocked with N/A.

    Just also took a look with the tcpdump diagnostic web page and found that the incoming packet has a status of "Violation" with reason "Local ACL":


    So it actually seems there is something hidden in the background that leads to the log & drop rule not being matched.

    Thanks
    Michael

  • In reply to layer9:

    Hi  

    When the traffic is for the XG firewall itself, the firewall rule will not come into the picture; before that, the traffic will be denied and the log component will be shown as Local ACL - https://community.sophos.com/kb/en-us/132814

  • In reply to Keyur:

    Hi Keyur,

    thanks, I didn't know that - but after considering that there are no visible firewall rules for the local services, it kind of makes sense. I guess the manual log & drop rule would however match in the following case then:

    1. DNAT rule configured to port tcp/40000
    2. Firewall rule to tcp/40000 on WAN interface only allows access for source 8.8.8.8
    3. Traffic from all other sources than 8.8.8.8 will match log & drop rule now

    Best Regards
    Michael
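The evaluation order the thread arrives at (Local ACL for traffic addressed to the firewall itself, DNAT before the rule lookup, then top-down firewall rules and the silent default #0) as an added, constructed Python model; this is not Sophos code, the LAN address, the local service ports and the internal web server 10.0.0.80 are assumptions, and it assumes firewall rules are matched on the post-DNAT destination.

```python
"""Simplified model of the XG v18 decision order discussed above (constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

XG_INTERFACE_IPS = {"10.0.0.1", "172.13.71.138"}  # LAN IP assumed, WAN IP from the thread
LOCAL_SERVICES = {22, 443, 4444}                   # assumed enabled admin/local services


@dataclass
class Rule:
    name: str
    action: str                      # "accept" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: frozenset = frozenset()  # empty set means any port
    log: bool = True


def matches(rule, src, dst, dport):
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (not rule.dports or dport in rule.dports))


def evaluate(src, dst, dport, dnat, rules):
    """Return (action, rule_name, logged) for a TCP flow to dst:dport."""
    # 1. DNAT runs before the rule lookup: a published port is rewritten to the
    #    internal host and the flow is then treated as ordinary transit traffic.
    if dst in XG_INTERFACE_IPS and dport in dnat:
        dst, dport = dnat[dport]
    # 2. Traffic still addressed to the firewall itself never reaches the rule
    #    list: the Local ACL decides, and the log shows rule name "N/A".
    elif dst in XG_INTERFACE_IPS:
        action = "accept" if dport in LOCAL_SERVICES else "drop"
        return action, "N/A", action == "drop"
    # 3. Transit traffic: first matching rule wins, else the unlogged default #0.
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule.action, rule.name, rule.log
    return "drop", "#0", False


# Constructed rule base mirroring the thread: a narrow allow, then log & drop.
RULES = [
    Rule("#3 allow 8.8.8.8 to web server", "accept", src="8.8.8.8/32",
         dst="10.0.0.80/32", dports=frozenset({40000})),
    Rule("#6 log & drop", "drop"),
]
DNAT = {40000: ("10.0.0.80", 40000)}  # tcp/40000 on the WAN IP -> internal host
```

Without a DNAT entry, the WAN-to-WAN-interface probe lands in the Local ACL branch; with it, the same probe from a non-whitelisted source falls through to the log & drop rule.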

  • In reply to layer9:

    Hi  

    Please refer to this community thread for more context, it's not actually relevant to this issue but may provide more details to understand - https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/118893/geoip

  • In reply to Keyur:

    Perfect, thank you for your help!

    BR
    Michael

  • In reply to layer9:

    Hi  

    We're glad that we could help you; please reach out to us for further assistance.