
Firewall rules not working as expected

Hi,

I've rolled out many UTMs in the past and am now starting to replace them with XGS, v19.

It pretty much makes sense, but I'm puzzled by the firewall rules and how they are executed.

Here's one example that I don't get.

I have a simple LAN, 192.168.1.x, that has Netgear wifi broadcasters attached to it.

I needed to create a guest network on those wifi broadcasters, so I created that with a VLAN, ID 20, IP 192.168.100.x. The zone is LAN.

Set up on the XGS the stuff required, so VLAN interface, DHCP for the VLAN, etc.

The firewall rule is

All working fine, users are on guest, have internet, no problem. I can see clearly from the DHCP pool table that the guests are getting IP addresses for that VLAN segment.

However, as you can see from the rule, 0 B and 0 B for in and out.

I now wonder if the phones are just falling over to 4G, because when I look at the firewall logs all I see is denies for anything from that network going out to the internet, not a single Allow.

I'm really stumped because I don't know why it's saying invalid packet or how to progress with this.

Throwing out a random idea, but on UTM you had to create a masq rule for all networks needing the internet. I haven't done that, nor clicked on create NAT rule during the firewall rule setup. Should I have done, or does the XGS handle that?

Many thanks in advance if you can help.



  • The firewall rule is applied very early in the connection table. This means that if you have 0 bytes, the client is using another firewall rule.

    Check the packet capture in the GUI to see which rule is applied.

  • OK, perhaps I'm really missing something obvious here.

    I'm seeing tons of denies for the VLAN 20 network as mentioned above. Ran a PCAP.

    I see this

    So there's no Rule ID or NAT ID or reason.

    I know the VLAN is working, devices are getting DHCP and somehow they are browsing the internet absolutely fine, yet I cannot find a single entry for any device on 192.168.100 with a pass; everything is being denied.

  • Is the XGS directly connected to the WAN router, or is there some upstream firewall or router in between? Maybe the route back to the XGS is missing on such a device, because we see only outgoing packets, nothing in. But this can also be a matter of your packet capture filter.

    Please make sure you have it like this:

    Is that 192.168.100.0 a new subnet in your infrastructure, and some guys forgot to create it on all devices?

  • Yes, at some point it sounds like packets are taking two different routes. There was a recent article about this happening, I think with SD-WAN or something, but this particular use case sounds simpler, and hence I was trying to ask questions (below) about whether there are perhaps wrong ports on the XGS being specified for some routing, and even though it's a single box it might be confusing the session tracking. (Or, as you say, it could be two different routes or some device upstream.)

  • Is this QUIC? UDP port 443 looks like Google QUIC, and you can block this in a firewall rule.

    BTW:

    Go to your firewall rule. Try to edit all your affected host objects and hit save. Does it work, or do you see errors/loadings in the WebAdmin?

    I mean doing this:

  • It's connected directly to a WAN router (which is in pass-through mode); no upstream firewall or router doing any routing, just the XGS handling everything.

  • Just wondering how QUIC would affect this and cause 0 B traffic both ways?

    The second one I can save fine.

  • Just wondering: are your objects actually matching?

    Can you share screenshots of the used source objects?

  • There is UDP 443 traffic in that screenshot, but also TCP 443, so it is not only a QUIC issue.

    What does your firewall do when it tracerts to WAN IPs?

    Does it work?

    Is the XGS picking up pattern updates?

    Maybe other modules block your traffic? Known for this behaviour would be the application filter. Just toggle to the advanced view.
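Added example, not code from the thread or from Sophos: the two points raised above (a rule showing 0 B means the guest flows are hitting some other rule, and UDP/443 denies look like QUIC while TCP/443 is something else) can be checked by walking the exported firewall log rather than eyeballing the GUI. The script below parses constructed sample lines in a key="value" layout; the field names (log_subtype, fw_rule_id, src_ip, protocol, dst_port, sent_bytes, recv_bytes) are an assumption modelled on the Sophos Firewall syslog format, and the IPs, rule IDs and byte counts are made up for the example. It groups flows from the guest subnet by rule ID, splits allowed from denied, totals the bytes per rule and counts the denied UDP/443 entries separately.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample entries. The key="value" layout and the field names are
# an assumption modelled on the Sophos Firewall syslog format; they are not
# copied from the thread, whose screenshots are not reproduced here.
SAMPLE_LOG = """\
log_type="Firewall" log_subtype="Denied" fw_rule_id="0" src_ip="192.168.100.21" dst_ip="203.0.113.10" protocol="UDP" dst_port="443" sent_bytes="0" recv_bytes="0" reason="Invalid packet"
log_type="Firewall" log_subtype="Allowed" fw_rule_id="7" src_ip="192.168.100.21" dst_ip="203.0.113.10" protocol="TCP" dst_port="443" sent_bytes="5120" recv_bytes="81920"
log_type="Firewall" log_subtype="Allowed" fw_rule_id="7" src_ip="192.168.100.33" dst_ip="198.51.100.5" protocol="TCP" dst_port="80" sent_bytes="1024" recv_bytes="4096"
log_type="Firewall" log_subtype="Denied" fw_rule_id="0" src_ip="192.168.100.33" dst_ip="198.51.100.5" protocol="UDP" dst_port="443" sent_bytes="0" recv_bytes="0" reason="Invalid packet"
log_type="Firewall" log_subtype="Allowed" fw_rule_id="3" src_ip="192.168.1.50" dst_ip="198.51.100.5" protocol="TCP" dst_port="443" sent_bytes="2048" recv_bytes="10240"
log_type="System" log_subtype="Admin" message="unrelated line that the parser must skip"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict (unquoted tokens are ignored)."""
    return dict(KV_RE.findall(line))


def summarize(log_text, subnet):
    """Per-rule allow/deny counts and byte totals for flows sourced from `subnet`.

    Returns (per_rule, udp443_denied): per_rule maps fw_rule_id to a dict with
    keys allowed, denied, sent, recv; udp443_denied counts denied UDP/443
    entries, the pattern the thread attributes to QUIC.
    """
    net = ip_network(subnet)
    per_rule = defaultdict(lambda: {"allowed": 0, "denied": 0, "sent": 0, "recv": 0})
    udp443_denied = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only firewall entries with a source address are flows we can attribute.
        if rec.get("log_type") != "Firewall" or "src_ip" not in rec:
            continue
        if ip_address(rec["src_ip"]) not in net:
            continue
        rule = rec.get("fw_rule_id", "0")
        allowed = rec.get("log_subtype", "").lower() == "allowed"
        entry = per_rule[rule]
        entry["allowed" if allowed else "denied"] += 1
        entry["sent"] += int(rec.get("sent_bytes", "0") or 0)
        entry["recv"] += int(rec.get("recv_bytes", "0") or 0)
        if not allowed and rec.get("protocol") == "UDP" and rec.get("dst_port") == "443":
            udp443_denied += 1
    return dict(per_rule), udp443_denied


def rules_carrying_bytes(per_rule):
    """Rule IDs that actually moved data: the ones to compare against a rule showing 0 B."""
    return sorted(r for r, e in per_rule.items() if e["sent"] + e["recv"] > 0)


if __name__ == "__main__":
    per_rule, quic = summarize(SAMPLE_LOG, "192.168.100.0/24")
    for rule, e in sorted(per_rule.items()):
        print(f"rule {rule}: allowed={e['allowed']} denied={e['denied']} "
              f"sent={e['sent']} B recv={e['recv']} B")
    print("rules carrying bytes:", rules_carrying_bytes(per_rule))
    print("denied UDP/443 (QUIC-like) entries:", quic)
```

On the constructed sample the guest subnet's bytes all land on rule 7 while rule 0 only collects the UDP/443 denies, which is the shape of the symptom described in the thread: the rule being watched shows 0 B because a different rule is carrying the traffic. Running it against real exported logs only works if the exported field names match the assumed layout.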

  • I think I'm simply going mad here. With your suggestion of switching to advanced view, I could see the traffic from VLAN 20 being allowed; in simple view all I saw was denies. Way to go, Sophos, with that one.

    Anyway, that at least explained how traffic on VLAN 20 was getting out to the internet.

    However, it didn't explain why the rule on the firewall page showed 0 B in and out, so to be honest I had enough of it and logged off.

    It's been about 7 days and I've just gone back onto the firewall to have a fresh take on it, and now it's showing traffic, i.e. that rule, which I haven't touched, shows 55 GB and 4.4 GB. No one else has access to the firewall; the rule hasn't been changed, moved or anything.

    So my solution is: crack a beer open and watch Netflix, because I can't blo*dy explain that.

  • Looking into the packet capture for port 443: does your firewall rule match?

    Because somehow I have the feeling your client is not using the firewall at all.