Avanet

Sophos Firewall rule not matching: check causes

When a firewall rule does not match, the firewall is rarely “broken”. Usually one condition does not fit, a more general rule is above it, NAT changes how the traffic is seen, user matching is not fulfilled or logging is not enabled cleanly.

This checklist helps work systematically instead of changing rules at random.

First principle: the first matching rule wins

Sophos Firewall processes firewall rules from top to bottom. As soon as a rule matches, subsequent rules are no longer checked. The same basic principle also applies to NAT rules.

Important:

  • The position in the list determines evaluation.
  • The Rule ID is only a reference and says nothing about the current order.
  • Rule groups help with overview, but they do not add separate match logic.
  • A general rule above can completely “swallow” a more specific rule below.

If a rule does not match, the position should therefore be checked first.

Figure: Sophos Firewall firewall rules with the rule order highlighted.
The position in the firewall rule list determines evaluation. The first matching rule wins, not the lowest Rule ID.

Reset the rule counter

When matches are unclear, resetting the rule counter helps.

  1. Open Rules and policies > Firewall rules.
  2. Find the affected rule.
  3. Open the three-dot menu.
  4. Select Reset data transfer count.
  5. Reproduce the traffic.
  6. Check whether the counter increases.
Figure: Sophos Firewall three-dot menu with Reset data transfer count.
Reset data transfer count resets the rule counter. Afterwards it is easier to see whether the new test traffic really lands on this rule.

If the counter does not increase, the test traffic is not reaching this rule: either one of its criteria does not fit, or a rule above it has already handled the traffic. If it increases but the application still does not work, the issue is more likely related to Security Profiles, NAT, routing, the return path or the target system.

Check matching fields

A firewall rule only matches when all relevant criteria fit.

Field and typical mistakes:

  • Source zones: wrong zone, the VLAN sits in another zone, VPN traffic arrives from the VPN zone rather than from LAN
  • Source networks and devices: wrong object, wrong IP, incomplete host group
  • Destination zones: wrong destination zone, especially with DNAT (the post-NAT zone of the server) or VPN
  • Destination networks: pre-NAT and post-NAT view confused
  • Services: missing port, TCP/UDP mixed up, application uses additional ports
  • Users or groups: user is not authenticated or is in the wrong group
  • Schedule: the schedule does not currently apply
  • Exclusions: traffic is excluded from the rule and processed further below
Figure: Sophos Firewall firewall rule with Source, Destination and Services.
A firewall rule only matches when Source zone, Source networks and devices, Destination zones, Destination networks, Services and Schedule all fit at the same time.

For web traffic, also check whether QUIC is in play. QUIC carries HTTP/3 over UDP 443, so a service object that only contains TCP 443 does not match it, and web filtering and scanning that expect classic HTTPS over TCP do not see the connection the same way.

More details: Sophos Firewall and the QUIC protocol.

Read DNAT correctly

With DNAT, the view in firewall rules is especially important. As a rule of thumb:

Firewall rules for DNAT traffic use the destination zone after NAT, but the destination IP before NAT.

Example:

  • An external client connects to the WAN IP of the firewall.
  • NAT translates to an internal server in the DMZ.
  • The firewall rule uses the zone of the internal server as Destination zone, for example DMZ.
  • The Destination network remains the public IP or WAN object that the client contacted.

If this combination is wrong, the NAT rule may look correct, but the firewall rule still does not match.
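To make the two points above concrete (first matching rule wins, and the DNAT view of post-NAT zone plus pre-NAT destination IP), here is an added example. It is illustration code written for this article, not Sophos code or output, and the zone ranges, IP addresses, rule names and Rule IDs in it are assumed. The first demo shows a general rule above "swallowing" a more specific block rule below it even though the block rule has the lower Rule ID; the second shows that a DNAT firewall rule matches with Destination zone DMZ and the public IP as Destination network, and never matches when the internal server IP is used instead.

```python
"""Added example (not Sophos code): top-to-bottom first-match evaluation and the
DNAT view (post-NAT zone, pre-NAT destination IP). Zone ranges, IPs, rule names
and Rule IDs are assumed for illustration."""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout: which networks belong to which zone. WAN is the catch-all.
ZONES = {
    "LAN": ["192.168.10.0/24"],
    "DMZ": ["172.16.10.0/24"],
    "WAN": ["0.0.0.0/0"],
}

def zone_for(ip):
    """Return the most specific zone containing ip (WAN as the catch-all)."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "WAN", -1
    for zone, nets in ZONES.items():
        for n in nets:
            net = ipaddress.ip_network(n)
            if addr in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best

def in_nets(ip, nets):
    """True if ip falls into one of the CIDRs, or nets contains 'any'."""
    if "any" in nets:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

@dataclass
class Rule:
    rule_id: int          # reference only; position in the list decides evaluation
    name: str
    src_zones: set
    src_nets: list        # CIDR strings, or ["any"]
    dst_zones: set        # for DNAT traffic: the post-NAT zone (where the server lives)
    dst_nets: list        # for DNAT traffic: the pre-NAT destination the client contacted
    services: set         # {(proto, port)} or {"any"}
    action: str

def first_match(rules, src_zone, src_ip, dst_zone, dst_ip, proto, port):
    """Top to bottom: the first rule whose criteria all fit wins; later rules are not checked."""
    for rule in rules:
        if (src_zone in rule.src_zones and in_nets(src_ip, rule.src_nets)
                and dst_zone in rule.dst_zones and in_nets(dst_ip, rule.dst_nets)
                and ("any" in rule.services or (proto, port) in rule.services)):
            return rule
    return None

def evaluate(nat_rules, fw_rules, src_ip, dst_ip, proto, port):
    """DNAT lookup first (it decides where the packet ends up, hence the post-NAT
    zone), then the firewall rule lookup with the pre-NAT destination IP."""
    post_nat_ip = dst_ip
    for nat in nat_rules:   # NAT rules are first-match as well
        if nat["orig_dst"] == dst_ip and nat["service"] in ("any", (proto, port)):
            post_nat_ip = nat["trans_dst"]
            break
    return first_match(fw_rules, zone_for(src_ip), src_ip,
                       zone_for(post_nat_ip), dst_ip, proto, port)

# Constructed rule base: the general allow above swallows the specific block below.
GENERAL  = Rule(7, "LAN to WAN any", {"LAN"}, ["192.168.10.0/24"], {"WAN"}, ["any"], {"any"}, "allow")
SPECIFIC = Rule(3, "Block LAN SSH out", {"LAN"}, ["192.168.10.0/24"], {"WAN"}, ["any"], {("tcp", 22)}, "drop")

# Constructed DNAT publish: WAN 203.0.113.10:443 -> DMZ server 172.16.10.5
NAT_RULES = [{"orig_dst": "203.0.113.10", "service": ("tcp", 443), "trans_dst": "172.16.10.5"}]
DNAT_OK    = Rule(12, "Publish web (DNAT)", {"WAN"}, ["any"], {"DMZ"}, ["203.0.113.10/32"], {("tcp", 443)}, "allow")
DNAT_WRONG = Rule(13, "Publish web (wrong, post-NAT IP)", {"WAN"}, ["any"], {"DMZ"}, ["172.16.10.5/32"], {("tcp", 443)}, "allow")

def order_demo(rules):
    """LAN client opens SSH to the internet; which rule handles it depends only on order."""
    hit = first_match(rules, "LAN", "192.168.10.20", "WAN", "198.51.100.7", "tcp", 22)
    return hit.name if hit else None

def dnat_demo(rule):
    """External client connects to the published WAN IP on 443."""
    hit = evaluate(NAT_RULES, [rule], "198.51.100.7", "203.0.113.10", "tcp", 443)
    return hit.name if hit else None

if __name__ == "__main__":
    print(order_demo([GENERAL, SPECIFIC]))   # general rule above wins despite Rule ID 7 > 3
    print(order_demo([SPECIFIC, GENERAL]))   # moving the specific rule up fixes it
    print(dnat_demo(DNAT_OK))                # DMZ zone + pre-NAT IP: matches
    print(dnat_demo(DNAT_WRONG))             # internal IP in Destination networks: no match
```

The DNAT part is the one that trips people up: the NAT lookup runs first and determines the zone the packet is going to, but the Destination networks field is still compared against the address the client actually sent the packet to.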

More details: Publish a server via DNAT on Sophos Firewall.

Check NAT rules

NAT does not allow traffic. NAT only translates. A matching firewall rule is always required as well.

Under Rules and policies > NAT rules, check:

  • Is the matching NAT rule above more general NAT rules?
  • Is the rule enabled?
  • Do Original source, destination and service match?
  • Do Translated source, destination and service match?
  • Is MASQ or a fixed SNAT IP used?
  • Is there a Linked NAT Rule that matches unexpectedly?
  • Is there a generic SNAT rule matching before a more specific rule?

For simple environments, Sophos usually recommends standalone NAT rules instead of creating a Linked NAT Rule for each firewall rule.

More details: Understand NAT on Sophos Firewall: SNAT, DNAT, MASQ, PAT.

Check routing and SD-WAN

If the rule matches but the connection does not work, routing may be the problem.

Check:

  • Is there a matching default route?
  • Is there a static route?
  • Does an SD-WAN route apply?
  • Is the gateway active?
  • Are there return routes on the target system or in the remote network?
  • Is the return path symmetric?
  • Does traffic go through VPN, MPLS or another interface than expected?

Important: Policy test does not fully represent SD-WAN routing. It is very helpful for firewall, SSL/TLS and web policy decisions, but it does not replace a real packet-flow test.

More details: Change routing priority on Sophos Firewall.

Enable logging

Without logs, troubleshooting becomes painful. Check two places:

  1. Log firewall traffic must be enabled in the firewall rule.
  2. Under System services > Log settings, the correct log type must be enabled locally, for Sophos Central or for syslog.

The Log viewer typically shows firewall sessions when the firewall ends a connection and receives a Destroy event. If an internet connection simply drops, not every session may appear as expected.

Open Log Viewer in the top-right corner of the WebAdmin console. Useful filters are:

  • Source IP
  • Destination IP
  • Port or service
  • Rule ID
  • Rule name
  • Action
  • User
  • NAT rule ID
Figure: Sophos Firewall Log Viewer with Firewall rule ID and NAT rule ID.
Log Viewer shows which Firewall Rule ID and NAT Rule ID processed the traffic. This is often faster than searching only by rule name or IP address.
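When the firewall logs go to syslog rather than only to Log Viewer, the same filters can be applied to the raw key=value lines. The following is an added example written for this article, not Sophos code: it parses Sophos-style key=value log lines and answers "which Firewall Rule ID and NAT Rule ID processed this traffic?" for a given source, destination or port. The four log lines are constructed and shortened to a handful of fields; the field names follow the Sophos firewall log format, but the values, rule names and IDs are invented.

```python
"""Added example (not Sophos code): filter Sophos-style key=value firewall log
lines by source, destination, port or rule ID, and count which rule handled them.
SAMPLE_LOG is constructed and trimmed to a few fields."""
import re
from collections import Counter

# key=value pairs; values are either quoted (may contain spaces) or bare tokens
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Return a dict field -> value with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

# Constructed sample: two hits on a general rule, one default drop, one DNAT hit.
SAMPLE_LOG = """\
device="SFW" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=7 fw_rule_name="LAN to WAN any" nat_rule_id=2 user_name="" src_ip=192.168.10.20 dst_ip=198.51.100.7 protocol="TCP" src_port=51522 dst_port=22
device="SFW" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=7 fw_rule_name="LAN to WAN any" nat_rule_id=2 user_name="alice" src_ip=192.168.10.20 dst_ip=198.51.100.7 protocol="TCP" src_port=51523 dst_port=443
device="SFW" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 fw_rule_name="" nat_rule_id=0 user_name="" src_ip=192.168.10.21 dst_ip=198.51.100.7 protocol="TCP" src_port=40000 dst_port=22
device="SFW" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=12 fw_rule_name="Publish web (DNAT)" nat_rule_id=5 user_name="" src_ip=198.51.100.7 dst_ip=203.0.113.10 protocol="TCP" src_port=44100 dst_port=443
"""

def filter_events(log_text, **wanted):
    """Keep events whose fields equal every value given, e.g. src_ip=..., dst_port=443.
    Values are compared as strings, so ints can be passed for ports and rule IDs."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if all(e.get(k) == str(v) for k, v in wanted.items())]

def rules_hit(log_text, **wanted):
    """Map (fw_rule_id, nat_rule_id, status) -> count for the filtered events.
    A rule ID you did not expect here is the 'Log shows another rule' case."""
    return Counter((e["fw_rule_id"], e["nat_rule_id"], e["status"])
                   for e in filter_events(log_text, **wanted))

if __name__ == "__main__":
    # The SSH test from 192.168.10.20 was expected to be blocked; instead the log shows
    # Firewall Rule ID 7 (the general allow) and NAT Rule ID 2 handling it.
    for key, n in rules_hit(SAMPLE_LOG, src_ip="192.168.10.20", dst_port=22).items():
        print("fw_rule_id=%s nat_rule_id=%s status=%s count=%d" % (key + (n,)))
    # Everything that went to 198.51.100.7, including the default drop with fw_rule_id=0
    for e in filter_events(SAMPLE_LOG, dst_ip="198.51.100.7"):
        print(e["src_ip"], e["dst_port"], e["status"], e["fw_rule_id"], e["fw_rule_name"])
```

Filtering on src_ip and dst_port first, then looking at the rule IDs that come back, mirrors the Log Viewer workflow in the list above and makes "another rule is matching first" visible immediately.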

More details: Sophos Firewall services and log files explained.

Use Packet Capture

If Log Viewer and rule counters are not enough, use Diagnostics > Packet capture.

The key question is whether packets arrive at all, on which interface they are seen, and which NAT ID or Rule ID they carry.

Figure: Sophos Firewall Packet Capture with BPF filter, NAT ID and Rule ID.
Packet Capture shows whether packets arrive, which interface they use and which NAT ID or Rule ID is visible. A narrow BPF filter (for example host and port) keeps the output small and readable.
Observation and meaning:

  • No packet arrives: the problem is before the firewall (client, switch, VLAN, gateway, provider, cloud Security Group)
  • Packet comes in but does not go out: check firewall rule, NAT, routing or a security feature
  • Packet goes out but no reply comes back: check return route, target system, NAT or external blocking
  • Packet is shown with Violation: a policy or security feature blocks it
  • Packet shows NAT ID and Rule ID: compare rule and NAT hits precisely

More details: Use Packet Capture in WebAdmin.

Check security features individually

If the rule matches but the application does not work, a protection profile may interfere:

  • Web Policy
  • SSL/TLS inspection rule
  • Decryption Profile
  • IPS Policy
  • Application Control
  • Malware Scan
  • Zero-day protection
  • Security Heartbeat
  • Traffic Shaping

For tests, do not permanently disable everything across the board. It is better to check briefly and specifically, watch Log Viewer and then fix the root cause cleanly. For TLS Inspection, see Roll out TLS Inspection on Sophos Firewall step by step.

Common causes

Symptom and likely cause:

  • Rule counter stays 0: rule position, Source zone, Destination zone or Service is wrong
  • Log shows another rule: a more general rule is above it
  • No log visible: logging not enabled or traffic does not reach the firewall
  • DNS works, web does not: check service, Web Policy, TLS Inspection or QUIC
  • HTTPS is not scanned: no matching SSL/TLS inspection rule or CA not distributed
  • DNAT does not work: firewall rule uses the wrong Destination zone or the wrong Destination network
  • VPN traffic does not match: check zone VPN, route, tunnel interface or XFRM context
  • Only some users affected: check User Matching, group, SSO, Captive Portal or Heartbeat

Practical process

  1. Note the issue with Source IP, destination, port, user and time.
  2. Check rule position.
  3. Reset rule counter.
  4. Reproduce the test.
  5. Filter Log Viewer by Source IP and Destination IP.
  6. Check NAT rule and routing.
  7. Start Packet Capture with a narrow filter.
  8. Check Security Profiles only specifically.
  9. Document the change.

For a combined test workflow, see Test firewall rules with Log Viewer, Policy Test and Packet Capture.

More information