Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

---

Overview

This Recommended Read explains what Invalid Traffic is. Since SFOS v17.0, there’s something called "Invalid Traffic" on XG.

What is Invalid Traffic

The documentation explains this as: 

"Sophos Firewall checks the data packets for conntrack entries. Conntrack entries are generated when connection initializing packets, such as TCP, SYN, or ICMP echo requests, are sent.

If a user sends a packet that doesn't match a current connection, Sophos Firewall logs this as an invalid traffic event.

All firewalls drop multiple TCP RST and TCP FIN packets to prevent attacks. Sophos Firewall drops these packets and records them as invalid traffic events."

Understanding the TCP Handshake and how a Connection works in TCP is important.

There are a couple of explanations available on the internet.

• Ex: https://www.geeksforgeeks.org/tcp-3-way-handshake-process/

What is Conntrack

Conntrack (The Connection tracking daemon on Sophos Firewall) will keep track of all Connections.

• After the Handshake is completed between a client and server, the connection is tracked on the Firewall.
• Any side can "kill" this connection. Most likely, this will be done by sending RST (Reset) or FIN (Finish) packets.
• There are different reasons for a Server/client to send such packets.
  • https://stackoverflow.com/questions/251243/what-causes-a-tcp-ip-reset-rst-flag-to-be-sent
• But such packets will close and delete the connection on XG. That's a normal way to act with such packets.
• However, if one site decides to send multiple packets or respond to such packets, Sophos Firewall will drop them with Invalid Traffic.

This is most likely not an issue at all. If a service isn’t working fine on the server side, the client will kill a session immediately, and such traffic will be displayed as invalid traffic.

There is no issue with the Sophos firewall. It’s an issue with the Client/server.

Clean up process

Another point is such "clean up" processes. 

• Web Server has a process or scheduled task to kill all "abandoned" sessions.
• An abandoned session on a web server is most likely one that has not had any traffic in X hours.
• So, the server will start killing those Sessions and sending multiple RST/FIN packets to the Firewall / Client behind the Firewall.

Sophos Firewall keeps such sessions for 3 hours per default. After 3 hours of idle, this session will be deleted. If the web server sends an RST packet after 5 hours, the Firewall will drop such packets as invalid traffic.

You can increase the Conntrack Timeout value to 24 Hours or turn off such invalid traffic logging.

Personal opinion: I disable Invalid Traffic on all my Sophos Appliances because I do not value such logging.

---

Added Horizontal Lines, Correct Grammar & Spelling and removed XG
[edited by: Erick Jan at 1:45 AM (GMT -7) on 10 Oct 2024]