
Sophos creates "Auto-generated rule" entries in Firewall log

Hello folks,

I'm testing with SMTP settings in Sophos right now and have approximately five failed logins to the SMTP Sophos server. Now the source IP of my host is blocked completely by Sophos.

In the Firewall Packet Filter Log I see the following entries, but this concerns every packet that is now generated by 192.168.130.90.

192.168.130.1 is my sophos. 

09:16:48 Auto-generated rule UDP  
192.168.130.90 : 39846
192.168.130.1 : 53

There is no packet filter rule that corresponds with this behaviour. I guess it was created automatically for 24 hours, as I have seen this behaviour for some time. But how can I revert these settings for these trustworthy hosts?



  • @Amodin:

    No, it's not an XG. It's an SG430. And in fact, this is the log. Of course, there is still some information about source MAC and target MAC, but in the end that's all. And it lasted, as predicted, for exactly 24 hours, as I had retyped the wrong password too many times (5 times?) for SMTP sending with telnet. So, in fact, this was a behaviour I would expect from Sophos. BUT how can one revert this for specific IPs?

    @Balfson:

    As already written, yes, this is a copy from the firewall log (GUI). I can send the whole line (with MAC information) but I don't think this will help us to stop such a rule.

    Thank you to both of you! 

  • Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post the line corresponding to the one above.  If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical or just in the same subnet.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    So here is the full log entry from /var/log/packetfilter/2021/09/packetfilter-2021-09-17.log.gz:

    2021:09:17-08:23:45 MYSGNAME-1 ulogd[5081]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60023" initf="eth0.130" srcmac="00:1b:32:56:bd:7f" dstmac="00:1b:8c:f0:ba:20" srcip="192.168.130.90" dstip="192.168.130.1" proto="17" length="66" tos="0x00" prec="0x00" ttl="64" srcport="48055" dstport="53"

  • fwrule="60023" is new to me and not found in the documentation.  My guess is that 19.168.130.90 is set to use the UTM for DNS (dstport="53"), but is not included in 'Allowed Networks' for DNS in WebAdmin.  If that's not it, what does Sophos Support have to say?

    Cheers - Bob

     
  • No, it's not about DNS, although I've given you an example with DNS.

    It definitely concerned the whole traffic from this machine, especially as I first saw it with SMTP on 587. And that's originally what I was doing and what caused the block for 24 hours with such log files. All blocked traffic from this machine had this id "60023", no matter which port.
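
Added example (not part of the thread and not Sophos code): a short Python sketch that parses packetfilter lines in the key="value" format quoted above and lists source/fwrule pairs whose drops span more than one service, which is what separates a host-wide block such as the fwrule="60023" case from a single-service drop. The first sample line is the one posted above; the other two lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the entry posted in the thread; lines 2 and 3 are constructed samples.
SAMPLE_LOG = '''\
2021:09:17-08:23:45 MYSGNAME-1 ulogd[5081]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60023" initf="eth0.130" srcmac="00:1b:32:56:bd:7f" dstmac="00:1b:8c:f0:ba:20" srcip="192.168.130.90" dstip="192.168.130.1" proto="17" length="66" tos="0x00" prec="0x00" ttl="64" srcport="48055" dstport="53"
2021:09:17-08:23:51 MYSGNAME-1 ulogd[5081]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60023" initf="eth0.130" srcmac="00:1b:32:56:bd:7f" dstmac="00:1b:8c:f0:ba:20" srcip="192.168.130.90" dstip="192.168.130.1" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="51544" dstport="587"
2021:09:17-08:24:02 MYSGNAME-1 ulogd[5081]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="7" initf="eth0.130" srcmac="00:00:5e:00:53:01" dstmac="00:1b:8c:f0:ba:20" srcip="192.168.130.77" dstip="192.168.130.1" proto="6" length="60" tos="0x00" prec="0x00" ttl="64" srcport="40112" dstport="23"
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" pairs of one packetfilter line as a dict."""
    return dict(FIELD_RE.findall(line))


def summarize_drops(log_text):
    """Map (srcip, fwrule) to the set of (proto, dstport) pairs that were dropped."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("action") != "drop":
            continue  # only dropped packets are of interest here
        key = (fields.get("srcip", "-"), fields.get("fwrule", "-"))
        # ICMP and similar lines carry no dstport, so fall back to "-"
        summary[key].add((fields.get("proto", "-"), fields.get("dstport", "-")))
    return dict(summary)


def host_wide_blocks(log_text, min_services=2):
    """Source/rule pairs whose drops hit at least min_services distinct services."""
    return {key: sorted(services)
            for key, services in summarize_drops(log_text).items()
            if len(services) >= min_services}


if __name__ == "__main__":
    for (src, rule), services in host_wide_blocks(SAMPLE_LOG).items():
        listing = ", ".join(f"proto {p} port {d}" for p, d in services)
        print(f"{src} dropped by fwrule {rule} on: {listing}")
```

To run it against a real file, pass the decompressed contents of the day's packetfilter log to host_wide_blocks() in place of SAMPLE_LOG.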