Traffic allowed although rule specifies "drop" - or log entry is incorrect / misleading ?

Question

Hello from Germany, 
 
 I am trying to wrap my brain aroud the following situation:

I have a rule that allows access to an NTP server to anybody (# 61, rule says ACCEPT, see below) 
 I have IP Cameras which should not be allowed to reach outside of the LAN (# 62, rule says DROP, see below) 
 I have placde the IP-Camera rule below the TIMESERVICES rule 
 I expect everything to be dropped now (except NTP of course)., but looking at the log for rule # 62 I see

Rule #62 allows traffice on TCP 80 and TCP 443. 
 
 Now, the "out interface " shows up empty - of course this is not covered by rule # 62. What is really happening, or better, what is not happening (like traffic going to China) 
 
 With beste regards 
 
 Volker

IP Host entry for bspc0030:

IP Host group used in IP-Camera rule

IP-Camera rule

Rules in LAN-TO-WAN group

emmosophos · Accepted Answer

Hello Volker, 
 Thank you for the information. 
 As mentioned by Luca, this is currently expected, but I do agree that is misleading. 
 Searching internally I found a case similar to yours, they&rsquo;re still currently looking into it, and seeing what changes would need to be done in the architecture of the SFOS to fix this. 
 Regards,

LuCar Toni · Answer

Thought this behavior was fixed with NC-64820 but looks like it only covers inbound traffic. See: https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=18.0 
 Awarrenhttp proxy blocks inbound connections on port 443. 
 What this generally speaking means: If you configure a block role on SFOS, you see the yellow indication of Proxy. This means, the traffic for HTTP/S is dropped by the proxy instead of firewall. The Proxy will drop it stateless and gives a block page to the user. 
 This was the case for inbound traffic, therefore it was fixed for inbound. But outbound seems to be still the case. I assume because of user interaction (Blocking is more radical then to deny the traffic in proxy, because of user interaction in browser). 
 Check the web proxy log.

LuCar Toni · Answer

Thats the expected behavior. You see the proxy is intercepting this traffic by the port redirect to 3128. This is to give the user a block page in the end of the connection instead of just block the traffic. 
 From a user perspective, he will get a block page, not only a connection refused in browser.

Traffic allowed although rule specifies "drop" - or log entry is incorrect / misleading ?

Top Replies