
Firewall Rule Not Recognizing Traffic

Good evening,

I was wondering if anyone had any thoughts here ...

XG230 HA pair running 18.0.4

Wireless network in a custom zone of type DMZ - called Devices 192.168.124.0/24

Wired LAN network in LAN zone - 192.168.1.0/24

Firewall rules to allow Devices to LAN, any any any and LAN to Devices any any any.

I can ping from 192.168.124.158 (Devices) to 192.168.1.21 (LAN)

I cannot ping from 192.168.1.21 (LAN) to 192.168.124.158 (DEVICES)

The firewall rule from LAN to Devices is at the top of the list and is showing no traffic hits.

For some reason the rule is not recognizing traffic as matching the LAN to Devices rule.

If I change the LAN to Devices rule to ANY to Devices, it still doesn't log any traffic.

This makes me think it doesn't recognize Devices as a legit zone? I would really appreciate any pointer you guys might throw my way!

2021-05-13 18:54:11 0101021 IP 192.168.1.21. > 192.168.124.158. :proto ICMP: echo request seq 2000
0x0000: 4500 003c aa30 0000 7e01 938c c0a8 0115 E..<.0..~.......
0x0010: c0a8 7c9e 0800 4582 000a 07d0 6162 6364 ..|...E.....abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
Date=2021-05-13 Time=18:54:11 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=wlnet1 inzone_id=1 outzone_id=0 source_mac=00:18:0a:4f:00:01 dest_mac=00:e0:20:11:0a:34 bridge_name= l3_protocol=IPv4 source_ip=192.168.1.21 dest_ip=192.168.124.158 l4_protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=1370249728 masterid=0 status=256 state=0, flag0=755916341248 flags1=34359738368 pbdid_dir0=0 pbrid_dir1=0

  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    in_dev=Port1 out_dev=wlnet1 inzone_id=1 outzone_id=0 source_mac=00:18:0a:4f:00:01 dest_mac=00:e0:20:11:0a:34 bridge_name= l3_protocol=IPv4 source_ip=192.168.1.21 dest_ip=192.168.124.158 l4_protocol=ICMP

    As per the drop packet capture, we can see that the ICMP packet came in on Port1 and was intended to be sent out via wlnet1.

    Are you able to ping 192.168.124.158 directly from Sophos Firewall(Diagnostics > Tools > Ping)?

    Please share the output of the commands below from the CLI:

    ==> Login to SSH > Device Console

    console> system diagnostics utilities netconf route get 192.168.124.158

    ==> Login to SSH > 5. Device Management > 3. Advanced Shell

    # ifconfig wlnet1

    It would be great if you could share a snapshot of the interface configuration and the firewall rules (LAN==Devices & Devices==LAN).

  • Thanks for the ideas... I appreciate the time.

    I was able to schedule an HA failover with the client. I rebooted the active FW and let the passive device take over. As soon as it did, everything started working. So I don't think it was a config issue.  

    The LAN to Device rule started logging traffic as soon as the HA failed over with no changes on my part.
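The drop-packet-capture line quoted in the reply above is a space-separated key=value record; as an added example (not code from the thread or from Sophos), the script below parses such a line and pulls out the fields the reply used to trace the packet's path, flagging a Denied entry whose fw_rule_id and outzone_id are both 0. The reading of fw_rule_id=0 as "no configured rule matched, default drop" and of outzone_id=0 as "no zone resolved for the egress interface" is an assumption of the example, not something the thread states.

```python
import re

# Trimmed copy of the Sophos Firewall drop-packet-capture line quoted in the
# thread (key=value format); a few fields omitted to keep the sample short.
SAMPLE_LOG = (
    "Date=2021-05-13 Time=18:54:11 log_id=0101021 log_type=Firewall "
    "log_component=Firewall_Rule log_subtype=Denied in_dev=Port1 out_dev=wlnet1 "
    "inzone_id=1 outzone_id=0 bridge_name= l3_protocol=IPv4 "
    "source_ip=192.168.1.21 dest_ip=192.168.124.158 l4_protocol=ICMP "
    "icmp_type=8 icmp_code=0 fw_rule_id=0 nat_id=0 connid=1370249728"
)

# One key=value token; \S* keeps empty values such as "bridge_name=".
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_kv(line: str) -> dict:
    """Parse one space-separated key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def explain_drop(fields: dict) -> list:
    """Turn the fields that matter for a Denied entry into findings.

    Interpretations of the zero values are assumptions of this example.
    """
    findings = []
    path = (f"{fields.get('in_dev')} (zone {fields.get('inzone_id')}) -> "
            f"{fields.get('out_dev')} (zone {fields.get('outzone_id')})")
    if fields.get("log_subtype") == "Denied":
        findings.append(f"{fields.get('l4_protocol')} {fields.get('source_ip')} -> "
                        f"{fields.get('dest_ip')} denied on path {path}")
    if fields.get("fw_rule_id") == "0":
        findings.append("fw_rule_id=0: no configured firewall rule matched "
                        "(assumed: default drop)")
    if fields.get("outzone_id") == "0":
        findings.append(f"outzone_id=0: no zone resolved for egress interface "
                        f"{fields.get('out_dev')} (assumed)")
    return findings


def analyse(line: str) -> list:
    """Parse a raw log line and return the findings for it."""
    return explain_drop(parse_kv(line))


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```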

