

v18 drop connection logging

Is there any way to get the logging to log all connections dropped by the default drop rule?  If I create a duplicate rule and tick "log all traffic" then everything gets logged correctly, but it would be nice to get the default rule to log everything.



This thread was automatically locked due to age.
  • FormerMember

    Hi BLS,

    It is possible to control dropped traffic logging. Please navigate to Configure > System Services > Log Settings. You should be able to control the different log types that are being dropped by default drop rule "0".

    Thanks,

  • Already have everything ticked, and the logging isn’t capturing everything.

    For example, if I try to talk to an external IP on a port that isn't allowed it doesn't get logged; create a duplicate of rule 0, tick "log firewall traffic", and it logs these connections...

    Tim Grantham

    Enterprise Architect & Business owner

  • This is what's ticked.

    [screenshot]

    Tim Grantham

    Enterprise Architect & Business owner

  • So here goes - using the utility tcpping.exe - if I ping the modem, which is the WAN side of the firewall, on port 999, which isn't allowed through the firewall, and with rule #11 in place (as per this screenshot).

    [screenshot]

    Then this is the result....

    [screenshot]

    Remove rule #11 and repeat, and nothing is logged for port 999 to say it's been dropped...despite trying the ping and getting back that it's been dropped (no response)...

    [screenshot]

    But then run tcpping.exe on a known port that's allowed through, such as port 25, and this is the result.

    [screenshot]

    It would just be nice if rule #0 were able to log all dropped traffic, or at least have the option to enable it if so desired.

    Tim Grantham

    Enterprise Architect & Business owner
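The test described above (probe a blocked port, probe an allowed port, then check what the Log Viewer shows) can be turned into a repeatable coverage check. The script below is an added example written for this thread; it is not code from the original post or from Sophos. It assumes the firewall log is exported in the key=value syslog style with fields named log_type, log_subtype, fw_rule_id, dst_ip, dst_port and protocol (an assumption about the XG format; compare against your own Log Viewer export before relying on it), and that the default drop shows up as fw_rule_id=0. The sample log lines are constructed: one probe is logged by the duplicate drop rule #11, one is logged by rule 0 (included only so the "default drop" branch is exercised; the thread reports that rule 0 does not log), and one probe to port 998 never appears, which is the gap the thread is about.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample log lines in the key=value syslog style. The field names
# (log_type, log_subtype, fw_rule_id, dst_ip, dst_port, protocol) are an assumption
# about the XG export format; every value here is made up for this example.
# Rule 11 is the thread's duplicate "drop + log" rule, rule 0 is the default drop,
# and the probe to port 998 was never logged at all.
SAMPLE_LOG = """\
device="SFW" date=2020-05-01 time=10:00:01 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=11 src_ip=203.0.113.10 dst_ip=198.51.100.1 protocol="TCP" src_port=51000 dst_port=999
device="SFW" date=2020-05-01 time=10:00:05 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=3 src_ip=203.0.113.10 dst_ip=198.51.100.1 protocol="TCP" src_port=51001 dst_port=25
device="SFW" date=2020-05-01 time=10:00:09 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=203.0.113.10 dst_ip=198.51.100.1 protocol="TCP" src_port=51002 dst_port=443
"""

Probe = Tuple[str, int, str]  # (dst_ip, dst_port, protocol), e.g. ("198.51.100.1", 999, "TCP")

DEFAULT_DROP_RULE_ID = "0"  # the thread's "rule #0"; assumed to be exported as fw_rule_id=0

# key=value pairs; values are either "quoted, may contain spaces" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict. Quoted values keep their spaces."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def denied_probes(log_text: str) -> Dict[Probe, Set[str]]:
    """Map every (dst_ip, dst_port, protocol) logged as Denied to the set of
    firewall rule ids that produced a log entry for it."""
    seen: Dict[Probe, Set[str]] = {}
    for line in log_text.splitlines():
        f = parse_kv_line(line)
        if f.get("log_type") != "Firewall" or f.get("log_subtype") != "Denied":
            continue
        try:
            key = (f["dst_ip"], int(f["dst_port"]), f.get("protocol", "").upper())
        except (KeyError, ValueError):
            continue  # malformed or truncated line: skip it rather than crash
        seen.setdefault(key, set()).add(f.get("fw_rule_id", "?"))
    return seen


def coverage_report(log_text: str, probes: List[Probe]) -> Dict[str, List[Probe]]:
    """Classify each probe sent to a port the firewall should block: logged by the
    default drop, logged only by an explicit drop rule, or not logged at all."""
    seen = denied_probes(log_text)
    report: Dict[str, List[Probe]] = {"default_drop": [], "explicit_rule": [], "not_logged": []}
    for p in probes:
        rules = seen.get(p)
        if not rules:
            report["not_logged"].append(p)
        elif DEFAULT_DROP_RULE_ID in rules:
            report["default_drop"].append(p)
        else:
            report["explicit_rule"].append(p)
    return report


# The probes you sent (constructed to match the sample log): the thread's port 999,
# a port the firewall dropped without logging, and one logged by the default drop.
PROBES: List[Probe] = [
    ("198.51.100.1", 999, "TCP"),
    ("198.51.100.1", 998, "TCP"),
    ("198.51.100.1", 443, "TCP"),
]

if __name__ == "__main__":
    for bucket, hits in coverage_report(SAMPLE_LOG, PROBES).items():
        print(f"{bucket:14s} {hits}")
```

In practice you would replace SAMPLE_LOG with a Log Viewer export taken right after your tcpping run and fill PROBES with the exact destination/port pairs you probed; anything that lands in "not_logged" is a drop that the firewall is silently discarding, and anything in "explicit_rule" only shows up because of the duplicate rule, so it would disappear again if that rule were removed.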

  • I have a similar experience: limited logging with the default drop rule. What's even more confusing is that when you put in a deny-all rule, it will be associated with a regular NAT rule. Why is the traffic being NATed when dropped? Didn't give feedback to Sophos during beta due to heavy-handed moderators that completely turned me off.

  • The answer seems to be to add an additional drop rule at the bottom and set that for logging - I've not had anything requiring association with a NAT rule though; I don't even get the option to create a linked NAT rule, or even see a NAT rule when a drop-all FW rule is set.

    Sophos XG is IMO a very good product, and has come a long way since the early days; there are just a few little "features" that need to be added in order to make it an awesome product, but Sophos is getting there...

    Tim Grantham

    Enterprise Architect & Business owner

  • That is the current implementation.

    The Default Drop at the bottom is a simple "ShowRule". It shows that there is a default drop, vs. V17.5, where the default drop rule was missing from the framework.

    Unfortunately you cannot edit this rule right now. 

    Therefore you cannot activate Logging.

    Without logging, the Log Viewer will not log sessions dropped by the Default Drop.

    See: https://community.sophos.com/products/xg-firewall/f/recommended-reads/118125/sophos-xg-firewall-v17-5-how-to-log-all-dropped-traffic-without-interrupting-other-services


  • Any idea when/if this type of logging will be allowed in the future?

    Tim Grantham

    Enterprise Architect & Business owner

  • Yes, there are plans to expand the default drop to avoid the "duplicate" firewall rule. 


  • Hello LuCar Toni,

    As in many other cases, in this case too, Sophos goes its own absolutely illogical way. While all UTM solution vendors have a final default drop rule that (logically) logs all dropped traffic, Sophos must have a special exception!
    I think this feature will be implemented in which version, v25 or v25.5? Sarcasm ....

    Regards

    alda
