Sophos Firewall: When a Firewall Rule was created

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


To find the date a Firewall Rule was created, you can use any of the following methods.

In our scenario, we created Firewall Rule #8 with the name Test_Date.

1) Using the Log Viewer: Filter by Admin, then search for the words "Firewall Rule" in the search box, or for the name of the Firewall Rule.

2) Checking in the Logs: Open an SSH connection to the Sophos Firewall, go to the Advanced Shell (5 > 3), change to the log directory (cd /log), and filter the firewall_rule log using the following command:

# grep "Test_Date" firewall_rule.log

XG125_XN03_SFOS 19.5.3 MR-3-Build652# grep "Test_Date" firewall_rule.log
2023-10-10 14:40:05: Firewall - Event: ADD for rule Test_Date. Firewall has 15 rules configured.
2020-10-10 14:40:15: Firewall - Event: MOVE. Firewall has 15 rules configured. First rule details => id: 1, name: Wifi_to_WAN, type: 2, schedule: , Active: 1 . Last rule details => id: 8, name: Test_Date, type: 1, schedule: , Active: 1. Total iptables chains: 15. First template is fw1_mark_mpre. Last template is fw8_mark_mpre.
2020-10-10 14:40:15: Firewall - Event: MOVE. Firewall has 15 rules configured. First rule details => id: 1, name: Wifi_to_WAN, type: 2, schedule: , Active: 1 . Last rule details => id: 8, name: Test_Date, type: 1, schedule: , Active: 1. Total iptables chains: 15. First template is fw1_mark_mpre. Last template is fw8_mark_mpre.
2020-10-10 14:40:16: Firewall - Event: ADD for rule Test_Date. Firewall has 15 rules configured. First rule details => id: 1, name: Wifi_to_WAN, type: 2, schedule: , Active: 1 . Last rule details => id: 8, name: Test_Date, type: 1, schedule: , Active: 1. Total iptables chains: 15. First template is fw1_mark_mpre. Last template is fw8_mark_mpre.
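
The grep above also returns MOVE lines that only mention Test_Date under "Last rule details". The following is an added example, not Sophos tooling: it keeps only the "Event: ADD for rule <name>" lines in the format shown above and reports the first one. The function names and the Demo_Rule sample data are constructed, and it assumes a POSIX sh and awk are available where it is run.

```shell
#!/bin/sh
# Added example: find when a named rule was added, from firewall_rule.log-style
# lines. Function names and the sample data below are constructed.

# rule_add_events NAME [FILE...]
# Prints the timestamp of each "Event: ADD for rule NAME." line, in file order.
# Lines that only mention NAME elsewhere (e.g. MOVE events listing it under
# "Last rule details") are skipped. Reads stdin when no FILE is given.
rule_add_events() {
    rule_name=$1
    shift
    # Pass the name through the environment so awk does not interpret
    # backslashes in it, and compare literally so regex characters in a
    # rule name cannot widen the match.
    RULE_NAME=$rule_name awk '
        BEGIN { marker = ": Firewall - Event: ADD for rule " ENVIRON["RULE_NAME"] ". Firewall has " }
        # Columns 1-19 hold "YYYY-MM-DD HH:MM:SS"; the event text starts at 20.
        substr($0, 20, length(marker)) == marker { print substr($0, 1, 19) }
    ' "$@"
}

# rule_created_at NAME [FILE...]
# First ADD event still present in the log(s); empty if none (e.g. rotated).
rule_created_at() {
    rule_add_events "$@" | head -n 1
}

# Constructed sample in the same shape as the output shown above.
sample_log() {
    cat <<'EOF'
2024-03-01 09:15:02: Firewall - Event: ADD for rule Demo_Rule. Firewall has 3 rules configured.
2024-03-01 09:15:10: Firewall - Event: MOVE. Firewall has 3 rules configured. First rule details => id: 1, name: Lan_to_WAN, type: 2, schedule: , Active: 1 . Last rule details => id: 3, name: Demo_Rule, type: 1, schedule: , Active: 1.
2024-03-01 09:15:11: Firewall - Event: ADD for rule Demo_Rule. Firewall has 3 rules configured. First rule details => id: 1, name: Lan_to_WAN, type: 2, schedule: , Active: 1 .
2024-03-05 11:00:00: Firewall - Event: ADD for rule Demo_Rule_2. Firewall has 4 rules configured.
EOF
}

# On a copy of the real log: rule_created_at Test_Date firewall_rule.log
sample_log | rule_created_at Demo_Rule   # prints 2024-03-01 09:15:02
```
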

If the logs have rotated, you won't be able to see when the firewall rule was created; however, you can always check in the database.

3) Checking in the Database: (For this, you need to know the Firewall Rule ID.) Open an SSH connection to the Sophos Firewall, go to the Advanced Shell (5 > 3), and type the following:

# psql -U nobody corporate -c "select * from tblfirewallrule where ruleid='8'" -x;

-[ RECORD 1 ]-------+------------------------------
ruleid | 8
sourcezoneid |
destzoneid |
firewallaction | 1
ruletype |
attachidentity | f
snatprofileid | 1
webfilterid |
appfilterid |
idpid |
scheduleid |
logginglevel | 1
bandwidthid |
isenable | 1
nextorderid | -1
description |
name | Test_Date
wcatbasedbwpolicy |
routingpolicy | 0
imscanning | 0
appbasedbwpolicy |
dscpval | -1
wafscanning | 0
isuseractdisable | f
ipfamily | 0
nattype | 1
icapprofileid |
policytype | 1
heartbeat | 0
minpermittedhb | 3
ftp | 0
http | 0
https | 0
smtp | 0
smtps | 0
pop | 0
pops | 0
imap | 0
imaps | 0
isreflexive | 0
datatransfer | 0 B
islive | f
createdat | 2023-01-10 14:39:59.477903-08




[edited by: emmosophos at 12:09 AM (GMT -8) on 22 Nov 2023]