Sophos Firewall: Troubleshoot a broken application in SFOS

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Hi all, 

If an application or a particular connection is not working and you see "Invalid Traffic" in the firewall Log Viewer, it could be related to an issue with the firewall. Here are some steps to troubleshoot this issue.

First of all, Invalid Traffic does not mean the firewall is closing the connection. See: https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/LogViewer/InvalidTrafficEvents/index.html

Invalid Traffic could just be an application closing the connection for any number of reasons. For example, a user typing wrong credentials into the application can result in a closed connection. Certain applications "burst" when closing the connection, and those bursts are likely logged in the firewall as "Invalid traffic."

You should check the firewall for the matching firewall rule and NAT rule. The first step is to go to the Log Viewer and check that the connection shows a green (allowed) entry from the firewall. If the firewall allows the connection, it's doing its job correctly.
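To make the "was it actually allowed?" check repeatable when the Log Viewer shows many entries, here is an added example (not part of the original post and not a Sophos tool) that correlates each "Invalid Traffic" event with a preceding firewall-rule allow for the same 5-tuple. The log lines are constructed to resemble the SFOS key=value syslog format; the field names (log_component, status, src_ip, dst_ip, src_port, dst_port, protocol, fw_rule_id) are assumptions for illustration, so adjust them to the exact fields your firewall exports.

```python
"""Correlate SFOS "Invalid Traffic" events with firewall allow events.

Added example, not part of the original post or a Sophos tool. The log lines
below are constructed to resemble SFOS key=value syslog output; the field
names are assumptions for illustration.
"""
import re

# Constructed sample log lines (not real device output). Flow 1 was allowed
# by rule 12 and later produced an Invalid Traffic entry (typical of the
# application closing the session). Flow 2 only ever shows Invalid Traffic,
# so the matching firewall/NAT rule should be checked.
SAMPLE_LOGS = """\
device="SFW" date=2023-09-25 time=10:01:02 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=12 src_ip=10.0.0.5 dst_ip=203.0.113.10 protocol="TCP" src_port=51000 dst_port=443
device="SFW" date=2023-09-25 time=10:01:05 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=10.0.0.5 dst_ip=203.0.113.10 protocol="TCP" src_port=51000 dst_port=443
device="SFW" date=2023-09-25 time=10:02:00 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=10.0.0.7 dst_ip=198.51.100.4 protocol="UDP" src_port=40000 dst_port=5060
device="SFW" date=2023-09-25 time=10:02:30 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 src_ip=10.0.0.9 dst_ip=198.51.100.9 protocol="TCP" src_port=42000 dst_port=22
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def flow_key(ev):
    """5-tuple identifying a connection in the log."""
    return (ev["src_ip"], ev["src_port"], ev["dst_ip"], ev["dst_port"], ev["protocol"])


def classify_invalid_traffic(log_text):
    """Return {flow_key: verdict} for every Invalid Traffic event.

    'allowed-then-closed': a Firewall Rule allow was logged for the same
        5-tuple, so the firewall permitted the session; the later Invalid
        Traffic entry most likely reflects the application closing it.
    'no-allow-seen': no matching allow was logged; check the firewall and
        NAT rule that should match this traffic.
    """
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    allowed = {
        flow_key(ev)
        for ev in events
        if ev.get("log_component") == "Firewall Rule" and ev.get("status") == "Allow"
    }
    verdicts = {}
    for ev in events:
        if ev.get("log_component") == "Invalid Traffic":
            key = flow_key(ev)
            verdicts[key] = "allowed-then-closed" if key in allowed else "no-allow-seen"
    return verdicts


if __name__ == "__main__":
    for key, verdict in classify_invalid_traffic(SAMPLE_LOGS).items():
        src_ip, src_port, dst_ip, dst_port, proto = key
        print(f"{proto} {src_ip}:{src_port} -> {dst_ip}:{dst_port}: {verdict}")
```

Feed it a syslog export from the firewall (or paste the relevant lines) and only the flows reported as "no-allow-seen" need a closer look at the rule base; the others were green at the firewall level and the next stop is the Detailed View for the DPI, web filter and IPS modules.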

The next step is to move to "Detailed View":

The Detailed View lists all the different modules involved in the connection in one place. It is helpful to look at the entire connection there to find out which modules are active.

Here we see the firewall allowing the traffic, the DPI engine not decrypting, and the web filter allowing the traffic. If an IPS alert were dropping the connection, it would be listed here. If there is an ATP/IPS alert, you have to decide whether it is a false positive and configure an exception, or take action based on your research.

If the connection is green on all levels and is still not working, you can try the following settings to see if it helps:

1. Try to bypass the ATP for this specific firewall rule: https://support.sophos.com/support/s/article/KB-000038900?language=en_US 

2. Try to disable the entire DPI engine under Protect > Rules and policies > SSL/TLS inspection rules > SSL/TLS inspection settings > Advanced settings

3. Try to disable the Fastpath engine: from the console (option 4 in the CLI menu), type: system firewall-acceleration disable

If you see an issue with a certain application while other tools like ping, nslookup, etc. are working fine, you can look at the packet capture: https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Diagnostics/PacketCapture/index.html#captured-packet
Packet Capture is a valuable tool in the WebAdmin to see whether the connection is working at the TCP/UDP level.



Edited doc guide links to latest (19.5), screenshot and configuration location on step#2
[edited by: Raphael Alganes at 3:14 AM (GMT -7) on 25 Sep 2023]