Security of XBox One placed in unfiltered traffic zone

I finally got my Sophos UTM Home machine up and running, and so I have several refinement questions I'm struggling with.  To help others who may have the same issues, I'm posting them separately rather than all together.

This is a security question regarding XBox One, which I had major issues with.  Initially I established all the ports necessary for XBox Live as Services, then made two Firewall Rules saying "Allow any IP using XBox Live services through to the XBox", and vice versa.  But then, while I had internet access, my traffic slowed to a crawl and I couldn't get multiplayer working.  I also had to set up a web filtering exception rule which said, "Bypass all security checks for traffic going to and from the XBox" (I finally assumed that's what people on this forum meant when saying store it as an exception or place the XBox in a DMZ, because I couldn't find a literal DMZ tab/setting).  My NAT type still reads as moderate -- and despite XBox saying that multiplayer is available, I still can't play online -- so next I'm going to look in the DNAT tab and try to figure out if I need entries there.

Am I heading in the right direction?  More importantly:  is bypassing these checks for XBox traffic advisable and/or a good practice?  Is it possible for rogue traffic to get through and use the XBox as some sort of bot?  I'm even wondering if I can further restrict the traffic definition on the firewall to a specific DNS host Microsoft uses for XBox Live, but I'm guessing there are several...I'll have to try and look them up to see.

I'd appreciate your feedback!  If you have an alternative solution, please let me know specifically which tab/option you are using, because in researching various solutions in these forums, I sometimes don't know where in Sophos to go in order to execute a specific solution someone has mentioned!

    First, the UTM is a stateful firewall and it doesn't require a vice-versa rule. A simple LAN-WAN rule will be enough, and the rest will be managed by the connection tracking module. So the firewall rule should be defined like LAN(XBOX IP) > ANY > WAN. The reason to define ANY services is to avoid drops if the XBOX console decides to communicate on a random port.

    DNAT is used to host an internal server over the internet; I really think you don't want to do that. Finally, the bandwidth problem could be associated with the IPS and the AV scanning. Try an IPS exception for the XBOX. Refer to Sophos UTM: How to configure the Intrusion Prevention System (IPS).
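
The connection tracking described in the reply above, as a simplified model added here for illustration (it is not code from the thread or from Sophos). The class name, addresses and ports are constructed, and NAT and state timeouts are left out. It shows why a single LAN(XBOX IP) > ANY > WAN rule admits replies while unsolicited inbound packets are still dropped.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # constructed LAN range
XBOX = ip_address("192.168.1.50")    # constructed console address


class StatefulFirewall:
    """Toy model: one outbound allow rule plus a connection-tracking table."""

    def __init__(self, allowed_src):
        self.allowed_src = allowed_src
        self.conntrack = set()       # flows that were opened from the inside

    def handle(self, proto, src, sport, dst, dport):
        src, dst = ip_address(src), ip_address(dst)
        flow = (proto, src, sport, dst, dport)
        reply_of = (proto, dst, dport, src, sport)
        # A reply to a tracked flow needs no rule of its own.
        if reply_of in self.conntrack:
            return "ACCEPT (established)"
        # The only rule in this model: LAN(XBOX IP) > ANY > WAN.
        outbound = src in LAN and dst not in LAN
        if outbound and src == self.allowed_src:
            self.conntrack.add(flow)
            return "ACCEPT (new, rule match)"
        # Everything else, including unsolicited inbound traffic.
        return "DROP"


def run_demo():
    fw = StatefulFirewall(XBOX)
    packets = [  # constructed sample traffic
        ("udp", "192.168.1.50", 50000, "203.0.113.10", 3074),  # console out
        ("udp", "203.0.113.10", 3074, "192.168.1.50", 50000),  # its reply
        ("udp", "198.51.100.7", 3074, "192.168.1.50", 50000),  # other host
        ("udp", "203.0.113.10", 3074, "192.168.1.50", 50001),  # other port
        ("tcp", "192.168.1.60", 40000, "203.0.113.10", 443),   # other LAN PC
    ]
    return [fw.handle(*p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```
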

