
Identify which Packet filter (firewall) rule was used to allow or block?

Short of enabling logging for all firewall rules, is there some way of seeing which rule allowed or blocked certain traffic? Something in console/command line?



  • Not that I know of, Jay.  What motivates this question?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • My network topology is:

    ONT (wan) -- UTM -- Vlans

    The ONT is hardcoded to a 192.168.1.254 IP. UTM has an additional address defined for the WAN interface (in addition to DHCP).

    I set this up 3 years ago so I could access the ONT from one of the vlan interfaces. Was trying to remember if I did it as a DNAT rule or just a firewall rule.  Turns out it's the latter.  BUT, I couldn't find an explicit rule that allowed such access. It wasn't the web proxy either as disabling that still allowed access.  There's about 60 active firewall rules in place. One of them is responsible for allowing this traffic.

  • Since you have identified the specific IP address you want to monitor, have you tried opening the FW live log and filtering on that specific IP address?

    Good Luck

  • Therein lies the rub. How is the log going to show anything when most of the rules have logging turned off? Logging is enabled for a handful of very specific rules.  Otherwise log files would grow insanely large.

  • I'm not sure why I'm being attacked for making a friendly suggestion. But anyway.

    Good Luck

  • Could you try a Policy Test (available as the other tab when you View Logs)? It's mainly to test web policies, hence the name, but does give information on firewall rule matches.

    Or maybe Diagnostics > Connection List with appropriate filtering? (I just tried this and in my particular use case it unfortunately shows "No Rule" for the Rule ID, so maybe not foolproof.)

    Or maybe Diagnostics > Packet Capture? That seems to show Rule ID.

  • The only Policy Test I see is under the web protection/policy helpdesk. This becomes disabled when webfiltering is turned off.  I'm on a home license if that makes a difference.  Maybe I'm not looking for it at the right place... What's the exact path?

    I don't see diagnostics/connection list either.

    Are you in UTM or XG?  I'm using UTM.

  • OOPS, I was looking at "Top postings" and got sucked into a UTM question. Sorry, I'm referring to the XG.

  • You'll need to grow a thicker skin if you considered my response an attack.

    I was simply responding to your reply which didn't make much sense in the context of what I posted just above it. Sure, I can go back and edit each of the 60+ active rules to enable logging. This type of logging is not enabled by default. Then the firewall log should show which rule is allowing the traffic to pass. Doing this is quite inefficient and time consuming. Was hoping there was another mechanism that would reveal this information.
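    Once logging is enabled on the rules in question, the UTM packetfilter log carries the matched rule number in each entry, so the question becomes one of filtering that log by the ONT's address. The following is an added example, not code from the thread or from Sophos: it parses constructed log lines in the key="value" shape of the UTM ulogd packetfilter log (field names fwrule, srcip, dstip, action and sub are assumed) and reports which rule IDs accepted or dropped packets to or from a given host. It can only ever see rules that actually log, which is the limitation the thread is about.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of Sophos UTM packetfilter (ulogd)
# entries. Field names (fwrule, srcip, dstip, action, sub) are assumed, not
# taken from the thread; rule numbers and addresses are made up.
SAMPLE_LOG = """\
2024:01:15-10:00:01 utm ulogd[2201]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" initf="eth1" srcip="192.168.10.5" dstip="192.168.1.254" proto="6" srcport="51020" dstport="80"
2024:01:15-10:00:02 utm ulogd[2201]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.10.5" dstip="192.168.1.254" proto="6" srcport="51021" dstport="443"
2024:01:15-10:00:03 utm ulogd[2201]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="12" initf="eth1" srcip="192.168.10.5" dstip="192.168.1.254" proto="1"
2024:01:15-10:00:04 utm ulogd[2201]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="7" initf="eth1" srcip="192.168.10.8" dstip="8.8.8.8" proto="17" srcport="5353" dstport="53"
not a firewall line
"""

# Matches each key="value" pair in a log entry.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key/value fields of a packetfilter entry, or None otherwise."""
    fields = dict(KV_RE.findall(line))
    if fields.get("sub") != "packetfilter":
        return None
    return fields


def rules_for_host(log_text, host):
    """Count packets per (fwrule, action) where host is the source or destination."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if host not in (f.get("srcip"), f.get("dstip")):
            continue
        counts[(f.get("fwrule", "?"), f.get("action", "?"))] += 1
    return counts


if __name__ == "__main__":
    # Which logged rules touched traffic to/from the ONT address?
    for (rule, action), n in sorted(rules_for_host(SAMPLE_LOG, "192.168.1.254").items()):
        print(f"rule {rule:>6} {action:<7} {n} packet(s)")
```

On a real box the same filtering can be done against /var/log/packetfilter.log; rule 60001 in the constructed data stands in for the implicit default-drop entry that UTM logs under a high rule number.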

  • My suggestion requires a bit of troubleshooting and apparently you're lacking in that department.  I never suggested enabling all your FW rules