Log all dropped traffic
Add a Drop all firewall rule to log dropped traffic without interrupting other services.
Sophos Firewall has a built-in Drop all firewall rule with policy ID 0. It's always at the bottom of the firewall rule list and it doesn't log the traffic it drops, so to log dropped traffic you must create your own Drop all rule.
The following image shows the default Drop all rule.
To create a new Drop all rule, do as follows:
- Go to Rules and policies > Firewall rules. Select protocol IPv4 or IPv6 and select Add firewall rule. Select New firewall rule.
Specify the following settings:
- Rule name: Enter a name.
- Rule position: Specify the position of the rule in the rule table. Place it at the bottom of the list, below the rules that allow your normal traffic, so that it only matches traffic no other rule has already allowed.
- Action: Select Drop. This drops traffic without notification. Currently, if you select Use web authentication for unknown users in the firewall rule, Sophos Firewall shows a block page instead of dropping web traffic silently. This behavior applies to traffic from all zones.
- Log firewall traffic: Select this to log all traffic that matches the rule. By default, logs are stored on Sophos Firewall.
- Source zones: Select the zones from which the traffic originates.
- Source networks and devices: Select the source networks and devices or create new ones.
- Destination zones: Select the destination zones in which the traffic terminates.
- Destination networks: Select the destination networks or create new ones.
- Services: Select the services or create a new service. A service is a combination of a protocol and ports.
Always select the individual source and destination zone names rather than Any. With individual zones selected, the firewall's internal services continue to work correctly.
The image below shows individual source and destination zones.
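Once the rule is in place, confirm that it's actually writing log entries and look at what it drops. The following Python script is an added example and not part of the Sophos documentation. It parses a constructed excerpt in the key=value layout of the Sophos Firewall syslog export and summarizes the Denied entries by rule, zone pair, destination port and source address. The field names it reads (log_type, log_subtype, status, fw_rule_id, fw_rule_name, srczone, dstzone, src_ip, dst_ip, protocol, dst_port) are assumed from that format rather than taken from this page, and rule ID 12 with the name "Drop all logged" is a placeholder for the rule you created; adjust them if your export differs.

```python
"""Summarize denied connections from a Sophos Firewall syslog export.

Added example; not from the Sophos documentation. The key=value layout and
the field names used below are assumed from the firewall's syslog format.
"""
import re
from collections import Counter

# Constructed sample export (not real traffic). Rule 12 stands in for the
# logged Drop all rule created in the procedure above; rule 3 is an ordinary
# allow rule and must not be counted as dropped traffic.
SAMPLE_LOG = """\
device="SFW" date=2024-05-01 time=10:00:01 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=12 fw_rule_name="Drop all logged" user_name="" src_ip=10.0.0.25 dst_ip=203.0.113.9 protocol="TCP" src_port=51234 dst_port=23 srczone="LAN" dstzone="WAN"
device="SFW" date=2024-05-01 time=10:00:02 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=3 fw_rule_name="LAN to WAN" user_name="jdoe" src_ip=10.0.0.25 dst_ip=198.51.100.7 protocol="TCP" src_port=51235 dst_port=443 srczone="LAN" dstzone="WAN"
device="SFW" date=2024-05-01 time=10:00:05 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=12 fw_rule_name="Drop all logged" user_name="" src_ip=172.16.5.4 dst_ip=10.0.0.10 protocol="TCP" src_port=40001 dst_port=445 srczone="DMZ" dstzone="LAN"
device="SFW" date=2024-05-01 time=10:00:09 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=12 fw_rule_name="Drop all logged" user_name="" src_ip=10.0.0.25 dst_ip=203.0.113.9 protocol="TCP" src_port=51240 dst_port=23 srczone="LAN" dstzone="WAN"
device="SFW" date=2024-05-01 time=10:00:12 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=12 fw_rule_name="Drop all logged" user_name="" src_ip=192.0.2.77 dst_ip=203.0.113.2 protocol="UDP" src_port=5353 dst_port=53 srczone="WAN" dstzone="DMZ"
"""

# One key=value pair: the value is either double-quoted (may contain spaces
# or be empty, e.g. user_name="") or a bare token such as an IP or a number.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_line(line):
    """Turn one syslog line into a dict of field name -> string value."""
    fields = {}
    for m in _PAIR.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        # group(2) is None (not '') when the value was unquoted
        fields[key] = quoted if quoted is not None else bare
    return fields


def parse_log(text):
    """Parse every non-empty line of an export."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def denied(records):
    """Firewall-rule entries whose action dropped the packet."""
    return [r for r in records
            if r.get("log_type") == "Firewall" and r.get("log_subtype") == "Denied"]


def summarize_denied(records):
    """Counts of denied entries by rule, zone pair, destination port and source."""
    d = denied(records)
    return {
        "total": len(d),
        "by_rule": Counter((r.get("fw_rule_id"), r.get("fw_rule_name")) for r in d),
        "by_zones": Counter(f'{r.get("srczone")}->{r.get("dstzone")}' for r in d),
        "by_dst_port": Counter(f'{r.get("protocol")}/{r.get("dst_port")}' for r in d),
        "top_sources": Counter(r.get("src_ip") for r in d),
    }


def rule_is_logging(records, rule_name):
    """True once at least one Denied entry names the given rule, i.e. Log
    firewall traffic took effect and the rule is matching something."""
    return any(r.get("fw_rule_name") == rule_name for r in denied(records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summary = summarize_denied(recs)
    print(f"denied entries: {summary['total']}")
    for (rid, name), n in summary["by_rule"].most_common():
        print(f"  rule {rid} ({name}): {n}")
    for zones, n in summary["by_zones"].most_common():
        print(f"  {zones}: {n}")
    for port, n in summary["by_dst_port"].most_common():
        print(f"  {port}: {n}")
    print("new Drop all rule is logging:", rule_is_logging(recs, "Drop all logged"))
```

Run it against a real export (for example, lines forwarded to a syslog server) instead of SAMPLE_LOG; if rule_is_logging stays False after traffic you expect to be dropped, check that Log firewall traffic is enabled on the new rule and that the rule sits below your allow rules, since the built-in rule with policy ID 0 never produces these entries.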