In the firewall log, "rule" and "ID" don't match the actual firewall rule

Question

SFOS 19.5.1 MR-1-Build278 
 I was checking the logs when I noticed this strange peculiarity, in the log, the "firewall rule" is actually the firewall ID #. 
 The log is showing that the firewall rule with the name "Allow outbound" is firewall rule 1, but is actually firewall rule #2. 
 Firewall rule #1 I have at the very top is to prevent SSH/FTP/TELNET under any circumstances, even outgoing. So I'd like to be sure that this rule is actually at the very top, but the way the log is wording the rule # and ID is leaving me perplexed as to whether I configured something wrong. NAT rule 1 is disabled, and NAT rule #2 is the default SNAT rule. 
 So, is the firewall rule in the log actually referencing the #ID, or the firewall RULE on the left hand side?

emmosophos · Answer

Hello there, 
 Thank you for contactin the Sophos Community. 
 It refers to the ID, in your case ID #1, so the allowed traffic is hitting the Allow Outbound rule with ID #1 
 Regards,

LuCar Toni · Answer

Essentially one is the internal ID (creation ID). The other one is the Rule number (position) to find it. 
 The internal ID never changes, so if you block a packet or something in the last month, and you moved the rule, you still have the same ID across the board. 
 The part about ID is valid, but the name is per default beside it. So you will always have the double check of "does the name match with the ID i assume is hitting?"

In the firewall log, "rule" and "ID" don't match the actual firewall rule

Top Replies