
New Drop all Rule in V 18

I just noticed that Sophos added a (disabled) Drop All rule in V18. 

AFAIK in V 17.5 you had to add this manually (Explicit Deny), and it was necessary to add all Zones manually so that all packets were captured.

Is this restriction gone, as well as the need to create an Explicit Deny rule, if you want to see the dropped packets in the event log once you activate Drop All and activate the logging?

Regards,
Bernd



This thread was automatically locked due to age.
  • It's not disabled. The Drop All rule is simply a rule at the bottom, which indicates to the administrator that there is an implicit deny. Logging is not possible until you build your own rule, as you did.


  • What do you get when you enable log invalid traffic, doesn't that come from the default drop?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Why isn't logging enabled on the default Drop rule? This makes no sense to me.

  • The logging of Sophos XG is improvable anyway (in many ways) ...

    But I see that logging everything, without the possibility to deselect, would create very big logs.

    So the Drop All just makes visible what was invisible in Version 17.x.

    However I do not see the point why this is necessary. Most other firewalls have a "normal" deny rule at the end.

    (Theoretically it is also possible to program most firewalls to allow everything that is not forbidden. This is not possible with Sophos with the old and new implicit deny. We see the two approaches also in other paradigms in IT: websites, filesystems, ...)

  • Simply to show the administrator, so he does not have to do it. You never know which person is sitting in front of the webadmin. Some products on the market do not have this default drop. So they configure one, as they do not see any drop rule.

    This rule (0) is simply to show the administrator, there is something, which picks up all traffic in the end and drops it. 


  • This is something, which will be enabled in the future. 


  • Invalid Traffic is traffic which does not match conntrack (existing sessions). Hence it's invalid. Default drop is traffic which does not have a session in the first place.

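To make the distinction in the last reply concrete (invalid traffic is rejected by connection tracking before any rule is consulted, while the default drop is the implicit deny that a new connection hits after walking every allow rule), here is a toy stateful filter. This is an added example, not Sophos code and not a description of XG internals: the zone names, addresses, rule and the two logging switches are constructed for the demo, and the model collapses real conntrack state to a session set keyed on source, destination and port.

```python
"""Toy stateful packet filter: 'invalid' versus 'default drop'.

Added example, not Sophos code. Models a simplified netfilter-style
pipeline: conntrack lookup first, then the explicit allow rules for NEW
connections, then the implicit deny at the bottom (the visible 'Drop All'
rule 0 discussed in the thread). Logging of invalid traffic and logging
on the default drop are deliberately two separate switches, because in
the thread they are two separate settings producing two log streams.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src: str
    dst: str
    dport: int
    flags: str  # "SYN" opens a session; "ACK"/"PSH-ACK" continue one; "RST" closes it


@dataclass
class AllowRule:
    name: str
    src_zones: Set[str]
    dport: int


@dataclass
class Firewall:
    rules: List[AllowRule]
    log_invalid: bool = False        # the "log invalid traffic" switch
    log_default_drop: bool = False   # logging on the bottom "Drop All" rule
    sessions: Set[Tuple[str, str, int]] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        # 1. Connection tracking: packets of a known session never reach the rule table.
        if key in self.sessions:
            if pkt.flags == "RST":
                self.sessions.discard(key)
            return "ACCEPT:established"
        # 2. A non-SYN packet with no tracked session cannot be placed in any
        #    session, so conntrack classes it INVALID and it is dropped before
        #    the rule walk. This never hits the default drop rule.
        if pkt.flags != "SYN":
            if self.log_invalid:
                self.log.append(
                    f"INVALID src={pkt.src} dst={pkt.dst}:{pkt.dport} flags={pkt.flags}")
            return "DROP:invalid"
        # 3. New connection: walk the explicit allow rules in order.
        for rule in self.rules:
            if pkt.src_zone in rule.src_zones and pkt.dport == rule.dport:
                self.sessions.add(key)
                return f"ACCEPT:new:{rule.name}"
        # 4. Nothing matched: the implicit deny at the bottom. It only produces a
        #    log line when logging is enabled on that rule.
        if self.log_default_drop:
            self.log.append(
                f"DEFAULT-DROP zone={pkt.src_zone} src={pkt.src} dst={pkt.dst}:{pkt.dport}")
        return "DROP:default"


def run_demo(log_invalid: bool, log_default_drop: bool):
    """Run a constructed packet sequence and return (verdicts, log lines)."""
    fw = Firewall(rules=[AllowRule("LAN-to-WAN-HTTPS", {"LAN"}, 443)],
                  log_invalid=log_invalid, log_default_drop=log_default_drop)
    pkts = [  # constructed sample traffic, addresses from documentation ranges
        Packet("LAN", "10.0.0.5", "203.0.113.10", 443, "SYN"),      # new, allowed by rule
        Packet("LAN", "10.0.0.5", "203.0.113.10", 443, "PSH-ACK"),  # continues that session
        Packet("WAN", "198.51.100.7", "10.0.0.5", 443, "ACK"),      # stray ACK, no session: invalid
        Packet("WAN", "198.51.100.7", "10.0.0.5", 22, "SYN"),       # new, no rule: default drop
        Packet("DMZ", "172.16.0.9", "10.0.0.5", 443, "SYN"),        # zone not in any rule: default drop
    ]
    verdicts = [fw.filter(p) for p in pkts]
    return verdicts, fw.log


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        verdicts, log = run_demo(*flags)
        print(f"log_invalid={flags[0]} log_default_drop={flags[1]}")
        print("  verdicts:", verdicts)
        print("  log:", log or "(nothing logged)")
```

With both switches off, the two default-dropped SYNs and the stray ACK are all silently discarded, which is the situation the original post describes for rule 0 in V18. Turning on invalid-traffic logging alone surfaces only the stray ACK; the SYNs that matched no rule still leave no trace until logging is enabled on the bottom drop rule (or, as in 17.5, an explicit deny rule covering the relevant zones is added above it).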