Sophos Firewall Rule Not Matching: Check Causes
If a firewall rule is not matching, it is rarely because the firewall is “broken.” Usually, a condition does not fit, a more general rule is above it, NAT changes the view of the traffic, user matching is not fulfilled, or logging is not properly activated.
This checklist helps to proceed systematically instead of randomly tweaking rules.
Orientation
Start with a clear test case before changing rules or security features.
Which Article Fits?
Rule issues quickly overlap with NAT, routing, VPN, Device Access, or security features. For analysis, it should first be clear which level is affected:
- Understand a firewall rule from scratch: Understand and Properly Configure Sophos Firewall Rules
- Test individual connection with Log Viewer, Policy Tester, and Packet Capture: Test Firewall Rule with Log Viewer, Policy Test, and Packet Capture
- NAT, SNAT, DNAT, MASQ, or PAT is involved: Understand NAT on Sophos Firewall
- A server is published from the internet via DNAT: Publish Server via DNAT
- Access is to WebAdmin, VPN Portal, SSH, DNS, or SNMP of the firewall: Properly Configure Device Access
- Route, SD-WAN, or return path is unclear: Adjust Routing Priority on Sophos Firewall
- Packets need to be checked directly on the firewall: Use Packet Capture in WebAdmin
This separation is important because a firewall rule does not control every type of access. Local services of the firewall, NAT decisions, routing, and security features have their own checkpoints.
Quick Narrowing
At the beginning, you should not immediately move rules or change objects. First, narrow down where the traffic is lost.
- Rule counter remains
0: Rule position, zone, source, destination, service, or schedule does not fit - Log Viewer shows a different rule: A more general or automatically generated rule is higher up
- Log Viewer shows nothing: Logging is missing or the traffic does not reach the firewall
- Packet Capture sees no packet: Problem is before the firewall: client, VLAN, switch, gateway, provider, or cloud security group
- Packet Capture sees packets but no forward: Firewall rule, NAT, routing, or security feature blocks
- Packet Capture sees forward but no response: Check return route, target system, NAT, or external firewall
This separation saves time. If the firewall does not see a packet, no change to a firewall rule will help. If the Log Viewer shows a different Rule ID, the order is more important than the affected target rule. If packet flow and Rule ID are correct, the analysis shifts to NAT, return path, or security features.
Define Test Case Clearly
A rule can only be meaningfully tested if the test case is clear. Statements like “Internet doesn’t work” or “VPN doesn’t work” are too broad. For troubleshooting, a specific flow is needed.
Before the test, it should be clear:
- Source IP: Client
10.10.20.35 - Source zone:
LAN,VPN,DMZ, or custom zone - User: Authenticated user or no user matching
- Destination: Server IP, FQDN, public IP, or WAN object
- Service: TCP
443, UDP53, ICMP, custom service - Expected rule: Rule name or Rule ID, if known
- Expected NAT rule: NAT Rule ID or rule name, if NAT is involved
- Test time: Exact time for Log Viewer and later log files
Then the same test is repeated. If during the analysis the source IP, destination, DNS resolution, or port changes, you are no longer comparing the same case.
Combine Analysis Tools Correctly
Sophos Firewall offers several tools that answer different questions. None of them alone is complete proof.
- Rule counter: Does the new test traffic fundamentally hit the rule? Does not show why an application still fails
- Log Viewer: Which Rule ID, NAT Rule ID, action, user, or security function was logged? Depends on logging and session end
- Policy Tester: Which policy logic would apply for a defined flow? Does not replace real packet flow and does not fully map SD-WAN
- Packet Capture: Do packets arrive, are they forwarded or dropped? Does not explain every application layer and needs tight filters
- Service logs: Does a module like Web, IPS, Authentication, or VPN have its own problem? Only useful when the affected service is narrowed down
For a reliable finding, combine at least Log Viewer and a real test. In case of contradictory results, Packet Capture is usually the next step because it shows whether packets actually arrive and continue.
Decision Tree for the First Test
For the first analysis, a short decision tree is often sufficient. It prevents working on rules, NAT, and routing simultaneously right away.
- Packet Capture sees no packet: Check client, VLAN, switch, gateway, provider, cloud security group, or upstream firewall
- Packet Capture sees packet, Log Viewer remains empty: Check logging, log type, session end, and appropriate BPF filter
- Log Viewer shows different Rule ID: Compare rule order, zones, source, destination, service, and schedule
- Firewall Rule ID matches, NAT Rule ID does not: Check NAT order and
Originalfields - Rule ID and NAT ID match, but no response comes back: Check return route, target system, local firewall on the server, or external block
- Rule only matches for certain users: Check user matching, group, authentication, and clientless user
This keeps the analysis controlled: First, prove whether the traffic reaches the firewall. Then check which rule and which NAT rule actually apply. Only when these two points are correct does it make sense to search for return path, security features, or application layer.
Understanding Rule Matching
Sophos Firewall processes rules in order. The first suitable rule wins.
First Principle: The First Matching Rule Wins
Sophos Firewall processes firewall rules from top to bottom. As soon as a rule matches, subsequent rules are no longer checked. The same basic principle also applies to NAT rules.
Important:
- The position in the list determines the evaluation.
- The Rule ID is only a reference and says nothing about the current order.
- Rule groups help with the overview but are not their own match logic.
- A general rule above can completely “swallow” a specific rule below.
If a rule is not matching, check the position first.

Reset Rule Counter
In case of unclear hits, it helps to reset the rule counter.
- Open Rules and policies > Firewall rules.
- Find the affected rule.
- Open the three-dot menu.
- Select Reset data transfer count.
- Reproduce the traffic.
- Check the counter after the test.

If the counter does not increase, the rule is not matching. If it increases but the application still does not work, the problem is more likely with security profiles, NAT, routing, return path, or target system.
Check Matching Fields
A firewall rule only matches if all relevant criteria fit.
- Source zones: Wrong zone, VLAN is in another zone, VPN traffic comes from
VPN - Source networks and devices: Wrong object, wrong IP, host group incomplete
- Destination zones: Wrong destination zone, especially with DNAT or VPN
- Destination networks: Pre-NAT and post-NAT view confused
- Services: Port missing, TCP/UDP confused, application uses additional ports
- Users or groups: User is not authenticated or wrong group
- Schedule: Schedule does not currently fit
- Exclusions: Traffic is excluded from the rule and processed further below

For web traffic, you should also check if QUIC is active. If browsers send traffic over UDP 443, some web filter and scanning expectations apply differently than with classic HTTPS over TCP.
More on this: Sophos Firewall and the QUIC Protocol.
Do Not Overlook DNS, FQDN, and IPv6
A rule can look correct and still not match if the client reaches a different target than expected. This often happens with FQDN objects, split DNS, CDN services, IPv6, or applications that use multiple targets in parallel.
Before changing rules, you should check:
- Which IP does the client actually resolve?: DNS cache, split DNS, or another resolver can deliver a different address than expected.
- Is it IPv4 or IPv6?: IPv4 rules do not match IPv6 traffic. If clients prefer IPv6, the IPv6 side must be checked separately.
- Is an FQDN host used in the firewall?: The firewall must resolve the FQDN and know the current target IP. CDN or cloud services can deliver multiple changing IPs.
- Does the application use additional targets?: Login, API, updates, telemetry, or media paths can use different domains and ports than the main application.
- Does an internal client use the public name of an internal service?: Then split DNS, loopback NAT, or incorrect public resolution are possible causes.
For troubleshooting, it is crucial not only to note the hostname but to compare the actually used target IP in the Log Viewer or Packet Capture. If a rule points to a specific FQDN or host object, but the client uses a different IP, the rule will not match.
For internal name resolutions, clean DNS request routes help. The procedure is described in Set Up DNS Request Routes on Sophos Firewall. If IPv6 is active in the environment, you should also check whether IPv6 is consciously planned and the appropriate policy is in place. Basics on this are in Set Up IPv6 Prefix Delegation on Sophos Firewall.
A common special case is FQDN objects. If clients prefer IPv6, but a rule only uses IPv4 objects or an FQDN host with IPv4 resolution, the actual IPv6 flow will not match. The rule then looks technically correct, but it does not process the traffic that is actually on the wire. In such cases, DNS answer, IP version, and policy should be checked separately.
Traffic to the Firewall Itself Is a Special Case
Not every access to a Sophos Firewall is controlled by normal firewall rules. If the client is to reach the firewall itself, for example, WebAdmin, User Portal, VPN Portal, SSH, IPsec, SSL VPN, DNS, or SNMP, Device Access and Local service ACL are crucial.
Typical examples:
- WebAdmin from LAN or WAN: Device Access, Local service ACL, MFA, admin permission
- VPN Portal or User Portal: Device Access, portal configuration, user permission
- SSH to the firewall: Device Access, Local service ACL, admin rights, source network
- SSL VPN or IPsec dial-in: Device Access for the appropriate zone, VPN configuration, authentication
- DNS to the firewall: Device Access, DNS configuration, request path
- SNMP to the firewall: Device Access, SNMP configuration, monitoring source
If a firewall rule does not match for such traffic, it is often not a rule error. The traffic ends on the firewall and is treated as a local service. For hardening these services, Secure Sophos Firewall Access: Properly Configure Device Access is the central article. For portals, additionally, Overview of Sophos Portals fits.
Check NAT, DNAT and IDs
For DNAT traffic, firewall rules and NAT rules must be read together.
Read DNAT Correctly
With DNAT, the view in firewall rules is particularly important. As a rule of thumb, remember:
Firewall rules for DNAT traffic use the destination zone after NAT, but the destination IP before NAT.
Example:
- External client connects to the WAN IP of the firewall.
- NAT translates to an internal server in the
DMZ. - The firewall rule uses the destination zone of the internal server, such as
DMZ. - The destination network remains the public IP or WAN object that the client addressed.
If this combination is wrong, the NAT rule may look correct, but the firewall rule still does not match.
More on this: Publish Server via DNAT on Sophos Firewall.
Check NAT Rules
NAT does not allow traffic. NAT only translates. It always needs an additional matching firewall rule.
Under Rules and policies > NAT rules, you should check:
- Is the appropriate NAT rule above more general NAT rules?
- Is the rule active?
- Do original source, destination, and service match?
- Do translated source, destination, and service match?
- Is
MASQor a fixed SNAT IP used? - Is there a linked NAT rule that unexpectedly applies?
- Is there a generic SNAT rule that matches before a more specific rule?
Sophos generally recommends standalone NAT rules for simple environments instead of creating a linked NAT rule per firewall rule.
More on this: Understand NAT on Sophos Firewall: SNAT, DNAT, MASQ, PAT.
Read Firewall Rule ID and NAT Rule ID Together
When NAT is involved, the question “Which firewall rule applies?” is not enough. A connection can hit the expected firewall Rule ID but still run over a wrong NAT Rule ID. Conversely, a NAT rule can look correct while a more general firewall rule above already processes the traffic.
For the test, you should note in advance:
- Expected Firewall Rule ID: Shows whether the correct firewall rule allows or blocks the traffic
- Expected NAT Rule ID: Shows whether the correct SNAT, DNAT, MASQ, or PAT rule translates
- Actual IDs in Log Viewer: Proves whether the firewall processes the flow as planned
- IDs in Packet Capture: Helps if the Log Viewer seems incomplete or the return path is unclear
The interpretation is relatively simple but saves a lot of search time:
- Firewall Rule ID matches, NAT Rule ID is wrong: Check NAT order,
Originalfields, and more general NAT rules - NAT Rule ID matches, Firewall Rule ID is wrong: Check firewall rule order, zones, source, destination, and service
- Both IDs match, connection still fails: Check return path, target server, security feature, or application
- No NAT Rule ID visible, although NAT is expected: Recheck test flow, NAT criteria, direction, and logging
It is important not to immediately rebuild both rule sets simultaneously. First, decide whether the problem lies in firewall matching or NAT matching. Only then should you change a specific rule position, object, or field. The more detailed NAT evaluation is in the section Read Firewall Rule ID and NAT Rule ID Correctly.
Check Users, Routing and Security Features
User matching, routing, NAT, logging and security profiles can all affect whether a rule applies.
Check User Matching and Authentication
Rules with user or group matching often look correct but only apply if the firewall can actually assign the user to the traffic at that moment.
To check:
- Is the user visible in the Log Viewer?
- Does the traffic come from the expected device or another client?
- Is the user in the correct firewall group?
- Does AD SSO, STAS, Captive Portal, RADIUS, or Entra ID SSO work?
- Does a rule without user matching apply above the planned user rule?
- Are there clientless users that are treated differently?
- Is MFA or portal access successful, but the firewall rule for the actual user traffic wrong?
For remote access, you should separate user problems and VPN problems. A user can log in successfully but still not reach an internal application if the VPN pool, firewall rule, NAT, or routing does not fit. For AD basics, Add Active Directory on Sophos Firewall fits, for Entra-based remote access scenarios Microsoft Entra ID SSO for Sophos Connect and VPN Portal. If the user is logged in via Captive Portal with Entra ID SSO, Set Up Microsoft Entra ID SSO for Sophos Firewall Captive Portal fits.
Separate User Login and Rule Matching
A successful login at the VPN Portal, User Portal, Captive Portal, or via Microsoft Entra ID SSO does not yet prove that the planned user rule matches the actual traffic. The login first only confirms authentication. Then the firewall must correctly combine the user, source IP, group, and traffic flow.
For analysis, you should separately check:
- User logs in, rule counter remains
0: Check VPN pool, source zone, source network, group condition, or rule position - User field in Log Viewer is empty: Check STAS, Captive Portal, AD SSO, Entra ID SSO, or clientless user
- User is visible, but wrong rule applies: Check rule order, group filter, or more general rule above
- Only VPN users are affected: Check zone
VPN, VPN pool, SSL/IPsec configuration, and Sophos Connect profile - Only individual users are affected: Compare UPN, email address, imported group, and firewall group
In local AD environments, STAS and Add Active Directory on Sophos Firewall help. In Entra-based setups, depending on the login path, Microsoft Entra ID SSO for Sophos Connect and VPN Portal or Entra ID SSO for Captive Portal should be checked. If many users or clientless users are involved, the Sophos Firewall User-ID Limit may also become relevant.
Check Routing and SD-WAN
If the rule matches but the connection does not work, routing may be the problem.
Check:
- Is there a suitable default route?
- Is there a static route?
- Does an SD-WAN route apply?
- Is the gateway active?
- Are there return routes on the target system or in the remote network?
- Is the return path symmetrical?
- Does traffic go over VPN, MPLS, or another interface than expected?
Important: The Policy Tester does not fully map SD-WAN routing. It is very helpful for firewall, SSL/TLS, and web policy decisions but does not replace a real packet flow test.
More on this: Adjust Routing Priority on Sophos Firewall.
Enable Logging
Without logs, troubleshooting becomes tedious. Check two places:
- In the firewall rule, Log firewall traffic must be enabled.
- Under System services > Log settings, the appropriate log type must be enabled locally, for Sophos Central, or for Syslog.
The Log Viewer typically shows firewall sessions when the firewall ends a connection and receives a Destroy event. If an internet connection simply drops, it may be that not every session appears as expected.
Open the Log Viewer at the top right in the WebAdmin console. Useful filters are:
- Source IP
- Destination IP
- Port or service
- Rule ID
- Rule name
- Action
- User
- NAT rule ID

More on this: Sophos Firewall Troubleshooting: Services and Logs.
Use Packet Capture
If Log Viewer and rule counter are not enough, use Diagnostics > Packet capture.
The most important question is whether the packet arrives, is forwarded, or already gets stuck on the firewall.

- No packet arrives: Problem is before the firewall: client, switch, VLAN, gateway, provider, cloud security group
- Packet comes in but does not go out: Check firewall rule, NAT, routing, or security feature
- Packet goes out but no response comes back: Check return route, target system, NAT, or external block
- Packet is shown with
Violation: Policy or security feature blocks - Packet shows NAT ID and Rule ID: Compare rule and NAT hits specifically
More on this: Use Packet Capture Tool in WebAdmin.
Do Not Change Multiple Things at Once
With rule problems, it is tempting to adjust position, service, NAT, web policy, and routing simultaneously. This sometimes temporarily solves access but makes the cause difficult to trace later.
Better is a step-by-step approach:
- Note the initial state: Rule ID, NAT ID, source, destination, service, time.
- Make exactly one change.
- Repeat the test with the same source IP and destination.
- Compare Log Viewer and Packet Capture again.
- Document the result.
- Only then check the next change.
For productive rules, it should also be clear whether a change is permanent or only serves as a test rule. Temporary rules should have an owner and an expiration date, otherwise, they often remain in the rule set for years.
Check Security Features Individually
If the rule matches but the application does not work, a protection profile may intervene:
- Web Policy
- SSL/TLS inspection rule
- Decryption Profile
- IPS Policy
- Application Control
- Malware Scan
- Zero-day protection
- Security Heartbeat
- Traffic Shaping
For tests, you cannot disable everything permanently. It is better to briefly check specifically, observe the Log Viewer, and then cleanly fix the cause. For TLS Inspection, the article Roll Out TLS Inspection on Sophos Firewall Step by Step helps.
For productive rules, you should not consider security features as a collective block. It is better to narrow down one module after another:
- Web category or URL is blocked: Check web policy, category, exception, and Log Viewer
- Application is misidentified: Check application control and IPS log
- HTTPS page only loads without inspection: Check SSL/TLS inspection rule, CA distribution, decryption profile, and exceptions
- Connection breaks with large data: Check MTU/MSS, VPN path, fragmentation, and Packet Capture
- Hits in IPS or Zero-day Protection: Evaluate signature, policy, target system, and false-positive risk
- Only individual users affected: Check user matching, security heartbeat, group, and authentication
If a protection profile is removed for a test, the change should be narrowly limited: only the affected source, only the specific target, only for the test period. Then restore the original protection effect or document a targeted exception.
Check Change History
If a rule worked yesterday and no longer works today, do not only check the current rule content. Often an object, rule position, NAT rule, group, service, or Central policy was changed shortly before.
Practical checks:
- Was the firewall rule itself changed?: Audit Trail, Config Studio, rule description
- Was a referenced object changed?: Hosts and services, Audit Trail, Config Studio
- Was the rule position moved?: Firewall rule list, Audit Trail
- Was a Central policy pushed?: Sophos Central Task Queue and local firewall view
- Was a NAT rule or SD-WAN route changed?: NAT rules, routing, Audit Trail, Packet Capture
For traceability, Check Sophos Firewall Audit Trail Logs and Use Sophos Firewall Config Studio fit. If the change comes from Sophos Central, also check the Sophos Central Firewall Management Task Queue.
Practical Process and Typical Causes
Most rule-matching problems can be narrowed down quickly with a fixed troubleshooting sequence.
Common Causes
- Rule counter remains 0: Rule position, source zone, destination zone, or service wrong
- Log shows different rule: More general rule is above
- No log visible: Logging not active or traffic does not reach the firewall
- DNS works, web does not: Check service, web policy, TLS inspection, or QUIC
- Hostname fits, but target IP is different: Check DNS, FQDN object, split DNS, CDN, or IPv6
- HTTPS is not scanned: No suitable SSL/TLS inspection rule or CA not distributed
- DNAT does not work: Firewall rule uses wrong destination zone or wrong destination network
- VPN traffic does not match: Check zone
VPN, route, tunnel interface, or XFRM context - Only some users affected: Check user matching, group, SSO, captive portal, or heartbeat
Practical Procedure
- Note problem with source IP, destination, port, user, and time.
- Check rule position.
- Reset rule counter.
- Reproduce test.
- Filter Log Viewer with source IP and destination IP.
- Check NAT rule and routing.
- Start Packet Capture with a tight filter.
- Only check security profile specifically.
- Document change.
For a combined test procedure, see Test Firewall Rule with Log Viewer, Policy Test, and Packet Capture.
Checklist for Rule Troubleshooting
- Defined specific test case with source, destination, service, user, and time.
- Checked rule position and reset rule counter for the test.
- Log Viewer shows the expected Rule ID or a comprehensible other rule.
- DNS resolution, actual target IP, and IP version were matched with the test case.
- For DNAT, destination zone after NAT and destination network before NAT are correctly set.
- NAT Rule ID was checked if NAT is involved.
- Traffic to the firewall itself was separated from traffic through the firewall.
- User matching was only evaluated if the user is visible in the Log Viewer.
- For user rules, login, user assignment, and actual rule decision were evaluated separately.
- Routing, SD-WAN, gateway, and return path were checked.
- Packet Capture shows
Incoming,Forwarded,Violation, or missing response comprehensibly. - Security features were checked individually and not permanently disabled.
- Test changes are documented, and temporary rules have an owner and expiration date.