FOS18: Reject Rule is allowing traffic

Dear all,

I have just experienced a very strange issue in our XG running 18.0.0 GA-Build379. I have the two rules in place:

Rule 5: Allows HTTP & HTTPS from LAN to WAN
Rule 6: Log and Reject all traffic from LAN -> WAN and vice versa

1. When configuring the XG as explicit webbrowser on my client (xg:3128) I can access websites in WAN even though rule 5 does not allow tcp/3128 as service
2. Even more strange: The aforementioned access only works with rule 6 (Reject) being enabled!

You can see here in the logs that rule 6 is the one that allows access from the client to the webproxy on the XG - even though rule 6 has reject as action!!

If I disable rule 6 the client cannot access the webproxy anymore. The same happens if I change the rule action in rule 6 from Reject to Drop...

Any ideas?
Best Regards
Michael

  • Hi  

    Any specific reason to block WAN to WAN and WAN to LAN in Rule 6? WAN to LAN traffic (Inbound) is always blocked until a specific DNAT/firewall rule configured to allow the traffic to a specific internal destination.

  • In reply to Keyur:

    Hi Keyur,

    no, I just created the rule to Reject/Drop and Log all traffic as mentioned here from Sophos: https://community.sophos.com/products/xg-firewall/f/recommended-reads/118125/sophos-xg-firewall-v17-5-how-to-log-all-dropped-traffic-without-interrupting-other-services

    The rule in the KB article also blocks WAN to WAN and I don't want to create two separate rules for that (1x for LAN -> WAN and 1x for WAN -> LAN). I however can't imagine if that leads to the reject rule allowing traffic - or I am missing something fundmental here.

    /edit: Just tested - I can reproduce exactly the same behavior in vesion 17.5 So this is not related to the migration to v18!

    Best Regards
    Michael

  • That a taff question... 

    So there is the standard proxy, which will take traffic depending on the Rule in Device access. 

    The standard proxy (port3128) will accept the traffic, because Device Access allowing this one on the Port(Zone). 

    But the Firewall Rule will actually notice, there is matching traffic, what should i do? 

    As the Firewall Rule is likely hitting, the log viewer notice this one and put it into place as "Hey there was firewall traffic, which is hitting your rule, but i have to allow it, because of Device access".

    That is the "issue" here. 

    This issue will be resolved in a future version, whenever the Default Drop rule is able to log the dropped traffic. There are feature request to protocol this traffic. 

     

    Another point is: The Proxy in XG is both: Transparent and Standard at the same time. Therefore if you have HTTP/HTTPs enabled, you can actually communicate with the XG via Port 3128.

    Its the same like UTM. The Transparent proxy allows you to communicate with Port 8080. 

  • In reply to LuCar Toni:

    Hi Toni,

    thanks for your answer to this one as well. However, actually I'm not sure if I can follow you or if the situation you describe is actually the issue here. 

    But the Firewall Rule will actually notice, there is matching traffic, what should i do? 

    I guess you mean that the reject-all firewall rule matches because it basically set to Any-Any? In that case you could be right in that the HTTP/HTTPS traffic actually matches that rule. It might also be that the log viewer then handels as you describe and inadvertently reports this traffic as allowed.

    But I have another mysterious one: If I change the rule from REJECT to DROP, access to the web proxy stops working and the log viewer does not report those false positives anymore. Once the rule is set to drop, the behavior is exactly the same as when configuring a web proxy rule with http/https only but not specifying port 3128 (basically the issue from my other thread!).

    In generall it currently still seems to me that all the issues I reported have to do with the drop/reject all rule at the bottom, either the new default one from v18 or a manually created one.

    If someone from Sophos is interested in debugging with me I'm happy to help (I'm from Germany btw.).

    Best Regards
    Michael

  • In reply to layer9:

    Generally speaking it is hard to explain, what is happening here.

    As the proxy creates some sort of "own connection" , you are actually able to drop / reject the proxy own sessions.

    Thats the reason you are able to "destroy" your setup by configuration of a drop rule. The Traffic will not reach the Proxy, as the firewall will drop the traffic before reaching the proxy. 

     

    The "default drop rule 0" on bot on XG is simply a visibility tool. It shows the administrator, there is a deny, if no rule is matching. 

    Down side of this rule: There is no logging for traffic, which does not meet any firewall. So default drop is not logged. 

  • In reply to LuCar Toni:

    Thanks Luca, I guess I'll just leave it at that and remove the manually created drop rule as I don't think it's a good idea to use it in case of such strange effects. I'm rather waiting for Sophos to add logigng to the default drop rule then.

    Best Regards
    Michael