Issues with Amazon Echo and Sophos, Quick question.

Hi all,

I am brand spanking new to Sophos firewall, and have been loving everything it's doing for my home network and security.

I monitor my network traffic every day, and feel confident every day that I am in safe hands with Sophos.

So since I added my network switch behind the firewall, made it work with Layer 3 security, and added the WiFi access point to the switch, I had to reset all my WiFi-based devices.

All the wireless devices are now behind the firewall, and all that is awesome.

However, the Amazon Echo had some issues: although it would respond to questions, a few things would fail, especially things like setting a timer. Each time we set up a timer on the Echo, it would never go off. Amazon tech support had no idea why this was happening.

While researching here on the forum, I found a similar post from a member complaining about dropped packets.

https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/46983/exception-rule-s-for-amazon-echo

Taking the advice from the other member, I have created a new rule:

 Internal (network) --> Any --> Internet IPv4.

After having done so, the Amazon Echo is now working perfectly as desired. No issues with timers or alarms either.

However, I am a bit paranoid about this rule. Is it safe enough? I am opening up the internal network to any IPv4 network on the internet.

Do I need to add another, more finely granular rule for the Amazon Echo itself, and delete this generic rule?

I just don't want to open up a huge Pandora's box for one bit of functionality on my device and expose my home network to hackers.

  • The rule above does what it says on the tin. It allows access from your internal network to any network on the internet using any service.

    That's it. It does not allow anybody from outside to initiate a connection to anything on your internal network. It's basically the same as what most consumer routers do for ease of use.

    Now, the only issue with the rule is that if you get malware on your internal network, eg via email or a download, that rule will apply to the malware. Once activated, it will be allowed to communicate with anything on the internet. Once it has established a connection outbound, the peer at the other end will be allowed to connect inbound.

    It sounds as though you are new to all of this, and you are asking some very valid questions with regard to security which mostly go over people's heads. I imagine you will start tinkering with this and have a bit of fun, so the golden rule with firewall rules is:

    The rules are queried from a top-down position, ie it will try rule 1, then rule 2, then rule 3 etc. The important bit: it will keep going until it matches a rule, then stop and not query the rules any more. If no rule is matched, it gets to the bottom of the rule list, which normally has an explicit deny rule, ie the packets get dropped, which results in no connection.

    So in your above example, if your new rule is at the top, it doesn't matter if you put a tighter rule underneath, as the first one will match.

    Now, you can put a rule above that, eg internal > http > internet. Now everything on your internal LAN using http will work with this rule.
    Will it block the other traffic? NO, because anything using https, for example, will not match the first rule but will then try the 2nd rule, ie internal > any > internet, and will then match that. If you disable this rule (by using the slider), you will then find that all other traffic will be blocked.
    WHY? Because it has tried the first rule and has no match, and then finally gets to the bottom and hits the implicit deny rule.

    If you grasp this concept, you will have great fun with FW rules although they can get complicated as you build them.

    Please remember that as you enable other features on the UTM, eg web proxy, they can have a bearing on what is allowed through, eg web traffic flows but there is no FW rule to allow it.

    There is also a thread on this forum called RULZ which people have taken a long time and effort to put together. It is an extremely valid piece of information with regard to the UTM, and my advice would be to read it and then read it again. It will make your life so much easier if you are aware of what I call the UTM gotchas...

    Have a great time with the UTM and remember it can be as complicated or as simple as you want. Strive for the latter to achieve the former.

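As an added illustration of the top-down, first-match evaluation and the deny-at-the-bottom behaviour the reply above describes (example code, not from the thread or from Sophos): a small Python model of a rule list. Network and service names are illustrative strings, not UTM object definitions, and the shadowing check goes one step beyond the reply by reporting any tighter rule that a broad rule above it makes unreachable.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str              # source network, or "any"
    service: str          # service (e.g. "http", "https"), or "any"
    dst: str              # destination network, or "any"
    enabled: bool = True  # the on/off slider in the rule list

def matches(rule, src, service, dst):
    """A field matches when the rule says 'any' or names exactly that value."""
    return all(want in ("any", got) for want, got in
               ((rule.src, src), (rule.service, service), (rule.dst, dst)))

def evaluate(rules, src, service, dst):
    """Top-down, first-match: the first enabled rule that matches decides and
    evaluation stops. No match means the packet reaches the default deny."""
    for rule in rules:
        if rule.enabled and matches(rule, src, service, dst):
            return ("accept", rule.name)
    return ("drop", "implicit deny")

def shadowed_rules(rules):
    """Rules that can never fire because an earlier enabled rule already
    covers every packet they would match (a tighter rule under a broad one)."""
    shadowed = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.enabled and matches(earlier, rule.src, rule.service, rule.dst):
                shadowed[rule.name] = earlier.name
                break
    return shadowed

def build_rules(rule2_enabled=True):
    """The two-rule list from the reply: rule 1 only http, rule 2 anything."""
    return [
        Rule("internal > http > internet", "internal", "http", "internet"),
        Rule("internal > any > internet", "internal", "any", "internet", rule2_enabled),
    ]

def walkthrough(rule2_enabled=True):
    """What happens to http, https and an unsolicited inbound connection."""
    rules = build_rules(rule2_enabled)
    return {"http out": evaluate(rules, "internal", "http", "internet"),
            "https out": evaluate(rules, "internal", "https", "internet"),
            "inbound": evaluate(rules, "internet", "ssh", "internal")}

if __name__ == "__main__":
    print("rule 2 enabled: ", walkthrough(True))
    print("rule 2 disabled:", walkthrough(False))
    broad_first = list(reversed(build_rules()))     # broad rule placed on top
    print("shadowed:", shadowed_rules(broad_first))
```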
  • Thanks for your replies, this makes so much sense. Your replies surely motivate me to look deeper into network security with passion and dedication, rather than an urge to follow the crowd and install/set up layers without understanding them.

    I really want to tighten this one rule I have created for the Amazon Echo to work.

    I was thinking, if there is a way where I could find the logs or packets that the Amazon Echo sends and receives each time I ask the Echo for timers, alarms and other generic questions.

    This way, I can just allow only those protocols and packets out of and into the network?

    If you or anyone else here can help me find/locate where I can get that data, I can just post some screenshots or logs only for the Amazon Echo traffic; if you can let me know how I can go about just enabling those rules/packets, it would be great. This way I can disable the previously created generic rule.

    I am sure other members here coming in the future with similar issues will find these tips when looking online here on the forum useful as well.

  • There are a raft of logs within the UTM eg firewall, web protection etc depending on how you have set it up.

    With regards to where the Echo is going, I suspect that you may find that not as straightforward as you think, as it will probably go to multiple addresses on multiple ports.

    Yes, it could be locked down, but it might take a little effort, eg echo > echo ports > echo sites.

    If you are using just the firewall, click into that and you will find "Open live log" near the top. Open that, make your connection on the Echo and watch the logs. You might have to enable "log this connection" in your firewall rule, as the UTM will only log blocked connections until told otherwise.

    If using web protection ie the web proxy, you need to click in there and open that log and then use your echo to see where it's hitting.

    Alternatively (and the best way) is to ssh into the UTM and use tcpdump with the Echo IP as the source. It's a more advanced way, but it's much cleaner and will give you the info you want.

  • First, as Luis suggested, check Rulz. It's the ultimate get-to-know-your-Sophos-device guide, put together by one of the most Sophos-experienced guys I've seen.

    As for your question, it seems the blocking only occurs at the firewall level, so I'm assuming you are not using web protection or this service is not doing HTTP/S.

    For starters, know that the firewall usually only logs dropped packets by the default block rule, so right now your firewall is not logging anything coming out of your internal network and going to the internet, as you most likely did not enable logging on your rule. To start logging and restrain this logging only to your Amazon Echo device, create a rule allowing communication to anything on the internet coming from Amazon Echo device's IP and enable logging on it.

    To do so, you'll need to create a network definition containing your Amazon Echo's IP address and create a firewall rule like the one below, allowing traffic:

    IP_of_amazon_echo_device - Any - Internet IPv4.

    Remember to enable "Log Traffic" under "Advanced" and then put this rule above your previously created rule. This is important: rules are applied in their order, so this rule must be above the other rule you've created to take effect. That way your firewall will log any packets that traverse the UTM coming from your Amazon Echo device.

    Now you need to monitor your firewall log: expand Network Protection / Firewall / click on Live Log and look for the lines coloured green. Those should be the packets from your Amazon Echo device. Use your device a bit and monitor for a while, taking note of all protocols, ports, and destination addresses. Then tweak your rule, replacing "Any" and "Internet IPv4" with the ports, protocols and destinations you have collected. You'll need to disable your "Internal Network - Any - Internet IPv4" rule to test your tweaked rule properly.

    Keep in mind that you might have to allow multiple destination addresses owned by Amazon to make this work. When it comes to Amazon I usually track down the destination IP, run a Whois on it to get the whole network space and allow the whole network space as destination, as those services are usually using multiple servers hosted at Amazon.

    Enjoy your Sophos experience!

    Regards - Giovani

  • Hi, and welcome to the UTM Community!

    As Louis said, check the Rulz. #1 is the place to look for this issue, although you already know it was an implicit firewall rule denying access - look for fwrule="60003" (and maybe fwrule="60002") in the Firewall log file.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
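To make the log-watching procedure from Giovani's reply and the fwrule="60003"/"60002" hint from Bob's reply concrete, here is an added example (not from the thread or from Sophos) that parses constructed lines in the key="value" layout of the UTM packetfilter log, keeps only the Echo's packets, and splits them into what the logging rule accepted (grouped by protocol and port, with the destinations seen) and what the default-deny rules dropped. The Echo address, the destination addresses (TEST-NET ranges), rule id 3 and the exact field set on each line are assumptions made for the example.

```python
import re
from collections import defaultdict

ECHO_IP = "192.168.1.50"                 # placeholder: the Echo's LAN address
DEFAULT_DENY_RULES = {"60002", "60003"}  # rule ids Bob points to for the implicit deny
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed sample lines in the key="value" style of the UTM packetfilter log;
# rule 3 is the assumed "Log Traffic" rule, addresses are TEST-NET placeholders.
SAMPLE_LOG = """\
2017:03:12-10:15:01 utm ulogd[5123]: id="2001" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" srcip="192.168.1.50" dstip="203.0.113.10" proto="6" srcport="41022" dstport="443" tcpflags="SYN"
2017:03:12-10:15:02 utm ulogd[5123]: id="2001" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" srcip="192.168.1.50" dstip="203.0.113.11" proto="6" srcport="41023" dstport="443" tcpflags="SYN"
2017:03:12-10:15:03 utm ulogd[5123]: id="2001" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" srcip="192.168.1.50" dstip="198.51.100.5" proto="17" srcport="49200" dstport="123"
2017:03:12-10:15:04 utm ulogd[5123]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" srcip="192.168.1.50" dstip="203.0.113.99" proto="6" srcport="41030" dstport="40317" tcpflags="SYN"
2017:03:12-10:15:05 utm ulogd[5123]: id="2001" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" srcip="192.168.1.77" dstip="198.51.100.20" proto="6" srcport="50000" dstport="80" tcpflags="SYN"
"""

KV = re.compile(r'(\w+)="([^"]*)"')

def parse(line):
    """Turn one packetfilter line into a dict of its key="value" fields."""
    return dict(KV.findall(line))

def summarise(log_text, host_ip):
    """For one source host, group accepted packets by (proto, dstport) ->
    destination IPs, and separately what the default-deny rules dropped.
    That is the data needed to replace Any / Internet IPv4 in the rule."""
    allowed, dropped = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        f = parse(line)
        if f.get("srcip") != host_ip:
            continue                       # other LAN hosts are out of scope
        key = (PROTO_NAMES.get(f["proto"], f["proto"]), f.get("dstport", "-"))
        if f.get("action") == "accept":
            allowed[key].add(f["dstip"])
        elif f.get("fwrule") in DEFAULT_DENY_RULES:
            dropped[key].add(f["dstip"])   # not covered by the tightened rule
    return dict(allowed), dict(dropped)

def proposed_services(allowed):
    """Service definitions a tightened 'Echo -> services -> hosts' rule needs."""
    return sorted(f"{proto}/{port}" for proto, port in allowed)

if __name__ == "__main__":
    allowed, dropped = summarise(SAMPLE_LOG, ECHO_IP)
    print("services:", proposed_services(allowed))
    for key, hosts in sorted(allowed.items()):
        print("allow", key, "->", sorted(hosts))
    print("dropped by default deny:", dropped)
```

Destinations collected this way are single addresses; the reply's suggestion of a whois lookup to widen them to the owning network block is a manual step outside this script.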