Thread Info
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

In the firewall log, "rule" and "ID" don't match the actual firewall rule

alan weir

SFOS 19.5.1 MR-1-Build278

I was checking the logs when I noticed this strange peculiarity, in the log, the "firewall rule" is actually the firewall ID #.

The log is showing that the firewall rule with the name "Allow outbound" is firewall rule 1, but is actually firewall rule #2.

Firewall rule #1 I have at the very top is to prevent SSH/FTP/TELNET under any circumstances, even outgoing. So I'd like to be sure that this rule is actually at the very top, but the way the log is wording the rule # and ID is leaving me perplexed as to whether I configured something wrong. NAT rule 1 is disabled, and NAT rule #2 is the default SNAT rule.

So, is the firewall rule in the log actually referencing the #ID, or the firewall RULE on the left hand side? 



This thread was automatically locked due to age.
  • 0

    Hello there,

    Thank you for contactin the Sophos Community.

    It refers to the ID, in your case  ID #1, so the allowed traffic is hitting the Allow Outbound rule with ID #1

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    • 0 in reply to emmosophos

      thanks for the clarification. Another forum user stated that the rule ID # is actually just the order in which the rules were created. So firewall rule #1 was the 4th rule created? It just seems that the log is a bit confusing since the actual firewall rule that was fired was rule #2 since they are fired in order from top to bottom and maybe the log should say "Firewall ID" instead of "Firewall rule".

      • 0 in reply to alan weir

        Essentially one is the internal ID (creation ID). The other one is the Rule number (position) to find it. 

        The internal ID never changes, so if you block a packet or something in the last month, and you moved the rule, you still have the same ID across the board. 

        The part about ID is valid, but the name is per default beside it. So you will always have the double check of "does the name match with the ID i assume is hitting?"

        __________________________________________________________________________________________________________________

        • 0 in reply to LuCar Toni

          Agreed. It would be crazy if the rule was logged based on its position in the list, which can change. The ID is going to be the order in which they were created in order to keep rule numbers unique, of course.

      Unfiltered HTML