This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SFOS 18.0.3 MR-3 - reject or drop rules stopped working

lukg over 3 years ago

After upgrading to SFOS 18.0.3 MR-3 our reject or drop rules stopped working for blocking WAN traffic.

I have the following top rule to test which is not working anymore :

Source zone: Any

Source networks and device: WAN_TEST - has my test external IP address

Destination zone: WAN, DMZ2

Destination networks:webdisk_public, DMZ2_webdisk - has the destination IP address

Action: Reject

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 3 years ago in reply to lukg +2 suggested

That is likely related to this: https://community.sophos.com/xg-firewall/f/discussions/122091/firewall-policy-drop-shows-block-page-on-http-connections/451510#451510 Sophos is working on a Fix for this…

Parents

0 LuCar Toni over 3 years ago

Sounds like the traffic is not matching this WAN IP anymore.

If you look at the packet capture, can you see this traffic going out?

Another question, why should this rule match in the first place? XG is aware of the origin of the traffic. Hence you can also block it from the traffic origin and not on the WAN Port.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 lukg over 3 years ago in reply to LuCar Toni

I had a Sophos support engineer on the line for 1h and this issue has been escalated now as he confirmed reject/drop rules are not working on my appliance.

If you have migrated to 18.0.3 MR-3 check if your reject/drop rules are still working - just as a precaution.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago in reply to lukg

Can you show us the logviewer and the firewall Rule as a screenshot?

Because i have a guess, thats only 443/80 traffic(web)?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 lukg over 3 years ago in reply to LuCar Toni

In this test yes it is 80/443 traffic, drop rule is ignored and I can see that traffic goes to the web publishing to a web server rule.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago in reply to lukg

That is likely related to this: https://community.sophos.com/xg-firewall/f/discussions/122091/firewall-policy-drop-shows-block-page-on-http-connections/451510#451510

Sophos is working on a Fix for this behavior. Until this, you can simply remove the WAN zone from Source, this should resolve this.

The traffic is not "allowed" in total. The traffic is allowed by firewall and blocked by proxy.

__________________________________________________________________________________________________________________
Cancel
Vote Up +2 Vote Down

Cancel
0 lukg over 3 years ago in reply to LuCar Toni

A rule with source zone Any, destination zone Any, service HTTPS is not working as well.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 lukg over 3 years ago in reply to LuCar Toni

A rule with source zone Any, destination zone Any, service HTTPS is not working as well.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 LuCar Toni over 3 years ago in reply to lukg

The reject/drop rule is forwarding HTTP/s to the proxy module. Which is dropping the traffic. ANY - ANY will have the same issue.

The traffic is dropped (blocked by the proxy) but logviewer shows you the allow, as the firewall allows the traffic to the proxy.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel
0 lukg over 3 years ago in reply to LuCar Toni

The traffic is not dropped, I will have an escalation engineer looking into it hopefully today, I will post the outcome
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago in reply to lukg

How did you confirm, this is the case?

Can you post conntrack, tcpdump and logviewer screenshots?

Likely the traffic is dropped but shows a blockpage.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 lukg over 3 years ago in reply to LuCar Toni

It has been confirmed by Sophos engineer that this is not working in our appliance so this is why they have escalated this to the next level. No contact from escalation engineer has been made as of yet.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 3 years ago in reply to lukg

Just wanted to understand, what is happening, as i still think, this is a known behavior and in fact is not allowed.

But if you do not want to investigate further i cannot help.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel