Default Drop in Forward Chain

We use the 8x8 Work Desktop application. The app employs WebRTC and I'm getting a few hundred thousand default drops for UDP packets going to 8x8 turn servers every 24 hours. The turn server IP addresses (all 8x8 IP addresses for that matter) are in the proxy skip list and have an IPS exception. I can't figure out where this drop is in the forward chain. The proxy is in transparent mode with the allow HTTP/S box checked. QoS is not applied to turn server traffic. The drop is happening for port 80 and 443.

Firmware version: 9.705-3

id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcmac="<redacted>" dstmac="<redacted>" srcip="192.168.xxx.xxx" dstip="129.159.81.24" proto="17" length="48" tos="0x00" prec="0x00" ttl="127" srcport="59581" dstport="443"

The firewall rule this is firing on is LAN1 -> <port allow list> -> intv4/intv6

  • Please show a picture of 'Allowed Networks' in Web Filtering and confirm which network contains "192.168.xxx.xxx."  Also a picture of the 'HTTPS Scan Settings' box.  Finally, a picture of the Edit of your firewall rule with the "LAN1" object open in Edit with 'Advanced' open as below:

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Have you had the opportunity to look at my reply?

  • FormerMember, in reply to Ryan Miller2

    Hi,

    The firewall rule fwrule="60002" generally means the traffic was not destined for the UTM, and no firewall rule matched that packet (also, no transparent interception was applied). This is known as a 'Default Drop' because, by default, packets with no matching firewall rule are dropped.

    Please create a firewall rule matching the traffic's source, service, and destination to resolve this issue.

    Reference KBA: Packetfilter logfiles on the Sophos UTM.

    Thanks,

  • The strange thing to me is that the turn server IP addresses aren't on the 8x8 ACL list, but I added the host definition then I added the host definition to the 8x8 group that I have in the proxy skip list with the allow HTTP/S box checked (image below). The way I understand this is that Example 1 is fwrule 60001 (input chain) and is to identify drops because of an unopened port for internal to external traffic. Example 2 is fwrule 60002 (forward chain) and is to identify traffic that lacks any rules to route traffic that stays on the device such as internal to internal. In the case of example 2, the pentester is checking for access to our wireless LAN. Opening ports 80 and 443 would allow proxy bypass.

    These examples are from a recent pentest.

    Example 1

    id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="<redacted>" dstmac="<redacted>" srcip="192.168.0.xxx" dstip="<gateway>" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="60414" dstport="445" tcpflags="SYN"

    Example 2

    id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="wlan0" outitf="eth0" srcmac="<redacted>" dstmac="<redacted>" srcip="192.168.50.xxx" dstip="192.168.0.xxx" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="62604" dstport="3128" tcpflags="SYN"

    I have all other ports for 8x8 opened on the firewall without drops. Only traffic over ports 80 and 443 is giving me problems.
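The two rule numbers quoted above (60001 for the INPUT chain, 60002 for the FORWARD chain) are the only thing that tells a UTM default drop apart from an explicit drop rule in the packetfilter log. When the volume is "a few hundred thousand per day", grouping those lines by chain, interfaces, protocol and destination makes it obvious which one rule is missing. The following script is an added example, not part of the thread or of any Sophos tool: it parses the `key="value"` format shown in the log lines above, keeps only default drops, optionally restricts them to a set of destination IPs you are watching (the TURN servers here), and prints the source/service/destination tuple that a matching allow rule would need. The sample log lines are constructed for the example; the accepted line's `id` and `fwrule` values are placeholders, not real UTM identifiers.

```python
import re
from collections import Counter

# Constructed sample input in the UTM packetfilter format quoted in the thread.
# IPs and rule numbers other than 60001/60002 are placeholders, not real values.
SAMPLE_LOG = """\
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcmac="<redacted>" dstmac="<redacted>" srcip="192.168.1.10" dstip="129.159.81.24" proto="17" length="48" tos="0x00" prec="0x00" ttl="127" srcport="59581" dstport="443"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="<redacted>" dstmac="<redacted>" srcip="192.168.0.20" dstip="192.168.0.1" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="60414" dstport="445" tcpflags="SYN"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="wlan0" outitf="eth0" srcmac="<redacted>" dstmac="<redacted>" srcip="192.168.50.30" dstip="192.168.0.20" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="62604" dstport="3128" tcpflags="SYN"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth2" srcmac="<redacted>" dstmac="<redacted>" srcip="192.168.1.10" dstip="129.159.81.24" proto="17" length="48" tos="0x00" prec="0x00" ttl="127" srcport="59582" dstport="80"
id="<placeholder>" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="<placeholder>" initf="eth0" outitf="eth2" srcmac="<redacted>" dstmac="<redacted>" srcip="192.168.1.10" dstip="129.159.81.24" proto="17" length="48" tos="0x00" prec="0x00" ttl="127" srcport="3478" dstport="3478"
"""

# The log is a flat sequence of key="value" pairs; values never contain quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# The two implicit "default drop" rules named in the thread.
DEFAULT_DROP_RULES = {
    "60001": "INPUT (traffic addressed to the UTM itself)",
    "60002": "FORWARD (traffic routed through the UTM)",
}

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_line(line):
    """Turn one packetfilter log line into a dict; an empty/unparseable line gives {}."""
    return dict(KV_RE.findall(line))


def chain_name(fwrule):
    """Human-readable chain for a default-drop rule number, or None for an explicit rule."""
    return DEFAULT_DROP_RULES.get(fwrule)


def is_default_drop(rec):
    return rec.get("action") == "drop" and rec.get("fwrule") in DEFAULT_DROP_RULES


def summarize(lines, watch_dst=None):
    """Count default drops keyed by (fwrule, initf, outitf, proto, dstip, dstport).

    watch_dst: optional set of destination IPs to restrict the count to
    (for the thread's case, the TURN server addresses that are supposed to be allowed).
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_default_drop(rec):
            continue
        if watch_dst and rec.get("dstip") not in watch_dst:
            continue
        proto = rec.get("proto")
        key = (
            rec["fwrule"],
            rec.get("initf", "-"),
            rec.get("outitf", "-"),      # absent on INPUT-chain drops
            PROTO_NAMES.get(proto, proto),
            rec.get("dstip"),
            rec.get("dstport"),
        )
        counts[key] += 1
    return counts


def needed_rule(key):
    """Describe the allow rule (source interface -> service -> destination) a drop tuple implies."""
    fwrule, initf, outitf, proto, dstip, dstport = key
    return f"{chain_name(fwrule)}: allow {initf} -> {proto}/{dstport} -> {dstip} (out {outitf})"


def report(lines, watch_dst=None):
    """Return report lines, most frequent drop tuple first."""
    counts = summarize(lines, watch_dst)
    return [f"{n:>6}  {needed_rule(key)}" for key, n in counts.most_common()]


if __name__ == "__main__":
    # Typical use: only look at drops towards the hosts you believe are already allowed.
    for row in report(SAMPLE_LOG.splitlines(), watch_dst={"129.159.81.24"}):
        print(row)
```

Pipe the real packetfilter log into `report()` instead of the sample and pass the TURN server addresses in `watch_dst`: if every row it prints is in the FORWARD chain with a LAN inbound interface and an outbound WAN interface, the thread's diagnosis applies and an explicit allow for that source, service and destination is what is missing; if rows appear in the INPUT chain instead, the packets are being addressed to the UTM itself and a forward rule would not help.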

  • Your firewall rule doesn't have the HTTPS service, Ryan.  Although your current problem will be fixed by adding HTTPS, I would suggest you also change your Web Filtering configuration...

    'URL filtering only' on the 'HTTPS' tab means that only the very first connection of a user to a site with HTTPS goes through the web proxy.  After that, there's no control and no protection.   Best practice is 'Decrypt and scan'.  Doug Foster's excellent Securing and Configuring Web Filtering is a good place to get an overall understanding.  To avoid disruption, you will want to create a "Test" Web Filtering Profile with just your PC's IP in 'Allowed Networks' so that you can see what additional Exceptions and 'Transparent Mode Skiplist' entries you might need.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have an internal host group and standard mode web filter for TLS inspection for specific endpoints. I'm gradually bringing the rest of the endpoints into the TLS inspection group because of the administrative overhead needed for adding TLS scanning exceptions for websites based on our vertical. I haven't run into this issue before, even without having HTTPS in the firewall rule. Adding HTTPS, which is the second port tried by the application, won't fix the same connectivity issue with port 80. I had read that if you have a proxy subscription (transparent or standard mode) you shouldn't have an HTTP or HTTPS firewall rule.

  • This is where I read that 80 and 443 are unnecessary in a firewall rule if the proxy is running.

    https://support.sophos.com/support/s/article/KB-000034248?language=en_US

  • I like your approach to rolling out 'Decrypt and scan', Ryan.  The Transparent Mode Skiplist is valid only for Transparent Mode and has no effect when the Proxy is used explicitly by the browser (Standard mode), so you do need an explicit firewall Allow for your internal host group.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have two groups for two web profiles. One group is no TLS, using transparent mode, which is used for anything that isn't standard mode compatible, and some hosts in this group are also on the transparent mode skip list with allow HTTP/S checked (which I thought took care of the explicit firewall rules). The TLS inspection group has all hosts that are standard mode compatible. Both proxy modes are dropping turn server traffic and turn server traffic only. All other traffic over 80 and 443 (IP and web) is passed through without issue. If traffic over port 80 is being dropped then what does adding 443 do? Based on the documentation compared against my configuration, I don't see that I need to add an explicit firewall rule that would pass the traffic that's being dropped. I'll add 80 and 443 in the firewall and get back to you as to whether or not the dropping has stopped.