
Sophos Firewall: When a Firewall Rule was created

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This recommended read describes how to determine the date a Firewall Rule was created.

In our scenario, we created Firewall Rule #8 with the name Test_Date.

1. Log Viewer

In the Log Viewer, filter by Admin, then enter either the words "Firewall Rule" or the name of the Firewall Rule in the search box.

2. Logs

To check the logs, open an SSH connection to the Sophos Firewall, go to the Advanced Shell (5 > 3), change to the log directory (cd /log), and filter the firewall_rule log using the following command:

# grep "Test_Date" firewall_rule.log

XG125_XN03_SFOS 19.5.3 MR-3-Build652# grep "Test_Date" firewall_rule.log
2023-10-10 14:40:05: Firewall - Event: ADD for rule Test_Date. Firewall has 15 rules configured.
2020-10-10 14:40:15: Firewall - Event: MOVE. Firewall has 15 rules configured. First rule details => id: 1, name: Wifi_to_WAN, type: 2, schedule: , Active: 1 . Last rule details => id: 8, name: Test_Date, type: 1, schedule: , Active: 1. Total iptables chains: 15. First template is fw1_mark_mpre. Last template is fw8_mark_mpre.
2020-10-10 14:40:15: Firewall - Event: MOVE. Firewall has 15 rules configured. First rule details => id: 1, name: Wifi_to_WAN, type: 2, schedule: , Active: 1 . Last rule details => id: 8, name: Test_Date, type: 1, schedule: , Active: 1. Total iptables chains: 15. First template is fw1_mark_mpre. Last template is fw8_mark_mpre.
2020-10-10 14:40:16: Firewall - Event: ADD for rule Test_Date. Firewall has 15 rules configured. First rule details => id: 1, name: Wifi_to_WAN, type: 2, schedule: , Active: 1 . Last rule details => id: 8, name: Test_Date, type: 1, schedule: , Active: 1. Total iptables chains: 15. First template is fw1_mark_mpre. Last template is fw8_mark_mpre.

If the logs have rotated, you won't be able to see when the firewall rule was created; however, you can always check in the database.
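
The grep above also returns MOVE events and any line whose rule details mention the name. As an added example (not part of the original article or of Sophos tooling), the shell function below keeps only "ADD for rule <name>" events in the line format shown above and prints the earliest timestamp. The function names, the constructed sample lines, and the availability of awk in the Advanced Shell are assumptions.

```shell
#!/bin/sh
# Added example. Input format follows the firewall_rule.log lines shown above:
#   "<YYYY-MM-DD HH:MM:SS>: Firewall - Event: ADD for rule <name>. ..."
# On the firewall (path from the article): rule_created Test_Date /log/firewall_rule.log

# rule_created NAME [FILE...]
# Prints the earliest timestamp of an ADD event for exactly NAME.
# Reads stdin when no FILE is given; returns 1 if no ADD event is found
# (for example, because the log has rotated).
rule_created() {
    name=$1
    shift
    # Pass the name through the environment so awk does not interpret
    # backslashes in it, and match it as a literal string, not a regex.
    RULE_NAME=$name awk '
        BEGIN { marker = ": Firewall - Event: ADD for rule " ENVIRON["RULE_NAME"] ". " }
        {
            # Append a space so a line ending right after "<name>." still matches.
            pos = index($0 " ", marker)
            if (pos == 0) next            # MOVE events, other rules, detail fields
            ts = substr($0, 1, pos - 1)   # text before the marker is the timestamp
            if (best == "" || ts < best) best = ts   # ISO timestamps sort as strings
        }
        END { if (best == "") exit 1; print best }
    ' "$@"
}

# Constructed sample lines (not taken from a real appliance).
sample_log() {
    cat <<'EOF'
2024-01-15 10:00:05: Firewall - Event: ADD for rule Test_Date. Firewall has 15 rules configured.
2024-01-15 10:00:15: Firewall - Event: MOVE. Firewall has 15 rules configured. Last rule details => id: 8, name: Test_Date, type: 1, schedule: , Active: 1.
2024-01-15 10:00:16: Firewall - Event: ADD for rule Test_Date. Firewall has 15 rules configured. Last rule details => id: 8, name: Test_Date, type: 1, schedule: , Active: 1.
2024-01-14 09:00:00: Firewall - Event: ADD for rule Test_Date_2. Firewall has 14 rules configured. Last rule details => id: 7, name: Test_Date, type: 1, schedule: , Active: 1.
EOF
}

sample_log | rule_created Test_Date
```

A non-zero exit status means no ADD event for that name is present in the files given, which is the case where the database check in the next section is needed.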

3. Database

To check the database (for this, you need to know the Firewall Rule ID), open an SSH connection to the Sophos Firewall, go to the Advanced Shell (5 > 3), and type the following:

# psql -U nobody corporate -c "select * from tblfirewallrule where ruleid='8'" -x;

-[ RECORD 1 ]-------+------------------------------
ruleid | 8
sourcezoneid |
destzoneid |
firewallaction | 1
ruletype |
attachidentity | f
snatprofileid | 1
webfilterid |
appfilterid |
idpid |
scheduleid |
logginglevel | 1
bandwidthid |
isenable | 1
nextorderid | -1
description |
name | Test_Date
wcatbasedbwpolicy |
routingpolicy | 0
imscanning | 0
appbasedbwpolicy |
dscpval | -1
wafscanning | 0
isuseractdisable | f
ipfamily | 0
nattype | 1
icapprofileid |
policytype | 1
heartbeat | 0
minpermittedhb | 3
ftp | 0
http | 0
https | 0
smtp | 0
smtps | 0
pop | 0
pops | 0
imap | 0
imaps | 0
isreflexive | 0
datatransfer | 0 B
islive | f
createdat | 2023-01-10 14:39:59.477903-08




Revamped RR
[edited by: Erick Jan at 10:19 AM (GMT -7) on 18 Sep 2024]