Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.
This article explains the different reasons packets are dropped by Sophos Firewall and helps beginners find the cause of a packet drop.
Packets dropped by the following security features are displayed in Log Viewer.
Note: Log Viewer keeps a limited number of records. It’s recommended to check the Log Viewer regularly, before the records get rotated.
To view packets dropped by the firewall, go to Sophos Firewall web admin > Log Viewer, and then choose Firewall in the log drop-down menu.
To make the Firewall page easier to read, I recommend resetting the columns. Click the "Add/remove columns" button, and then click "Reset to default".
To filter for dropped packets, click "Add filter" and set "Log subtype, is not, Allowed". See the screenshot below for reference.
Kindly note that dropped packets marked Invalid Traffic, Denied, or firewall rule N/A aren’t a problem in most cases; there is no need to worry about them.
There are several types of Invalid Traffic.
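When the logs are exported to a syslog collector instead of read in Log Viewer, the same "Log subtype is not Allowed" filter can be applied in a script. The following is an added example, not code from this article or from Sophos: it parses key=value log lines in the style Sophos Firewall uses for syslog export, keeps only the non-Allowed records, and summarises them by feature, subtype and firewall rule ID, which is the first question to answer for any drop. The field names (log_type, log_subtype, fw_rule_id, src_ip, dst_ip, ...) are assumed from that format and the sample lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log lines in the key=value style Sophos Firewall uses for
# syslog export. Field names are assumed from that format; values are made up
# to mirror the scenarios in the article (web filter, app control, ping drop).
SAMPLE_LOGS = [
    'log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=5 '
    'src_ip=192.168.20.7 dst_ip=93.184.216.34 protocol="TCP" dst_port=443',
    'log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id=0 '
    'src_ip=192.168.20.7 dst_ip=192.168.15.15 protocol="ICMP" dst_port=0',
    'log_type="Firewall" log_subtype="Invalid Traffic" status="Deny" fw_rule_id=0 '
    'src_ip=10.0.0.5 dst_ip=192.168.20.25 protocol="TCP" dst_port=80 '
    'message="Could not associate packet to any connection"',
    'log_type="Web Filter" log_subtype="Denied" status="Deny" fw_rule_id=5 '
    'src_ip=192.168.20.7 dst_ip=203.0.113.10 protocol="TCP" dst_port=80 '
    'category="Online chat" url="http://line.me/"',
    'log_type="Application Filter" log_subtype="Denied" status="Deny" fw_rule_id=5 '
    'src_ip=192.168.20.19 dst_ip=10.176.200.51 protocol="TCP" dst_port=21 '
    'application="FTP Base"',
]

# key=value pairs; the value is either "quoted text" (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S*))')


def parse_line(line):
    """Parse one key=value log line into a dict, with quoted values unquoted."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def dropped_packets(lines):
    """Script equivalent of the Log Viewer filter 'Log subtype is not Allowed'."""
    return [f for f in map(parse_line, lines) if f.get("log_subtype") != "Allowed"]


def summarize_drops(lines):
    """Count drops by (log_type, log_subtype, fw_rule_id): which feature and
    which rule dropped the packet."""
    return Counter(
        (f.get("log_type"), f.get("log_subtype"), f.get("fw_rule_id"))
        for f in dropped_packets(lines)
    )


def drops_for_host(lines, ip):
    """Drops where the host is source or destination, for the question
    'why can't this computer reach X'."""
    return [f for f in dropped_packets(lines) if ip in (f.get("src_ip"), f.get("dst_ip"))]


if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_LOGS).items():
        print(n, key)
    for f in drops_for_host(SAMPLE_LOGS, "192.168.20.7"):
        print(f["log_type"], f["log_subtype"], f.get("message") or f.get("url") or f["dst_ip"])
```

Running it lists one line per feature/subtype/rule combination, so a Firewall "Denied" with rule ID 0 (no rule matched) stands out from a Web Filter "Denied" under rule 5, which is working as configured.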
Sophos Firewall web admin> Log Viewer > Web filter shows packets dropped by Web filter.
To show only dropped packets, click "Add filter" and set "Log subtype is not Allowed".
Here is an example where internal computer 192.168.20.7 cannot access the website http://line.me; the website category is "Online chat", and the related firewall rule ID is 5.
Go to Sophos Firewall web admin > Rules and policies, and check the details of firewall rule ID 5. Web policy "No Online Chat" is applied.
Therefore, Sophos Firewall denied the web access as configured.
Sophos Firewall web admin> Log Viewer > Application filter shows packets dropped by the Application filter.
Here, we see that a user is denied access to the destination and the traffic is identified as “Aloha Browser”, and the related firewall rule is ID 5.
Firewall rule ID 5 has application control turned on to block risk level 4 and 5 apps. Therefore, Sophos Firewall denies the user access as configured.
Sophos Firewall web admin> Log Viewer > IPS shows packets dropped by Intrusion Prevention.
Here is an example where internal computer 192.168.15.15 can't download a file from 65.8.33.12, as the traffic was identified as EICAR. The related firewall rule is ID 5.
Firewall rule ID 5 has IPS enabled. Therefore, Sophos Firewall dropped the traffic as configured.
Sophos Firewall web admin > Log Viewer > Advanced threat protection shows packets dropped by Advanced threat protection.
Here is an example where internal computer 192.168.20.7 can't query DNS server 192.168.20.250 for a hostname, because Sophos Firewall detected that the hostname is malicious and dropped the DNS query.
Go to Sophos Firewall web admin > Advanced Protection; we can see Advanced threat protection is enabled, and Policy is set to "Log and drop". Therefore, Sophos Firewall dropped the packet as configured.
Sometimes, SSL/TLS inspection might fail to decrypt a session and cause an error.
To view records of SSL/TLS inspection, go to Sophos Firewall web admin > Log Viewer, and then choose logs of SSL/TLS inspection.
Create a filter and set "Action is Error", to show errors.
In the example, an internal computer cannot visit browser.events.data.msn.com due to "TLS engine error: FLOW_TIMEOUT".
The error causes the web access to fail. We can configure Sophos Firewall to exclude the website from SSL/TLS decryption.
For traffic destined for servers protected by web server protection, Sophos Firewall might drop a packet if it’s identified as an attack.
To view packets dropped by web server protection, go to Sophos Firewall web admin > Log Viewer, and then choose logs of web server protection.
In the example, source computer 10.176.205.52 isn’t allowed to access the web server due to "WAF Anomaly", and the firewall rule for WAF is ID 3.
Firewall rule ID 3 has the web server protection policy enabled.
Checking the details of the protection policy, we can see the Mode is set to Reject, and the Common threat filter is enabled.
Therefore, Sophos Firewall dropped the web server access as configured.
In this example, PC and HTTP Server are connected by a Sophos Firewall.
However, the PC can't access the HTTP service hosted on the server.
Log Viewer > Firewall shows a packet from the Server to the PC was dropped by Sophos Firewall with the reason "Could not associate packet to any connection".
To verify if the dropped packet is a problem or not, we need to capture packets.
In Sophos Firewall web admin, go to Diagnostics > Packet capture, and click Configure to add a packet filter.
We want to capture packets between the PC and the HTTP server, so we’ll enter the packet filter string “host 192.168.20.25 and port 80”.
Save the filter and turn on Packet capture.
Note:
Reproduce the issue by attempting to access the HTTP server from the PC again, and then click Refresh on the page to view the captured packets.
We can see Sophos Firewall received the reply packet from the Server to the PC, but no packets from the PC to the Server. That indicates asymmetric routing in the network: the request reaches the server by a path that bypasses the firewall, so the firewall has no connection to associate the reply with.
The solution is to fix asymmetric routing in the network. Once it’s fixed, the PC can visit the HTTP Server.
In the example, the internal computer behind Sophos Firewall has a problem visiting youtube.com, where the video preview isn’t loaded.
To troubleshoot the issue,
Therefore, it is a misconfigured firewall rule.
The solution is to disable the firewall rule; the YouTube website can then be loaded without any problem.
In the example, LAN PC 192.168.20.19 cannot access an FTP server on the Internet.
We need to capture packets in Sophos Firewall web admin to find out whether Sophos Firewall forwards traffic between the LAN PC and the FTP server.
In packet capture we need to provide an IP address, not a hostname, so the first step is to look up the IP address of the FTP server with the nslookup command on the LAN PC.
The output of nslookup shows the FTP server has 2 IP addresses:
To capture packets on both IP addresses, the packet capture filter is "host 10.176.200.51 or host 10.176.200.52".
In Sophos Firewall web admin> Diagnostics > Packet capture, toggle off packet capture, set the packet capture filter to "host 10.176.200.51 or host 10.176.200.52", and then toggle to turn on the packet capture.
Reproduce the issue on the LAN PC, and then toggle OFF packet capture immediately.
We can see the FTP traffic from the LAN PC to the external FTP server is controlled by firewall rule ID 5.
Check the details of firewall rule ID 5; the application control policy "Block high risk (Risk level 4 and 5) apps" is enabled.
The next step is to check if the FTP session is dropped by application control.
Go to Log Viewer > Application filter; it shows the FTP traffic is dropped, and the application is "FTP Base".
Therefore, Sophos Firewall dropped the FTP connection as configured.
To work around it, we can disable application control in firewall rule ID 5.
Note: Another workaround is to create a new firewall rule for the FTP traffic without application control.
In the example, remote access SSL VPN users can't download large files from the internal web server.
Users can log in to SSL VPN and ping internal resources without problems.
We noticed that remote access SSL VPN has been configured to use UDP.
To troubleshoot the issue,
That indicates the UDP traffic of SSL VPN was dropped by Sophos Firewall due to DoS protection.
The workaround is to increase the default limit of UDP flood. I also increased the default limit of TCP flood, as traffic to and from the web server is on TCP.
Now, the remote access SSL VPN user can download files from the internal web server without any problem.
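Why a single legitimate VPN client trips flood protection is easier to see with a model of the per-source packet-rate check. The following is an added example, not code from this article or from Sophos, and it is a simplified model rather than the firewall's actual algorithm: each (source, protocol) pair gets a one-second sliding window, and once the number of packets forwarded in that window reaches the limit, further packets are dropped. The limits, addresses and packet timings are constructed for the example; a bulk download over an SSL VPN tunnel on UDP produces hundreds of tunnel packets per second from one source, which is exactly the pattern a UDP flood limit is looking for.

```python
from collections import Counter, defaultdict, deque


def simulate_flood_protection(packets, limits, window=1.0):
    """Classify each packet as 'forward' or 'drop' under a per-source
    packets-per-second limit (simplified model of UDP/TCP flood protection).

    packets: list of (time_seconds, src_ip, proto) sorted by time.
    limits:  {proto: max packets per source per window}; protocols with no
             entry are always forwarded.
    """
    recent = defaultdict(deque)   # (src, proto) -> timestamps of forwarded packets
    verdicts = []
    for t, src, proto in packets:
        limit = limits.get(proto)
        if limit is None:
            verdicts.append("forward")
            continue
        q = recent[(src, proto)]
        while q and t - q[0] >= window:   # slide the window forward
            q.popleft()
        if len(q) >= limit:
            verdicts.append("drop")       # over the limit: dropped, not counted
        else:
            q.append(t)
            verdicts.append("forward")
    return verdicts


def drops_by_source(packets, verdicts):
    """Count dropped packets per (src_ip, proto)."""
    counts = Counter()
    for (t, src, proto), verdict in zip(packets, verdicts):
        if verdict == "drop":
            counts[(src, proto)] += 1
    return counts


def build_sample():
    """Constructed traffic: one SSL VPN client (UDP tunnel) pulling a large file,
    600 tunnel packets within one second, plus a LAN host doing 50 DNS queries."""
    pkts = [(i / 600, "203.0.113.7", "UDP") for i in range(600)]   # VPN client download
    pkts += [(i / 50, "192.168.20.7", "UDP") for i in range(50)]    # normal DNS chatter
    return sorted(pkts)


if __name__ == "__main__":
    sample = build_sample()
    # Placeholder limits: the real defaults are under Intrusion prevention > DoS & spoof protection.
    for limits in ({"UDP": 300}, {"UDP": 1000}):
        verdicts = simulate_flood_protection(sample, limits)
        print(limits, dict(drops_by_source(sample, verdicts)))
```

With the lower limit the VPN client loses half of its tunnel packets while the DNS host is untouched; with the higher limit nothing is dropped. That is the behaviour behind the symptom above: small pings and logins stay under the limit, and only the bulk transfer fails.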
Sometimes, we might experience the problem of ping failure.
In the example, PC 192.168.20.7 behind Sophos Firewall LAN Port1 can't ping another PC 192.168.15.15 behind Sophos Firewall LAN Port3.
To troubleshoot the issue, capture the packet to see if Sophos Firewall receives and forwards the ping packets.
Go to Sophos Firewall web admin > Diagnostics > Packet capture, and enter "host 192.168.15.15 and ICMP" as the filter string, to capture the ping packets sent from/to 192.168.15.15.
Reproduce the issue with ping, and then refresh the Packet capture page.
We can see Sophos Firewall received the ping packet sent by 192.168.20.7 on LAN Port1, but it didn't forward the ping packet to the destination; the Status is "Violation" and the Reason is "Firewall", which indicates no firewall rule allows the traffic.
Therefore, the solution is to create a firewall rule to allow the traffic.
Once the firewall rule for the traffic is created, 192.168.20.7 can ping 192.168.15.15.
Go back to Sophos Firewall web admin> Diagnostic > Packet capture, to capture packets again.
We can see
It’s possible that network access failure can be caused by routing issues, and packet capture can help us to identify that.
In the example, LAN PC 192.168.20.19 can't access PC 192.168.25.16 in a remote IPsec VPN network.
Let's check if Sophos Firewall receives the ping packet from LAN PC, and forwards it out into IPsec VPN tunnel.
Go to Sophos Firewall > Diagnostics > Packet capture, set the packet filter string to be "host 192.168.25.16 and ICMP", and toggle ON packet capture.
Reproduce the issue by pinging from the LAN PC again.
Packet capture shows Sophos Firewall forwarded the ping packet out on Port5.
Port5 is the WAN interface on Sophos Firewall. Sophos Firewall should forward the ping packet out on IPsec VPN virtual interface, not the WAN Port5.
This is a routing issue. We need to check the routing configuration on the Sophos Firewall.
Go to Sophos Firewall webadmin > Routing > SD WAN routes, and find the SD-WAN route:
Therefore, the cause of the problem is that Sophos Firewall forwards all traffic out on Port5, due to the SD-WAN route.
The workaround is to make the SD-WAN route apply only to traffic destined for the Internet. Edit the Destination networks, and set it to "Internet IPv4".
Now, the LAN PC can ping the PC in the remote IPsec VPN network.
If we capture the packet again, we can see Sophos Firewall forwarded the ping packet out on XFRM, which is the virtual interface of route-based IPsec VPN.
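The three packet-capture diagnoses above (one direction missing in the HTTP server case, Status "Violation" with Reason "Firewall" in the ping case, and the wrong out interface in the IPsec case) are the same three questions asked of the capture table. The following is an added example, not code from this article or from Sophos: it runs those checks over constructed capture rows. The column names, interface names (including "xfrm1" for the IPsec virtual interface) and the status/reason strings "Forwarded", "Violation", "Firewall" and "Invalid Traffic" are assumed for the example, not copied from a real capture.

```python
import ipaddress
from collections import defaultdict

# Constructed packet-capture rows modelled on the columns shown under
# Diagnostics > Packet capture; interface, status and reason strings are assumed.
CAPTURE = [
    # Healthy flow: both directions seen, LAN Port1 <-> WAN Port5.
    {"in": "Port1", "out": "Port5", "src": "192.168.20.7", "dst": "93.184.216.34",
     "proto": "TCP", "status": "Forwarded", "reason": ""},
    {"in": "Port5", "out": "Port1", "src": "93.184.216.34", "dst": "192.168.20.7",
     "proto": "TCP", "status": "Forwarded", "reason": ""},
    # Asymmetric routing: only the server's reply ever reaches the firewall.
    {"in": "Port2", "out": "", "src": "192.168.20.25", "dst": "192.168.20.7",
     "proto": "TCP", "status": "Violation", "reason": "Invalid Traffic"},
    # No firewall rule matches the ping from Port1 to Port3.
    {"in": "Port1", "out": "", "src": "192.168.20.7", "dst": "192.168.15.15",
     "proto": "ICMP", "status": "Violation", "reason": "Firewall"},
    # SD-WAN route sends VPN-bound traffic out the WAN port instead of the IPsec interface.
    {"in": "Port1", "out": "Port5", "src": "192.168.20.19", "dst": "192.168.25.16",
     "proto": "ICMP", "status": "Forwarded", "reason": ""},
]


def flow_directions(rows, proto=None):
    """Map each unordered host pair to the set of (src, dst) directions observed."""
    seen = defaultdict(set)
    for r in rows:
        if proto is None or r["proto"] == proto:
            seen[frozenset((r["src"], r["dst"]))].add((r["src"], r["dst"]))
    return seen


def one_way_flows(rows, proto="TCP"):
    """Host pairs where the firewall only ever saw one direction. For TCP a
    connection needs both directions, so a reply-only flow points at
    asymmetric routing (the request bypassed the firewall)."""
    return sorted(
        tuple(sorted(pair))
        for pair, dirs in flow_directions(rows, proto).items()
        if len(dirs) == 1
    )


def violations(rows):
    """(src, dst, reason) for packets the firewall refused to forward;
    reason 'Firewall' means no rule allowed the traffic."""
    return [(r["src"], r["dst"], r["reason"]) for r in rows if r["status"] == "Violation"]


def wrong_egress(rows, expected):
    """Forwarded packets whose out interface is not the one we expect for the
    destination network. expected: {cidr: interface_name}."""
    nets = [(ipaddress.ip_network(cidr), iface) for cidr, iface in expected.items()]
    bad = []
    for r in rows:
        if r["status"] != "Forwarded":
            continue
        dst = ipaddress.ip_address(r["dst"])
        for net, iface in nets:
            if dst in net and r["out"] != iface:
                bad.append((r["src"], r["dst"], r["out"], iface))
    return bad


if __name__ == "__main__":
    print("one-way TCP flows (asymmetric routing?):", one_way_flows(CAPTURE))
    print("violations:", violations(CAPTURE))
    # The remote IPsec network should leave via the route-based VPN interface (assumed name).
    print("wrong egress:", wrong_egress(CAPTURE, {"192.168.25.0/24": "xfrm1"}))
```

Each function answers one of the questions asked above: one_way_flows flags the HTTP server flow where only the reply was seen, violations lists the ping that no rule allows, and wrong_egress catches the packet leaving on Port5 when the destination is behind the IPsec tunnel.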
Note
If a problem can't be identified by the steps above, please try to disable the following to find out which feature causes the problem:
Very informative. Thank you!