V18 Log and block all dropped traffic not working

Hello,

Before the default greyed-out Drop all rule, I created a new rule to log and block all traffic, the same as in this recommended post: https://community.sophos.com/products/xg-firewall/f/recommended-reads/118125/sophos-xg-firewall-v17-5-how-to-log-all-dropped-traffic-without-interrupting-other-services
Like this:

DROP_ALL (#11): LAN, Any host -> WAN, Any host, Any service, action Drop (in 0 B, out 6.98 MB)

But DNS traffic is blocked:

2020-07-23 20:58:46  Firewall Rule  Denied  rule ID 11  0  in Port1  out Port2  192.168.1.x:49291 -> 8.8.8.8:53  UDP  1  message ID 00002

And https/http is not blocked:

2020-07-23 20:58:46  Firewall Rule  Allowed  rule ID 11  0  in Port1  out (empty)  192.168.1.x:56820 -> 216.58.214.3:443  TCP  1  message ID 00001

Any ideas?

  • Hi,

    Please post a screenshot of your drop rule. I assume your deny rule is at the top of the rule list?

    Is that connection using an IP or a URL?

    The reason I ask is because the second report has used the http proxy.

    Ian

  • In reply to rfcat_vk:

    As requested a screenshot:

    As you can see, no web protection or application filtering is on, but below it isn't.

    The rule is above the standard drop all rule.
    When the drop rule is active, traffic is blocked in the web filtering, but http/s is allowed. When I create a new rule to allow traffic on http/https, web filtering stops giving me content; when I enable web filtering, everything is allowed.
    Turning it off stops the traffic flow; traffic is hitting the new firewall rule.
    When I disable this rule, traffic hits the drop all rule for a couple of seconds and is allowed again, and the traffic is blocked again in the web filtering.

  • In reply to Rijsbol:

    Hi,

    You do not need your drop rule; the default rule works, and your setup has the possibility of causing confusion with packet flow.

    Ian

  • In reply to rfcat_vk:

    Ok, I removed the rule and everything is blocked, but I can't see the blocked traffic, only the allowed.
    The greyed-out drop rule confused me. If there is a drop rule, show it as enabled and disable the delete button.

  • In reply to Rijsbol:

    Hi,

    That rule was made visible by a large number of requests from forum members. It is showing that the XG drops all traffic that fails to meet a firewall rule. It is identified as firewall rule 0.

    Look in Log viewer, using filters for your IP.

    Ian
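As an added worked example (my own code, not from the thread or from Sophos), here is a small parser that does offline what Ian suggests doing in Log viewer: filter firewall records by source IP, count which rule handled each flow with what verdict, and pull out the two things this thread turned on, namely flows logged as Allowed with no out interface (which Ian attributes to the http proxy) and flows that hit the implicit rule 0 drop. The sample records are constructed; the key names follow the Sophos XG syslog key="value" layout as I understand it and are an assumption to check against your own export.

```python
import re
from collections import Counter

# Constructed sample log (not from the thread or a real device). Field names are
# assumed from the XG syslog key="value" format: log_type, log_subtype, fw_rule_id,
# in_interface, out_interface, src_ip, dst_ip, protocol, src_port, dst_port.
# Values mirror the post: rule 11 denying DNS, a proxied HTTPS flow logged as
# Allowed with an empty out interface, and the implicit drop reported as rule 0.
SAMPLE_LOG = """\
date=2020-07-23 time=20:58:46 log_type="Firewall" log_subtype="Denied" fw_rule_id=11 in_interface="Port1" out_interface="Port2" src_ip=192.168.1.10 dst_ip=8.8.8.8 protocol="UDP" src_port=49291 dst_port=53 messageid=00002
date=2020-07-23 time=20:58:46 log_type="Firewall" log_subtype="Allowed" fw_rule_id=11 in_interface="Port1" out_interface="" src_ip=192.168.1.10 dst_ip=216.58.214.3 protocol="TCP" src_port=56820 dst_port=443 messageid=00001
date=2020-07-23 time=21:02:10 log_type="Firewall" log_subtype="Denied" fw_rule_id=0 in_interface="Port1" out_interface="Port2" src_ip=192.168.1.10 dst_ip=8.8.8.8 protocol="UDP" src_port=50021 dst_port=53 messageid=00002
date=2020-07-23 time=21:02:11 log_type="Firewall" log_subtype="Allowed" fw_rule_id=3 in_interface="Port1" out_interface="Port2" src_ip=192.168.1.20 dst_ip=10.0.0.5 protocol="TCP" src_port=41000 dst_port=22 messageid=00001
"""

# key=value pairs; values are either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_line(line):
    """Turn one key=value record into a dict, stripping quotes from values."""
    rec = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        rec[key] = val
    return rec


def parse_log(text):
    """Parse every non-empty line; keep only Firewall records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("log_type") == "Firewall":
            records.append(rec)
    return records


def for_host(records, ip):
    """Equivalent of the Log viewer filter on source IP."""
    return [r for r in records if r.get("src_ip") == ip]


def verdicts_by_rule(records):
    """Count (rule id, verdict) pairs: shows which rule actually handled each flow."""
    return Counter((int(r["fw_rule_id"]), r["log_subtype"]) for r in records)


def proxied_allows(records):
    """Flows logged as Allowed with an empty out interface, the pattern the thread
    attributes to the http proxy handling the connection."""
    return [r for r in records
            if r["log_subtype"] == "Allowed" and r.get("out_interface", "") == ""]


def default_drops(records):
    """Flows that matched no explicit rule and were dropped by the implicit rule 0."""
    return [r for r in records if int(r["fw_rule_id"]) == 0]


if __name__ == "__main__":
    recs = for_host(parse_log(SAMPLE_LOG), "192.168.1.10")
    for (rule, verdict), n in sorted(verdicts_by_rule(recs).items()):
        print(f"rule {rule:>2} {verdict:<8} {n}")
    for r in proxied_allows(recs):
        print("proxied:", r["src_ip"], "->", r["dst_ip"], r["dst_port"], r["protocol"])
    for r in default_drops(recs):
        print("rule 0 drop:", r["src_ip"], "->", r["dst_ip"], r["dst_port"], r["protocol"])
```

Run it against an exported log and filter on the client IP; if the only Denied entries carry rule 0, the implicit drop is already doing the job of a custom DROP_ALL rule, and any Allowed entries with an empty out interface are the proxy-handled flows that such a rule would not catch anyway.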