After upgrading to SFOS 18.0.3 MR-3 our reject or drop rules stopped working for blocking WAN traffic.
I have the following top rule to test, which is not working anymore:
Source zone: Any
Source networks and devices: WAN_TEST - has my test external IP address
That is likely related to this: https://community.sophos.com/xg-firewall/f/discussions/122091/firewall-policy-drop-shows-block-page-on-http-connections/451510#451510
Sophos is working on a fix for this…
Sounds like the traffic is not matching this WAN IP anymore.
If you look at the packet capture, can you see this traffic going out?
Another question, why should this rule match in the first place? XG is aware of the origin of the traffic. Hence you can also block it from the traffic origin and not on the WAN Port.
I had a Sophos support engineer on the line for 1h and this issue has been escalated now as he confirmed reject/drop rules are not working on my appliance.
If you have migrated to 18.0.3 MR-3 check if your reject/drop rules are still working - just as a precaution.
Can you show us the logviewer and the firewall Rule as a screenshot?
Because I have a guess: that's only 443/80 (web) traffic?
In this test, yes, it is 80/443 traffic. The drop rule is ignored and I can see that the traffic goes to the web publishing rule for a web server.
Sophos is working on a fix for this behavior. Until then, you can simply remove the WAN zone from Source; this should resolve this.
The traffic is not "allowed" in total. The traffic is allowed by firewall and blocked by proxy.
A rule with source zone Any, destination zone Any, service HTTPS is not working as well.
The reject/drop rule is forwarding HTTP/S to the proxy module, which is dropping the traffic. ANY - ANY will have the same issue.
The traffic is dropped (blocked by the proxy) but logviewer shows you the allow, as the firewall allows the traffic to the proxy.
The traffic is not dropped. I will have an escalation engineer looking into it, hopefully today; I will post the outcome.
How did you confirm this is the case?
Can you post conntrack, tcpdump and logviewer screenshots?
Likely the traffic is dropped but shows a block page.
It has been confirmed by a Sophos engineer that this is not working on our appliance, so this is why they have escalated this to the next level. No contact from the escalation engineer has been made as of yet.
Just wanted to understand what is happening, as I still think this is a known behavior and the traffic is in fact not allowed.
But if you do not want to investigate further, I cannot help.