Sophos creates "Auto-generated rule" entries in Firewall log

RE: Sophos creates "Auto-generated rule" entries in Firewall log

Rumak18 — Mon, 20 Sep 2021 18:56:00 GMT

No, it's not about DNS, although i've given you an example with DNS.

It definitely concerned the whole traffic from this machine. Especially as i've seen first SMTP with 587. And that's originally what i've been doing and what caused the block for 24 hours with such log files. Every blocked traffic from this machine had this id "60023" , no matter which port from this blocked machine.

RE: Sophos creates "Auto-generated rule" entries in Firewall log

BAlfson — Mon, 20 Sep 2021 15:31:30 GMT

fwrule="60023" is new to me and not found in the documentation. My guess is that 19.168.130.90 is set to use the UTM for DNS (dstport="53"), but is not included in 'Allowed Networks' for DNS in WebAdmin. If that's not it, what does Sophos Support have to say?

Cheers - Bob

RE: Sophos creates "Auto-generated rule" entries in Firewall log

Rumak18 — Mon, 20 Sep 2021 06:55:16 GMT

Hi,

so here is the full log entry from /var/log/packetfilter/2021/09/packetfilter-2021-09-17.log.gz

2021:09:17-08:23:45 MYSGNAME-1 ulogd[5081]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60023" initf="eth0.130" srcmac="00:1b:32:56:bd:7f" dstmac="00:1b:8c:f0:ba:20" srcip="192.168.130.90" dstip="192.168.130.1" proto="17" length="66" tos="0x00" prec="0x00" ttl="64" srcport="48055" dstport="53"

RE: Sophos creates "Auto-generated rule" entries in Firewall log

BAlfson — Sun, 19 Sep 2021 12:15:28 GMT

Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly. Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file. Please post the line corresponding to the one above. If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51. That lets us see immediately which IPs are local and which are identical or just in the same subnet.

Cheers - Bob

RE: Sophos creates "Auto-generated rule" entries in Firewall log

Rumak18 — Sat, 18 Sep 2021 21:02:30 GMT

@ Amodin:

No, it's no XG. IT's a SG430. And in fact, this is the log. Of course, there is still some information about source MAC and target MAC, but in the end that's all. And it lasted as predicated for exactly 24 hours as i've retyped too many times (5 imes?) the wrong passwort for SMTP sending with telnet. So, in fact this was a behaviour i would expect from sophos. BUT how can one revert this for specific ips.

@Balfson:

As already written, yes, this is a copy from the firewall log (GUI) . I can send the whole line (With mac information) but i don't think this will help us to stop such a rule.

Thank you to both of you!

RE: Sophos creates "Auto-generated rule" entries in Firewall log

BAlfson — Sat, 18 Sep 2021 17:33:30 GMT

If that's copied from the Live Log, show us the corresponding line from the full Firewall log file.

Cheers - Bob

RE: Sophos creates "Auto-generated rule" entries in Firewall log

Amodin — Fri, 17 Sep 2021 13:31:21 GMT

Is this XG? The UTM logs don't look like this. If it is XG, you may want to post on their forum site. If you are using UTM, you can post the logs here.