
Sophos Firewall – Detecting dropped packets

Sophos Firewalls can drop packets for various reasons. This article explains how to recognize dropped packets, which tools are available for this, and how common problems can be solved with the appropriate configuration.

Identifying dropped packets

To recognize dropped packets, use the Sophos Firewall log viewer. This shows which modules are responsible for dropping a packet. The most important modules include:

  • Firewall
  • Web filter
  • Application filter
  • Intrusion Prevention System (IPS)
  • Advanced Threat Protection (ATP)
  • Web Protection

By using filters in the Log Viewer, you can search specifically for dropped packets. For example, you can set a filter that shows only packets that were not allowed.

Step-by-step instructions

  1. Open the Log Viewer.
  2. Select the corresponding module (e.g. Firewall).
  3. Add a filter that shows the dropped packets.
    • Set the filter for “Log Subtype” to “Is Not Allowed”.
  4. Analyze the dropped packets based on the messages in the Log Viewer.

Please note that the Log Viewer only saves a limited number of logs and is not suitable for real-time monitoring. For real-time analysis, we recommend using the Packet Capture Tool.

Frequent error messages for dropped packets

Dropped packets can have various causes, which are displayed in the Log Viewer. The most common error messages include:

  • Invalid Packet: TCP RST or TCP FIN packets that are rejected to prevent attacks.
  • No ICMP Record Found: A ping response was received without a corresponding request and was dropped.
  • Could Not Associate Packet to Any Connection: The packet does not belong to any known connection and is dropped.

Another scenario that can lead to dropped packets is asymmetric routing, where the firewall cannot assign the packets correctly.
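The Log Viewer filter described above, applied to a syslog export, as an added example that is not from Sophos or the original article: it parses key=value log lines, keeps every event whose Log Subtype is not Allowed, and tallies the drop reasons and the affected address pairs. The field names and the sample lines are constructed assumptions modelled on the Sophos Firewall syslog format; verify them against your own export.

```python
import re
from collections import Counter

# Constructed sample lines (assumption: key=value syslog style as written by
# Sophos Firewall). Check the field names against a real export.
SAMPLE_LOGS = """\
log_type="Firewall" log_subtype="Allowed" status="Allow" src_ip=10.0.1.20 dst_ip=10.0.2.5 protocol="TCP" message=""
log_type="Firewall" log_subtype="Denied" status="Deny" src_ip=10.0.1.20 dst_ip=10.0.2.5 protocol="ICMP" message="Could not associate packet to any connection"
log_type="Firewall" log_subtype="Denied" status="Deny" src_ip=10.0.2.5 dst_ip=10.0.1.20 protocol="ICMP" message="No ICMP record found"
log_type="Firewall" log_subtype="Denied" status="Deny" src_ip=198.51.100.7 dst_ip=10.0.1.20 protocol="TCP" message="Invalid packet"
log_type="Firewall" log_subtype="Denied" status="Deny" src_ip=10.0.1.21 dst_ip=10.0.2.5 protocol="TCP" message="Could not associate packet to any connection"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def dropped_events(text):
    """Equivalent of the Log Viewer filter 'Log Subtype' -> 'Is Not Allowed'."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e.get("log_subtype") != "Allowed"]


def summarize(text):
    """Count drop reasons and the (src_ip, dst_ip) pairs they affect."""
    drops = dropped_events(text)
    by_reason = Counter(e.get("message", "") for e in drops)
    by_pair = Counter((e.get("src_ip"), e.get("dst_ip")) for e in drops)
    return by_reason, by_pair


if __name__ == "__main__":
    reasons, pairs = summarize(SAMPLE_LOGS)
    for reason, count in reasons.most_common():
        print(f"{count:3d}  {reason}")
    for (src, dst), count in pairs.most_common():
        print(f"{count:3d}  {src} -> {dst}")
```

Point the script at a saved syslog export to get the same overview the Log Viewer filter gives, without its retention limit.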

Using the Packet Capture Tool

The Packet Capture Tool enables a detailed analysis of data traffic. This allows administrators to see which firewall rules and security functions influence the data flow. For example, it can be determined whether the web filter or another security function is blocking the packet.

Step-by-step instructions

  1. Navigate to Diagnostics > Packet Capture.
  2. Configure the packet filter with the relevant IP addresses and protocols.
  3. Activate packet capture while the problem is being reproduced.
  4. Analyze the recorded packets for dropped or blocked connections.

Troubleshooting using examples

The following describes some common scenarios in which packets are dropped, along with the corresponding solutions.

Dropped packets due to firewall rules

Example: An internal computer cannot ping another computer in the network.

  • Use the Packet Capture Tool to check whether the packets are received and forwarded by the firewall.
  • If the packets are not forwarded, a missing firewall rule could be the problem. A new rule that allows ping traffic solves the problem.

Dropped packets due to web filter

Example: A website such as youtube.com is blocked.

  • Check the web filter logs in the Log Viewer.
  • If the website is blocked due to a policy, a new URL group can be created to allow specific websites while others remain blocked.

Best Practices

  • Avoid excessive exceptions: When creating exceptions for web filters, ATP or other security modules, administrators should ensure that network security is not compromised.
  • Regular log monitoring: As the Log Viewer only saves a limited number of logs, it should be checked regularly to see whether dropped packets are critical or can be ignored.
  • Use of real-time tools: The Packet Capture Tool is indispensable for effective troubleshooting, as it provides detailed information about packet traffic in real time.

Video

Further information and detailed instructions can be found in this video.