

Why do the log viewer and the policy test show different firewall IDs for the same URL? [SFOS 17.1.1 MR-1]

As per the example below:

Log viewer -- fw_rule_id="4"

Log viewer -- IPv4 Bypass (ID: 5)

2018-08-12 19:01:59Web Filtermessageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="4" user="" user_group="" web_policy_id="13" web_policy="" category="Web E-Mail" category_type="Unproductive" url="outlook.office365.com/.../ content_type="application/octet-stream" override_token="" response_code="" src_ip="10.116.112.78" dst_ip="52.96.9.178" protocol="TCP" src_port="55724" dst_port="443" bytes_sent="1079" bytes_received="1282" domain="outlook.office365.com" exception="" activity_name="" reason="not eligible" user_agent="Microsoft Office/15.0 (Windows NT 10.0; Microsoft Outlook 15.0.5049; Pro)" status_code="200" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="972712800" app_name="Office 365" app_is_cloud="1"

 

Policy test

Test Time: 19:03:09 Sunday
Destination IP: 40.97.190.2, port 443, TCP
Source IP: 10.116.112.78
Source Zone: Auto-Detection
User: User Unauthenticated
Result: Accepted
Firewall Rule: IPv4 Bypass (ID: 5)


  • Hi Jim,

    I verified this at my end and the test was positive. SSH to the XG firewall and execute the following command in the Advanced Shell, and let us know if that works:

    conntrack -D -s 10.116.112.78 (IP address of a source system)

    This command will flush the conntrack table for the source IP.

    Thanks,

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
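The conntrack flush suggested above rests on the idea that an established connection keeps the firewall rule it matched when it was first seen, while the policy test performs a fresh rule lookup. A quick way to check whether that explains a log viewer / policy test mismatch is to parse the SFOS key="value" log lines for the source IP, keep only the entries whose fw_rule_id differs from what the policy test returned, and group them by con_id: a few long-lived con_ids accounting for all the mismatched lines points at pre-existing connections rather than a logging bug. The script below is an added example, not code from the thread or from Sophos; the sample log lines are constructed, modelled on the Web Filter entry posted above, and the second and fourth lines (a repeat of the same con_id and a different client) are invented to show the grouping.

```python
import re
from collections import defaultdict

# Constructed sample lines in SFOS key="value" format, modelled on the
# Web Filter entry in the thread. Timestamps, the repeated con_id and the
# second client (10.116.112.90) are illustrative, not taken from the page.
SAMPLE_LOG = """\
2018-08-12 19:01:59 Web Filter messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" fw_rule_id="4" src_ip="10.116.112.78" dst_ip="52.96.9.178" protocol="TCP" src_port="55724" dst_port="443" domain="outlook.office365.com" con_id="972712800" app_name="Office 365"
2018-08-12 19:02:31 Web Filter messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" fw_rule_id="4" src_ip="10.116.112.78" dst_ip="52.96.9.178" protocol="TCP" src_port="55724" dst_port="443" domain="outlook.office365.com" con_id="972712800" app_name="Office 365"
2018-08-12 19:03:15 Web Filter messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" fw_rule_id="5" src_ip="10.116.112.78" dst_ip="40.97.190.2" protocol="TCP" src_port="55790" dst_port="443" domain="outlook.office365.com" con_id="1981418336" app_name="Office 365"
2018-08-12 19:03:40 Web Filter messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" fw_rule_id="4" src_ip="10.116.112.90" dst_ip="52.96.9.178" protocol="TCP" src_port="61002" dst_port="443" domain="outlook.office365.com" con_id="555000111" app_name="Office 365"
"""

# key="value" pairs; values may contain spaces ("Content Filtering") but not quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Leading "YYYY-MM-DD HH:MM:SS" timestamp in front of the log component name.
TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})')


def parse_line(line):
    """Return the key="value" fields of one SFOS log line plus its timestamp."""
    fields = dict(KV_RE.findall(line))
    m = TS_RE.match(line)
    if m:
        fields["timestamp"] = m.group(1)
    return fields


def parse_log(text):
    """Parse a block of log lines, skipping blank ones."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def rule_mismatches(entries, src_ip, expected_rule_id):
    """Entries for src_ip whose fw_rule_id differs from the policy-test rule,
    grouped by con_id. One con_id with many lines is a single long-lived
    connection, i.e. a candidate for having matched the rule before a change."""
    by_con = defaultdict(list)
    for e in entries:
        if e.get("src_ip") != src_ip:
            continue
        if e.get("fw_rule_id") != expected_rule_id:
            by_con[e.get("con_id")].append(e)
    return dict(by_con)


def report(entries, src_ip, expected_rule_id):
    """One human-readable line per mismatched connection."""
    lines = []
    for con_id, hits in rule_mismatches(entries, src_ip, expected_rule_id).items():
        first, last = hits[0], hits[-1]
        lines.append(
            f"con_id={con_id} fw_rule_id={first['fw_rule_id']} "
            f"(policy test says {expected_rule_id}) "
            f"{first['src_ip']}:{first['src_port']} -> {first['dst_ip']}:{first['dst_port']} "
            f"{len(hits)} log line(s) {first['timestamp']} .. {last['timestamp']}"
        )
    return lines


if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG), "10.116.112.78", "5"):
        print(line)
```

Run against the sample, the only mismatched traffic for 10.116.112.78 is con_id 972712800, seen on two lines with fw_rule_id 4 while the policy test returned rule 5. On a real appliance, export the log viewer entries for the client (or copy them from the command line) into SAMPLE_LOG, run the flush suggested above, and re-run the script on fresh lines: if the old con_ids stop appearing and new connections log the policy-test rule, the mismatch was connection state, not the logging. `conntrack -L -s 10.116.112.78` lists the entries the `-D` command would remove, which is worth checking first.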

  • I executed the command, but the status has not changed.  Log Viewer fw_rule_id="4"   ---   Policy Test IPv4 Bypass (ID: 5)

     

    Log viewer

    2018-08-13 19:50:12Web Filtermessageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="4" user="" user_group="" web_policy_id="13" web_policy="" category="Web E-Mail" category_type="Unproductive" url="outlook.office365.com/.../ content_type="application/octet-stream" override_token="" response_code="" src_ip="10.116.112.78" dst_ip="40.97.24.2" protocol="TCP" src_port="51398" dst_port="443" bytes_sent="3170" bytes_received="1075" domain="outlook.office365.com" exception="" activity_name="" reason="not eligible" user_agent="Microsoft Office/15.0 (Windows NT 10.0; Microsoft Outlook 15.0.5049; Pro)" status_code="200" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="1981418336" app_name="Office 365" app_is_cloud="1"

     

    Policy Test

    Test Time: 19:48:53 Monday
    Destination: outlook.office365.com/.../ content_type="application/octet-stream" override_token
    Destination IP: 40.97.188.226, port 443, TCP
    Source IP: 10.116.112.78
    Source Zone: Auto-Detection
    User: User Unauthenticated
    Result: Accepted
    Firewall Rule: IPv4 Bypass (ID: 5)
  • Hi Jim,

    PM me a remote support access code to verify the settings; be assured that we will not make any changes to the appliance.

    Thanks,

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • I had the same problem.

    Logs in XG behave like this.  Only logs in the command line are reliable.

    Nothing you can do.  Do you have a clean-up rule?  Just asking...

    Improved logs were scheduled for the end of 2018.

    Paul Jr

  • I am in New York City (UTC - 4).  During week days I am available from 19:30 - 21:00 local time.

  • I meant, send me a Private Message. To get support in the American hours, I will hand over this thread to one of my engineers available in that time zone.

    Thanks,

    Sachin Gurung
    Team Lead | Sophos Technical Support