Avanet

Test Sophos Firewall rules with Log Viewer and Packet Capture

A firewall rule should not just be saved; it should be tested deliberately. Especially with web filtering, TLS Inspection, NAT, IPS or User Matching, a rule can look correct in the WebAdmin console but still not behave as expected.

Three tools are useful for testing:

  • Log viewer for real events and rule decisions
  • Policy tester for web, firewall and SSL/TLS policy logic
  • Packet capture for the actual packet flow

Before testing

First, define exactly what should be tested:

Item              Example
Source IP         172.16.10.25
User              user@domain.local
Source zone       LAN
Destination       https://www.example.com
Service           HTTPS
Expected rule     LAN_to_WAN_Clients
Expected action   allowed, blocked, decrypted, not decrypted

Then enable Log firewall traffic in the affected firewall rule. Without logging, the Log Viewer is only of limited use.

Screenshot: Sophos Firewall rule with Log firewall traffic enabled. The Log firewall traffic option should be enabled for rules that need to be tested or reviewed later.

Step 1: Check the rule position

Open Rules and policies > Firewall rules and check:

  • Is the rule above more general rules?
  • Is it enabled?
  • Is the correct IPv4 or IPv6 view selected?
  • Is it in a sensible Rule group?
  • Are there any Exclusions?
  • Is there an automatically created rule above it?

When testing a new rule, reset the rule’s Usage Counter first. This makes it easier to see whether the rule was actually hit during the test. Keep in mind that the counter counts every hit, including traffic from other clients, so it confirms that the rule is in use but not that your test client hit it; that is what the Source IP filter in Log Viewer is for.

Step 2: Open Log Viewer

Open the Log viewer in the top-right corner of the WebAdmin console.

Useful filters:

  • Module: Firewall
  • Source IP
  • Destination IP
  • Destination port
  • Rule ID
  • Rule name
  • Action
  • User

For web traffic, also check:

  • Web filter
  • SSL/TLS inspection
  • Application filter
  • IPS

The Log Viewer refreshes automatically. For a quieter analysis, pause the live view, apply filters and then resume it afterwards.

Step 3: Reproduce the test

Run the test from a defined client:

  • Open a website
  • Send a ping
  • Test a port
  • Start an application
  • Establish a VPN connection
  • Download a file

If possible, run only one test at a time. Otherwise the log entries from different tests quickly become hard to tell apart.

Then check:

  • Does the rule counter increase?
  • Is there a log entry in Log Viewer?
  • Which Rule ID is shown?
  • Which NAT Rule ID is shown?
  • Is the traffic allowed or blocked?
  • Does a security feature apply?
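The Log Viewer filters from Step 2 and the checks from Step 3 can be reproduced on exported log lines, which is useful when you want to keep a record of a test or search logs outside WebAdmin. The following shell script is an added example and not part of the original article or of Sophos' own tooling. It assumes that the log lines use the key=value syslog format exported by SFOS, with field names such as fw_rule_id, nat_rule_id, log_subtype, user_name, src_ip, dst_ip and dst_port; the three sample lines are constructed for the example and are not real firewall output.

```shell
#!/bin/sh
# Added example, not part of the original article: filter Sophos Firewall
# rule log lines the way Log Viewer does (by source IP, rule ID, action,
# user, ...) and print the fields Step 3 asks you to check: rule ID, NAT
# rule ID, action and destination.
#
# Assumptions (not confirmed by the article): lines use the key=value syslog
# format exported by SFOS with field names such as fw_rule_id, nat_rule_id,
# log_subtype, user_name, src_ip, dst_ip, dst_port. The three sample lines
# are constructed for this example; they are not real firewall output.

SAMPLE_LOG='device_name="SFW" timestamp="2024-05-02T10:15:30+0200" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" fw_rule_id="12" fw_rule_name="LAN_to_WAN_Clients" fw_rule_section="Local rule" nat_rule_id="3" user_name="user@domain.local" src_ip="172.16.10.25" src_port="51234" dst_ip="198.51.100.10" dst_port="443" protocol="TCP" in_interface="Port1" out_interface="Port2"
device_name="SFW" timestamp="2024-05-02T10:15:31+0200" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" fw_rule_id="0" fw_rule_name="" fw_rule_section="Local rule" nat_rule_id="0" user_name="" src_ip="172.16.10.40" src_port="40211" dst_ip="198.51.100.10" dst_port="443" protocol="TCP" in_interface="Port1" out_interface=""
device_name="SFW" timestamp="2024-05-02T10:15:33+0200" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" fw_rule_id="12" fw_rule_name="LAN_to_WAN_Clients" fw_rule_section="Local rule" nat_rule_id="3" user_name="user@domain.local" src_ip="172.16.10.25" src_port="51240" dst_ip="198.51.100.10" dst_port="80" protocol="TCP" in_interface="Port1" out_interface="Port2"'

# fw_log_filter <field> <value>: read key=value log lines on stdin and print a
# one-line summary of every line whose <field> equals <value>. <field> can be
# any key in the line, so the same function covers the Log Viewer filters
# Source IP, Rule ID, Action (log_subtype), User, Destination IP/port.
fw_log_filter() {
  awk -v key="$1" -v want="$2" '
  {
    split("", kv); s = $0
    # Walk the line field by field. A value is either a quoted string (may
    # contain spaces, e.g. fw_rule_section="Local rule") or a bare token.
    while (match(s, /[A-Za-z_]+=("[^"]*"|[^ ]+)/)) {
      f  = substr(s, RSTART, RLENGTH)
      eq = index(f, "=")
      k  = substr(f, 1, eq - 1)
      v  = substr(f, eq + 1)
      gsub(/^"|"$/, "", v)                 # strip the surrounding quotes
      kv[k] = v
      s = substr(s, RSTART + RLENGTH)      # continue after this field
    }
    if (kv[key] != want) next
    printf "%s rule=%s nat=%s action=%s user=%s %s -> %s:%s/%s\n", kv["timestamp"], kv["fw_rule_id"], kv["nat_rule_id"], kv["log_subtype"], kv["user_name"], kv["src_ip"], kv["dst_ip"], kv["dst_port"], kv["protocol"]
  }'
}

# Demo with the constructed sample: only the test client's traffic is shown.
printf '%s\n' "$SAMPLE_LOG" | fw_log_filter src_ip 172.16.10.25

# Live use on the firewall's advanced shell (assumption: the rule log is
# /log/firewall_rule.log and its lines carry the same key=value fields):
#   tail -f /log/firewall_rule.log | fw_log_filter src_ip 172.16.10.25
# Count how often the rule under test was hit during the test window:
#   fw_log_filter fw_rule_id 12 < exported.log | grep -c ''
```

Filtering by fw_rule_id instead of src_ip gives the same information as the rule's Usage Counter, but restricted to the lines you actually exported, and filtering by log_subtype Denied with an empty fw_rule_id quickly shows traffic that fell through to the default drop rather than being blocked by a rule you wrote.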

Step 4: Use Policy tester

The Policy tester is helpful when checking which firewall rule, SSL/TLS inspection rule or Web Policy would theoretically apply to web traffic.

Menu path:

Diagnostics > Tools > Policy tester

Typical inputs:

  • URL
  • User
  • Time and day
  • Source IP
  • Source zone
  • Test method

For Test method, select Firewall, SSL/TLS, and web if the combination of firewall rule, SSL/TLS inspection rule and Web Policy should be checked.

Screenshot: Sophos Firewall Policy tester with accepted result. The Policy tester shows that the connection from the specified Source IP would be allowed by the matched firewall rule.

The Policy tester shows not only Accepted or Blocked, but also the matched firewall rule, the detected destination, the Source zone and, depending on the test method, additional web or SSL/TLS information. This quickly shows whether the traffic generally lands in the expected rule.

Screenshot: Sophos Firewall Policy tester with blocked Web Policy result. For web traffic, the Policy tester also shows the Web protection assessment, category and matched Web Policy.

Important:

⚠️ The Policy tester does not replace a real packet flow test. Sophos notes that Policy tester results don’t reflect SD-WAN routes. The actual behaviour can therefore differ when SD-WAN, routing or gateways are involved.

The Policy tester is especially useful for:

  • Web Policy
  • URL categorisation
  • User context
  • Schedule
  • SSL/TLS inspection rule
  • Firewall rule matching for web traffic

It is less useful for:

  • Real routing decisions
  • NAT return path
  • Packet loss
  • Provider or switch problems
  • Applications with multiple connections and ports

Step 5: Use Packet Capture

If Log Viewer and Policy tester are not enough, use Diagnostics > Packet capture.

Set a narrow filter, for example:

  • Source IP of the client
  • Destination IP of the server
  • Destination port
  • Protocol

Then:

  1. Start Packet Capture.
  2. Reproduce the test.
  3. Stop Packet Capture.
  4. Compare Incoming and Forwarded events.
  5. Compare Rule ID and NAT ID with Log Viewer.

Interpretation:

Observation                           What to check
No packet arrives                     Client, VLAN, switch, gateway, provider, Cloud Security Group
Packet arrives but does not leave     Firewall rule, NAT, routing, security feature
Packet leaves but no reply returns    Return route, destination system, NAT, external firewall
Packet has status Violation           Policy, IPS, web filter, Application Control
NAT ID is unexpected                  NAT order and generic NAT rules

More details: Use the Packet Capture tool in WebAdmin.

Step 6: Validate security features individually

If the correct rule matches but the traffic still does not work, check the enabled features.

Feature                         What to check
Web policy                      Category, user, schedule, policy order
Scan HTTP and decrypted HTTPS   HTTPS is only scanned if it has already been decrypted
SSL/TLS inspection              Matching rule, Decryption Profile, CA certificate on clients
IPS                             Signature, policy, false positive
Application Control             Detected application, category, cloud app detection
Security Heartbeat              Endpoint sends heartbeat, status green/yellow/red
Traffic Shaping                 Policy enabled, correct application or rule
NAT                             Correct SNAT/DNAT/PAT rule, order

For HTTPS, a firewall rule with web filtering is not enough to inspect HTTPS content. A matching SSL/TLS inspection rule with decryption and a distributed CA certificate is also required.

More details: Roll out TLS Inspection on Sophos Firewall step by step.

Step 7: Check log files

If the WebAdmin tools are not enough, check the relevant log files.

Typical files:

Topic                   Log file
Firewall rule           firewall_rule.log
NAT                     nat_rule.log
Firewall connections    fwlog.log
IPS and DPI             ips.log
Web Proxy               awarrenhttp.log
IPsec                   strongswan.log, charon.log
SSL VPN                 sslvpn.log
DNS                     dnsd.log, dnsgrabber.log
DHCP                    dhcpd.log

A detailed overview is available here: Sophos Firewall Troubleshooting: Services and Logs.

Example: Test a LAN to WAN web rule

  1. Create firewall rule LAN_to_WAN_Clients.
  2. Enable Log firewall traffic.
  3. Set Services to HTTP and HTTPS.
  4. Select Web Policy.
  5. Keep Block QUIC protocol enabled.
  6. Enable Scan HTTP and decrypted HTTPS.
  7. Create an SSL/TLS inspection rule for the test group.
  8. Install the CA certificate on the test client.
  9. Reset the rule counter.
  10. Open a website.
  11. Filter Log Viewer by Source IP.
  12. Run Policy tester for the same URL.
  13. Start Packet Capture if the result differs.

This shows whether the rule matches, whether HTTPS is actually decrypted and whether web filter, IPS or Application Control intervenes.
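Steps 10 and 11 of the example run the test from the client and look for it in Log Viewer; whether HTTPS was really decrypted (step 7 and Step 6 above) can also be confirmed on the client itself, because a decrypting firewall presents the client with a leaf certificate re-signed by its inspection CA instead of the public CA's certificate. The following script is an added example and not part of the original article or of Sophos' tooling. It assumes that curl and openssl are installed on the test client; FW_CA_CN is a placeholder for the subject CN of your firewall's TLS inspection CA, the hosts and URLs are placeholders, and the issuer strings in the self-test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: reproduce one test at a
# time from the defined test client (Step 3) and then decide from the
# certificate issuer whether the HTTPS connection was really decrypted by
# the firewall (Step 6 / the LAN to WAN example).
#
# Assumptions: curl and openssl exist on the client; FW_CA_CN is a placeholder
# for the subject CN of your firewall's TLS inspection CA; hosts and URLs
# passed in are placeholders. Issuer strings used in the self-test are
# constructed, not captured from a real firewall.

FW_CA_CN="${FW_CA_CN:-Sophos Firewall CA}"   # placeholder: set to your CA's CN

# run_test <label> <url>: one request, one stamped result line. The local
# time stamp is what you search for in Log Viewer; one test per call keeps
# the log entries from mixing. Network call, not exercised by the self-test.
run_test() {
  stamp=$(date '+%Y-%m-%dT%H:%M:%S')
  result=$(curl -sS -o /dev/null -m 10 \
             -w 'http=%{http_code} remote=%{remote_ip} verify=%{ssl_verify_result}' \
             "$2" 2>&1) || result="failed: $result"
  printf '%s %s %s\n' "$stamp" "$1" "$result"
}

# issuer_of <host>: issuer DN of the leaf certificate this client receives
# for <host>; empty if no TLS handshake completes. Network call, not
# exercised by the self-test.
issuer_of() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer 2>/dev/null | sed 's/^issuer=//'
}

# classify_tls <issuer_dn> <ca_cn>: interpret the issuer.
#   decrypted    issuer is the firewall's inspection CA: the SSL/TLS inspection
#                rule matched and the firewall re-signed the certificate
#   passthrough  issuer is someone else: traffic passed but was not decrypted,
#                so "Scan HTTP and decrypted HTTPS" cannot see the content
#   no-tls       no certificate at all: blocked, reset or never reached the host
# Both the "CN = x" (OpenSSL 1.1+) and the "/CN=x" (older) DN layouts are
# accepted.
classify_tls() {
  case "$1" in
    "")                       echo no-tls ;;
    *"CN = $2"*|*"CN=$2"*)    echo decrypted ;;
    *)                        echo passthrough ;;
  esac
}

# check_https <host>: run both steps against a live host.
check_https() {
  classify_tls "$(issuer_of "$1")" "$FW_CA_CN"
}

# Example session on the test client (placeholder host from the test plan):
#   run_test web-1 https://www.example.com/
#   check_https www.example.com      # expect "decrypted" if the inspection
#                                    # rule matches, "passthrough" if not
```

If check_https reports passthrough although Log Viewer shows the expected firewall rule, the firewall rule is fine and the problem is in the SSL/TLS inspection rule or Decryption Profile; if curl in run_test reports a verify result other than 0 while the issuer is the firewall CA, the CA certificate is missing from the client's trust store.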

Further information