
Sophos XG Firewall: Invalid Traffic

Disclaimer: This information is posted as-is and the content should be referenced at your own risk

Since SFOS v17.0, there is something called "Invalid Traffic" on XG.

There is a KBA for this topic: https://community.sophos.com/kb/en-us/131754


It's important to understand the TCP handshake and how a connection works in TCP.

There are a couple of explanations available on the internet.


Conntrack (the connection tracking daemon on XG) keeps track of all connections.

  • After the handshake between a client and server is completed, the connection is tracked on the XG.
  • Either side can "kill" this connection. Most likely this will be done with RST (Reset) or FIN (Finish) packets.
  • There are different reasons for a server / client to send such packets.
  • Such packets will close and delete the connection on XG. That's the normal way to act on such packets.
  • But if one side decides to send multiple such packets, or responds to such packets, those extra packets get dropped by XG as Invalid Traffic, because the connection is no longer tracked.

Most likely this is not an issue at all. If a service is not working fine on the server side, the client will kill the session immediately, and such traffic will be displayed as invalid traffic.

There is no issue on the XG at all. It is an issue with the Client / server.


Another point is such "clean up" processes.

  • A web server has a process or scheduled task to kill all "abandoned" sessions.
  • Most likely an abandoned session on a web server is a session which had no traffic in X hours.
  • So the server will start to kill those sessions and send multiple RST/FIN packets to the XG / the client behind the XG.

XG keeps such sessions for 3 hours by default. After 3 hours idle, XG will delete the session. If the web server sends an RST packet after 5 hours, XG will drop such packets as invalid traffic, because there is no longer a tracked connection they belong to.

You can increase the Conntrack Timeout value to 24 Hours. Or you could decide to disable such invalid traffic logging.
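As an added illustration (not Sophos code, and a deliberate simplification of how conntrack really works), the following Python model tracks a handshake, deletes the entry on the first RST/FIN or after the idle timeout, and flags any later packet for that flow as invalid. It reproduces both the "peer answers the RST" case and the 5-hour clean-up RST described above; endpoints, timestamps and flag sets are constructed sample data.

```python
from dataclasses import dataclass

IDLE_TIMEOUT_DEFAULT = 3 * 3600   # 3 hours, the idle timeout the post describes

@dataclass(frozen=True)
class Packet:
    flow: tuple        # constructed direction-agnostic key (client, port, server, port)
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}
    ts: int            # seconds since the start of the constructed trace

class Conntrack:
    def __init__(self, idle_timeout=IDLE_TIMEOUT_DEFAULT):
        self.idle_timeout = idle_timeout
        self.table = {}  # flow -> (state, last_seen)

    def _expire(self, now):
        for flow, (_, seen) in list(self.table.items()):
            if now - seen > self.idle_timeout:
                del self.table[flow]          # idle session removed, like XG after 3 hours
    def handle(self, pkt):
        """Return 'accept', 'closed' or 'invalid' for one packet."""
        self._expire(pkt.ts)
        entry = self.table.get(pkt.flow)
        if entry is None:
            if pkt.flags == {"SYN"}:          # a new handshake starts tracking
                self.table[pkt.flow] = ("SYN_SENT", pkt.ts)
                return "accept"
            return "invalid"                  # no tracked connection: invalid traffic
        state, _ = entry
        if "RST" in pkt.flags or "FIN" in pkt.flags:
            del self.table[pkt.flow]          # first RST/FIN closes and deletes the entry
            return "closed"
        if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            state = "SYN_RECV"
        elif state == "SYN_RECV" and pkt.flags == {"ACK"}:
            state = "ESTABLISHED"
        self.table[pkt.flow] = (state, pkt.ts)
        return "accept"

def replay(packets, idle_timeout=IDLE_TIMEOUT_DEFAULT):
    ct = Conntrack(idle_timeout)              # fresh tracker, one verdict per packet
    return [ct.handle(p) for p in packets]

FLOW = ("10.0.0.5", 51000, "203.0.113.10", 443)   # constructed sample endpoints
def pkt(flags, ts): return Packet(FLOW, frozenset(flags), ts)
HANDSHAKE = [pkt({"SYN"}, 0), pkt({"SYN", "ACK"}, 0), pkt({"ACK"}, 1)]
# Constructed trace 1: server "clean-up" RST five hours after the last packet.
LATE_RST_TRACE = HANDSHAKE + [pkt({"RST"}, 5 * 3600)]
# Constructed trace 2: RST closes the session, then the peer answers with its own RST.
RST_ECHO_TRACE = HANDSHAKE + [pkt({"RST"}, 2), pkt({"RST"}, 3)]
```

Replaying `LATE_RST_TRACE` with the 3-hour default yields `invalid` for the late RST, while the same trace with `idle_timeout=24 * 3600` yields `closed`, which is the effect of raising the conntrack timeout described above.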


Personal opinion: I disable Invalid Traffic on all my XG Appliances, because I have no value for such logging.
