This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Network firewall rule ignored

Hi All,

We have a network firewall rule setup to allow traffic to a WAN destination.

However we can see in the logs that the traffic is getting blocked by the web filter component.

We have a user network rule further down the list that allows access to the internet after authentication. Its look like Sophos FW is matching the user rule first, because when I authenticate the traffic is allowed.

When we run the policy check tool on the same rule the results are as we expect and the traffic is allowed.

What's even stranger is when we restore the config backup from the customer firewall to our own test lab we issue is fixed and the firewall performs as expected!

Firmware is SFOS 19.5.2 MR-2 Build 624

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 1 year ago in reply to Gary McDonald +1

It will match the FW3 as shown in the log. Seems like your FW1 is not matching at all. Please control the FW Rule, as it should match if the filters are correct. If you are using DNS Hosts in your…

0 LuCar Toni over 1 year ago

Can you show a mouse over of this drop?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Gary McDonald over 1 year ago in reply to LuCar Toni

Hi, thanks for the reply, which drop are you referring too?
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 1 year ago in reply to Gary McDonald

Your drop in the logviewer above.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Gary McDonald over 1 year ago in reply to LuCar Toni

Sorry, I'm not sure what you mean by "drop"
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 1 year ago in reply to Gary McDonald

You have a block / drop in your webfilter log.

Show this block in full detail with a mouse over.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Gary McDonald over 1 year ago in reply to LuCar Toni

Thanks, please see below.
Cancel
Vote Up 0 Vote Down

Cancel
0 Gary McDonald over 1 year ago in reply to Gary McDonald

As suspected this traffic log is being matched by rule ID 3 which is the lower user authenticated rule.

Network rule that is higher in the list should allow this traffic to pass (as shown in the policy check tool also)

Rule blocking the traffic
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 1 year ago in reply to Gary McDonald

It will match the FW3 as shown in the log.

Seems like your FW1 is not matching at all. Please control the FW Rule, as it should match if the filters are correct.

If you are using DNS Hosts in your firewall rule, check that the DNS is resolved correctly by checking the DNS object in the Webadmin under Hosts and services.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel
0 Gary McDonald over 1 year ago in reply to LuCar Toni

Hi, I have checked the rule ID1 details and the traffic should match the rule (as proven by the sophos policy test tool), This smells like a bug in the SFOS
Cancel
Vote Up 0 Vote Down

Cancel
0 Gary McDonald over 1 year ago in reply to Gary McDonald

I've done some more testing and the issue seems to be related to the inbuilt Sophos proxy server. If I disable the client PC from accessing the internet via the Sophos firewall proxy the traffic is correctly matched to rule ID1
Cancel
Vote Up 0 Vote Down

Cancel