Please occasionally check the Changelog at the bottom of this post to see if there have been corrections/additions since you last were here.
Over the years, I've accumulated suggestions from dozens of folks here. I made notes in my personal Tips-n-Tricks list, but it was only in February of this year that I started making a list of the "Rules" we all had established here. I intend to continue to maintain this list, so if you see one that's inaccurate or imprecise, please post in this thread or send me a PM.
The Zeroeth Rule:
Start with a hostname that is a unique (not used for anything else) FQDN resolvable in public DNS to your public IP. If you didn't do that, use slickone27's trick to get CAs, certificates, hostname entries, etc. all aligned; it will save you hours and frustration.
Rule #1:
Always check the logs! For example, when you disabled Intrusion Prevention, you only disabled Snort - you did not disable the items on the other tabs! (Many people are tripped up by UDP Flood Protection which is logged in the Intrusion Prevention log file. This is often the cause of bad voice-quality with VoIP and unreliable IPsec connections that don't terminate on the UTM.)
Whenever something seems strange, always check the Intrusion Prevention, Application Control and Firewall logs. If 'Advanced Threat Protection' on the Dashboard is not zero, check that log also. Hint: If this didn't help, you likely have a routing problem. In that case, check #3 through #5.
Rule #2:
Do you wonder why traffic is allowed through even when you have an explicit firewall rule blocking it? In general, a packet arriving at an interface is handled only by one of the below, in order (see images at the bottom):
What happens with outbound traffic?
Before the packet leaves, ATP will block it if the destination is on a list of malicious IPs.
Never create a Host/Network definition bound to a specific interface. Always leave all definitions with 'Interface: <<Any>>'.
There are two known exceptions:
Rule #3.1: Other solutions to routing problems (not seeing any blocks, but not getting responses) include:
When creating DNATs for traffic arriving from the internet, in "Going to:" always use the "(Address)" object created by WebAdmin when the interface or the Additional Address was defined. For any Traffic Selector to apply to packets with a destination of an IP on the UTM, the corresponding "(Address)" object must be used. Under the covers, it's iptables that does the work. Using "Any" or a normal Network/Host definition causes the Traffic Selector to apply to packets in the FORWARD chain. The "(Address)" objects are bound to the interface on which they're defined, so that causes the Selector to apply to the INPUT chain.
In NAT rules, it is a good habit to leave a field blank when not making a change. In the case of a service with a single destination port, this makes no difference. In the case of a service with multiple ports, or a Group, repeating the service makes the NAT rule ineffective.
There are only six reasons to sync users from AD to the ASG/UTM:
There's no other reason to sync users to WebAdmin - certainly not for AD-SSO.
If you have slow throughput and/or ifconfig shows errors, collisions, etc., try these steps, in sequence, until your problem goes away:
Before changing the hardware the UTM runs on, go to 'Interfaces & Routing >> Interfaces' and, on the 'Hardware' tab, edit each NIC to have a 'Virtual MAC Address' that copies the existing MAC. This will cause your new NICs to be recognized immediately after the configuration is restored. The alternative is to make certain that each router/switch connected to the various NICs has cleared its ARP table:
When a Web Filtering Filter Action changes based on Policies with Time Events, established connections like YouTube will continue to function and will not be blocked. Use Sheldon's Trick: create a firewall Block rule for a one-minute Time Event after your policy allowing traffic is deactivated by a Time Event and one blocking traffic then handles the requests.
Cheers - Bob
Changelog:
2019-04-17 Added the information about ATP to #2.1 after stu asked a question about it
2019-01-02 Added exception for Uplink Balancing to #3 as suggested by Toni LuCar
2018-12-30 Deleted reference to encryption/signing from #6 based on a comment from Toni LuCar
2018-12-28 Added #2.1 based on a question from member Davis Admin
2018-01-03 Added a line to #3 based on a post by shaun threetwotwosix
2017-12-27 apijnappels posted this suggestion for the * on #2.5
2017-12-09 In #2, inserted #3 about ICMP
2017-06-09 Replaced the flow diagram mentioned in #2 with a newer version and then put the old one back along with an older iptables version, too
2017-05-30 In #2, moved DNATs from #3 to #4 (after Intrusion Prevention) - I think that's right
2017-05-20 Added the question at the top of #2 based on a suggestion from Louis-M
2017-04-02 Reformatted #2 based on an idea from Louis-M
2017-02-16 Changed #1 because people were ignoring notes and parenthetical remarks. Two people today ignored my notes and comments, turned off IPS and thought they were following the rule!
2017-01-25 added Intrusion Prevention to #2
2017-01-16 added parenthetical remark in #3.1 based on a comment by new member Brendan Corcoran
2016-12-08 added #9 (by a new member)
2016-12-03 added iptables information to #4 because of a question asked by new member Len Goddard
2016-10-22 added comments to the end of NOTE on #1 and updated #3 with the exception noted by vilic in March
2016-10-18 added NOTE to #1
2016-05-06 added the parenthetical remark about the Transparent-mode SMTP Proxy to #2 thanks to a report by fellow member Matthew
2015-10-05 added hint to #1
2015-09-25 typo
2015-08-13 Changed #7 to numbering instead of bullet points
2015-07-10 Bart van Kampen's tests proved that AppCtrl comes after firewall rules, so #2 was modified
2015-06-19 Thanks to new member jleigh5, added second line to #6 about User Portal
2015-06-14 "unique..." added to 0-eth rule
2015-06-11 added details on Intel NICs based on a comment from William
2015-06-07 changed the link in #0 to work with Macs
2015-05-25 added the first reason in #6 about WebAdmin
2015-04-10 added link to feature request in #6
2015-03-15 clearer wording in Zeroeth
2015-02-03 #8 thanks to BarryG and AppCtrl in #2 thanks to FrankBarmentlo
2014-12-24 added Country Blocking in #2
2014-09-10 added conntrack in #2
2014-09-09 added Advanced Threat in #1
2013-06-10 added BarryG's masq idea in 3.1
2013-06-08 added fourth reason to #6
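Rule #1 says to check the Intrusion Prevention, Application Control, Firewall and ATP logs, because a drop made by flood protection is written to the IPS log and never appears in the Firewall log. The script below is an added example of mine (not code from Bob's post or from Sophos) for triaging UTM-style key="value" log lines: it splits entries by subsystem, pulls out the flood-protection hits that keep being written to the IPS log after Snort is unticked, and ranks the source IPs behind them. The sample lines are constructed to resemble the UTM layout; the field names, id values and addresses in them are assumptions, not copied from a real system.

```python
"""Triage for Sophos UTM style key="value" log lines (added example, not from the post)."""
import re
from collections import Counter

# One key="value" pair; the structured part of a UTM line follows 'daemon[pid]: '.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines (NOT real log output).  They mimic the UTM layout
# (date-time, hostname, daemon[pid]:, key="value" pairs); the field names and
# id values are assumptions made for this example.
SAMPLE_LOG = """\
2019:04:17-10:05:33 utm snort[4321]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" initf="eth1" srcip="198.51.100.7" dstip="203.0.113.5" proto="17" srcport="5060" dstport="5060"
2019:04:17-10:05:34 utm ulogd[2222]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.9" dstip="203.0.113.5" proto="6" srcport="44123" dstport="22"
2019:04:17-10:05:35 utm snort[4321]: id="2103" severity="warn" sys="SecureNet" sub="ips" name="SNORT" action="drop" initf="eth1" srcip="198.51.100.9" dstip="192.168.0.20" proto="6" srcport="44124" dstport="80"
2019:04:17-10:05:36 utm snort[4321]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" initf="eth1" srcip="198.51.100.7" dstip="203.0.113.5" proto="17" srcport="5060" dstport="5060"
2019:04:17-10:05:37 utm afcd[3333]: id="2201" severity="info" sys="SecureNet" sub="afc" name="Application blocked" action="drop" app="Skype" srcip="192.168.0.44" dstip="198.51.100.50"
2019:04:17-10:05:38 utm aptp[4444]: id="2301" severity="warn" sys="SecureNet" sub="aptp" name="Advanced Threat Protection" action="drop" srcip="192.168.0.45" dstip="198.51.100.60"
this line carries no structured fields and is skipped
"""


def parse_line(line):
    """Return the key/value fields of one line, or None if the line has none."""
    fields = dict(KV_RE.findall(line))
    if not fields:
        return None
    fields["_prefix"] = line.split(": ", 1)[0]  # timestamp, host and daemon[pid]
    return fields


def parse_log(text):
    """Parse a whole log dump, dropping lines without key="value" pairs."""
    return [f for f in map(parse_line, text.splitlines()) if f]


def count_by_subsystem(entries):
    """Entries per subsystem: ips, packetfilter (Firewall log), afc (AppCtrl), aptp (ATP)."""
    return Counter(e.get("sub", "?") for e in entries)


def flood_protection_hits(entries):
    """IPS-log entries from the flood-protection tabs rather than from a Snort signature.

    These are what Rule #1 warns about: unticking Intrusion Prevention only
    stops Snort, so these keep firing and keep being logged here.
    """
    return [e for e in entries
            if e.get("sub") == "ips"
            and "flood" in (e.get("name", "") + " " + e.get("action", "")).lower()]


def top_flood_sources(entries, n=3):
    """Source IPs with the most flood hits, e.g. a VoIP peer to exempt from the threshold."""
    return Counter(e["srcip"] for e in flood_protection_hits(entries)
                   if "srcip" in e).most_common(n)


def drops_outside_firewall_log(entries):
    """Everything that is NOT in the Firewall log: what you miss by checking only that log."""
    return [e for e in entries if e.get("sub") != "packetfilter"]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(count_by_subsystem(entries))
    for e in flood_protection_hits(entries):
        print(e["_prefix"], e["srcip"], "->", e["dstip"], e["action"])
    print(top_flood_sources(entries))
```

Point it at the log files WebAdmin shows under 'Logging & Reporting' instead of the embedded sample; the parser only relies on the key="value" layout, so the same functions work across the IPS, Firewall, Application Control and ATP logs.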
Wow, there's some heady stuff in here! Can't say I understand it all (almost none of it, really) but it sure is a valuable document to keep on hand.
Sophos/UTM is a science on its own - so much to learn. Not sure it's a very practical choice for someone not really familiar with it, as the documentation is pretty lousy. However, it seems as though you can avoid a lot of pitfalls by referring to this document...
Thanks for posting this.
Do you know the order between snat and masquerade?
Where do multipath rules happen?
In reply to Davis Admin:
Those are outbound packets, not inbound to an interface, so were not a part of #2.
SNAT takes precedence over Masquerading, so it must happen first, causing the packet to not qualify for the masquerading rule.
Multipath is applied before SNAT/Masq. Note that the UTM Proxies skip SNAT/Masq and assign a public IP as the source of packets each handles. Unlike with the other UTM Proxies, HTTP/S Proxy traffic can still be identified by Multipath rules as to its private, internal source-IP.
PS Thanks for the question! I've added #2.1 in the Rulz post and mentioned you in the Changelog.
In reply to BAlfson:
Maybe someday, but now it’s like you’re speaking a new language. Klingon?
In reply to Rob Pelletier1:
Just a simple approach.
With Multipath you decide which Interface should be used.
With SNAT you decide which IP should be used. If there is no SNAT, UTM will look for a MASQ Rule as "fallback".
In reply to LuCar Toni:
Gonna build one, play with it. Docs aren’t great, but lotsa guidance in these forums.
I refused to use Cisco because of how stupid complicated everything is, but this isn’t much better...
But, that’s me, not the product...
Maybe I can add some points to your Rulz :)
There are other points to cover for the "Interface". For example, if you have multipath rules, the uplink balancing will be monitored by the object that uses this specific interface.
Email Protection is enabled and the user should receive Quarantine Reports and be able to manage personal black/whitelists and/or use Email Encryption/Signing. Email Encryption does not use AD Objects.
#3 was motivated by how WebAdmin creates iptables firewall rules for the INPUT, FORWARD and OUTPUT chains. Are you saying that the behavior of Uplink Balancing is changed when a Network object is bound to an interface?
In #6, the assumption is that the admin has Active Directory. In general, I recommend against using S/MIME Encryption for users that don't have access to the Quarantine Report and User Portal, but, rather than complicate #6, I think you're right that eliminating encryption/signing is clearer.
I mean this:
Note – If a selected host is bound to an interface, it will only be used to monitor this interface. If a host is not bound to an interface, it will be used to monitor all interfaces. Interfaces not covered by the selected hosts will be monitored by automatic monitoring.
Which is quite powerful for Uplink Balancing.
I see the subtlety now, Toni. Thanks!
If multipath happens before SNAT, does that mean SNAT rules are going to need a matching multipath rule?
outbound email SNAT to a secondary IP address on uplink 1. We don't want this traffic to go out on uplink 2. Thus I need a matching multipath rule, right? (Seems like a firewall should be "smart" enough to figure this out.)
Are there any special needs for DNAT? (My DNAT rules keep failing whenever I turn on uplink balancing, but not immediately.)
If you want outbound SMTP to only leave from uplink 1, bind the traffic to that interface and uncheck 'Skip rule on interface error' in 'Advanced'.
DNAT should not be affected by Uplink Balancing. You might want to open a thread on this issue in the Network Protection forum.
I've read the "RULZ" site from this community:
And unfortunately have more questions now than answers.
1. What is "Connection tracker" [conntrack] and where can I find the configuration and logs for this?
2. I've ticked the "LOG ICMP redirects" option under the "ICMP" tab to see ICMP packets. But when I ping an interface on my Sophos from another DHCP-released IP in another net, I just don't see these packets in the Packet Filter Log and I don't know why. My temporary rule includes "any" and "ping", so I should see it.
3. Then... I don't get whether routing between two different networks is defined by a "packet filter" rule or by "static routing", and if one is chosen, what is the difference and which one has the higher priority?
4. I have an interface in a 192.168.0.0 network (192.168.0.1) and am not able to ping, from the Sophos under Support\Tools, one device that gets its IP address from my Sophos. I also don't see any logs for this issue.
It's quite annoying, as I was quite used to the Sophos in the former configuration I had.
In reply to Rumak18:
1. The connection tracker is what makes the UTM a stateful firewall. There are no logs, but you can use command line tools to check the current status of the connection tracking table. You also can use 'cc get packetfilter timeouts' to see what parameters can be changed using 'cc set packetfilter timeouts'.
2. I don't understand what you have configured. Logging ICMP redirects has nothing to do with pings and other ICMP traffic.
3. Routing and packet filter are two completely different things. In most cases in WebAdmin, if things are configured correctly, WebAdmin creates the necessary routes invisibly and automatically. Automatic firewall (packet filter) rules are also created by WebAdmin, either implicitly as in the various proxies or explicitly as in the selections possible in VPN and NAT definitions.
4. I guess the device doesn't have the default gateway set correctly (Rule #3.1) or that 'Ping from gateway' is not enabled (3 in Rule #2).
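To make point 1 concrete, here is an added example (mine, not code from the post or from Sophos) of a parser for the connection-tracking table in the form the Linux kernel exposes it in /proc/net/nf_conntrack. It also ties back to the SNAT/masquerading and DNAT discussion earlier in the thread: conntrack stores the original and the reply tuple of every flow, so comparing the two shows whether the UTM rewrote the source (an SNAT rule, or masquerading as the fallback) or the destination (DNAT), and the UNREPLIED entries are the flows that went out and never got an answer, which is the "no block logged, but no response" symptom Rule #3.1 describes. The table lines below are constructed samples, not real output; the addresses in them are assumptions.

```python
"""Parser for /proc/net/nf_conntrack lines (added example, not from the post).

Each line carries: l3 proto, l3 number, l4 proto, l4 number, timeout,
an optional state (TCP only), the original-direction tuple, the
reply-direction tuple, bracketed flags such as [ASSURED] or [UNREPLIED],
and extra key=value fields (mark, zone, use).
"""
from collections import Counter

# Keys that occur once per direction: the first occurrence belongs to the
# original tuple, the second to the reply tuple.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}

# Constructed sample table (NOT real output), written in the kernel's format.
SAMPLE_TABLE = """\
ipv4     2 tcp      6 431995 ESTABLISHED src=192.168.0.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=198.51.100.7 dst=203.0.113.5 sport=40511 dport=25 src=192.168.0.20 dst=198.51.100.7 sport=25 dport=40511 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.0.10 dst=192.168.0.1 sport=40000 dport=53 src=192.168.0.1 dst=192.168.0.10 sport=53 dport=40000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 icmp     1 29 src=192.168.0.10 dst=192.168.0.1 type=8 code=0 id=1234 src=192.168.0.1 dst=192.168.0.10 type=0 code=0 id=1234 mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=192.168.0.44 dst=198.51.100.50 sport=50001 dport=5222 [UNREPLIED] src=198.51.100.50 dst=203.0.113.5 sport=5222 dport=50001 mark=0 zone=0 use=2
"""


def parse_entry(line):
    """Turn one nf_conntrack line into a dict with 'orig', 'reply' and 'flags'."""
    tokens = line.split()
    entry = {"l3": tokens[0], "proto": tokens[2], "timeout": int(tokens[4]),
             "orig": {}, "reply": {}, "flags": []}
    rest = tokens[5:]
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)  # e.g. ESTABLISHED, SYN_SENT (TCP only)
    for tok in rest:
        if tok.startswith("["):
            entry["flags"].append(tok.strip("[]"))
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key in TUPLE_KEYS:
                side = entry["orig"] if key not in entry["orig"] else entry["reply"]
                side[key] = value
            else:
                entry[key] = value
    return entry


def parse_table(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def nat_kinds(entry):
    """Which translations the flow went through, judged from the two tuples.

    Without NAT the reply tuple is just the original tuple mirrored.  A
    changed reply destination means the source was rewritten (SNAT rule or
    masquerading); a changed reply source means the destination was
    rewritten (DNAT).  Traffic handled by a UTM proxy shows up as two
    separate, untranslated connections instead, since the proxy terminates it.
    """
    o, r = entry["orig"], entry["reply"]
    kinds = []
    if (r.get("dst"), r.get("dport")) != (o.get("src"), o.get("sport")):
        kinds.append("SNAT")
    if (r.get("src"), r.get("sport")) != (o.get("dst"), o.get("dport")):
        kinds.append("DNAT")
    return kinds


def unanswered(entries):
    """Flows that sent a SYN or datagram and got nothing back (Rule #3.1 symptom)."""
    return [e for e in entries if "UNREPLIED" in e["flags"]]


def involving(entries, ip):
    """Every entry in which ip appears in either tuple, in either direction."""
    return [e for e in entries
            if ip in (e["orig"].get("src"), e["orig"].get("dst"),
                      e["reply"].get("src"), e["reply"].get("dst"))]


def summary(entries):
    """Count entries per (protocol, state, NAT) for a quick overview of the table."""
    return Counter((e["proto"], e.get("state", "-"), "+".join(nat_kinds(e)) or "none")
                   for e in entries)


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for key, n in sorted(summary(table).items()):
        print(key, n)
    for e in unanswered(table):
        print("no reply:", e["orig"])
```

On a live box, read /proc/net/nf_conntrack into parse_table instead of the sample and use involving() with the address of the client that is "not getting responses": an entry for it with UNREPLIED and no matching block in the Firewall log is the routing problem Rule #3.1 talks about, whereas no entry at all means the packet never reached the UTM.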
You should move 7.7 to before cables and stuff. But, THANK YOU!