Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
We'd love to hear about it! Click here to go to the product suggestion community
I am trying to get a better understanding of the differences between the 2. I am using UTM 9 on SG125
I have multiple IPSEC sites (Grouped as VPN-0-All Branches) all connecting to Head Office (VPN-Z-LAN).
So I do not enable automatic firewall rules but set to manual rules as follows Key being 1&2 (Allow between Branch & HO Any + HO & Branch Any)
My application (using single port for connection) connects fine under above but I cannot access anything else such as web access to remote router or remote desktop via IP address
If I enable rule 4 (Web Surfing) I can access remote router but still cannot remote desktop to a machine at branch using IP address i.e.
However if I let UTM create an auto rule all works fine (even if I have all others disabled) e.g. In this example have allowed creation of auto firewall rule between Branch B and Z Any
In this case all works fine. So what's the difference?
Is it the case the in manually created rule "Any" is not the same thing as "Any" on the auto created rule or something else?
Any insight would be appreciated
please check your "all branches" group-object and the member objects.
- is VPN-B1-LAN member of VPN-0-All Branches? (if you don't use the exact same objects, please double check IP definition for typos)
- is there an "Interface" Configured in the Hosts / Network-Objects Advanced section?
if the above is given there shouldn't be any difference betwen automatic and your rules.
Enabling rule 4 allows Webmanagement of the router (maybe the better destination would be "internet v4 / internet v6" which refers to "any destination reacheable via an interface which has a default gateway") if you intended to allow Internet-Websurfing not ANY Websurfing ;)
I have not stared at your examples long enough to understand your configuration, but I do understand the theory, which is enough to answer your question:
You said that with Automatic Rules off, your traffic is being blocked. This means that your manual rules are not allowing all of the traffic that you want, or that the rule is in the wrong position, so a BLOCK rule is being applied before a desired ALLOW rule can be detected. Rules are processed from low number to high.
In reply to lna:
Thank you for your quick reply
Yes it is - To double check I also tried using VPN-B1-LAN with same results.
In a nutshell and I have tried the following simple setup:
VPN-B1-LAN ---Any----> VPN-Z-LAN /Allow (Manual Rule)VPN-B1-LAN <---Any---- VPN-Z-LAN /Allow (Manual Rule)Any ----Any----> Any /Drop
Allows my application to communicate but not other applications like web access to remote router / remote desktop
VPN-B1-LAN ---Any----> VPN-Z-LAN /Allow (Automatically Created Rule)VPN-B1-LAN <---Any---- VPN-Z-LAN /Allow (Automatically Created Rule)Any ----Any----> Any /Drop
This works fine for everything including my application / web access to remote router / remote desktop etc...
I cannot see any difference between the two the manual rule and the automatic rule.I change nothing else in the system but when I delete the manual rules and select to create automatic rules, it creates the above two and all works well.
>> is there an "Interface" Configured in the Hosts / Network-Objects Advanced section?
Am a little confused here - Where should I be looking for this?I have two interfaces Internal / External
VPN-B1-LAN is bound to ExternalVPN-Z-Lan is bound to Internal
>>Enabling rule 4 allows Webmanagement of the router (maybe the better destination would be "internet v4 / internet v6" which refers to "any destination reacheable via an interface ??>>which has a default gateway") if you intended to allow Internet-Websurfing not ANY Websurfing ;)
I do not need any "internet" access on this network - it simply exists for point to point communication between Head Office and Branches with IPSEC VPN.
The required traffic between the VPN is only a few ports for our applications + remote desktop and access to the remote site routers for management purposes.
The automatic rules work fine but allow all traffic between a Branch and Head Office - I was looking to set to manual and once I had better understood the finer points, restrict traffic to only those ports needed.
In reply to snooty:
Do you get any insight from doing #1 in Rulz? Look at #2 to get a better understanding of priorities in traffic handling.
Cheers - Bob
In reply to BAlfson:
Thank you as always for your insight - The Rulz link was very helpful.
I can spot the issue but not sure why it is happening :)
So my rules are basically as follows (All manual)
#1 Branch ---Any---->HeadOffice /Allow
#2 HeadOffice --- Any--->Branch / Allow
#3 Any ---Any--> /Drop
So my first rule of Branch ---Any---->HeadOffice /Allow (Manual) works fine from Branch Side can access all as required
My #2 rule is the one causing an issue From HeadOffice side a machine cannot access a service at branch e.g access router / ping a remote machine / router
If I change the rule #2 to #2 HeadOffice --- Any--->Any / Allow
All starts to work fine.
In terms of network definitions HeadOffice would be 192.168.150.0/24 Branch would be 192.168.187.0/24
Rule #1 works fine - Branch can access all services at Head Office
Rule #2 does not work as HeadOffice --- Any--->Branch / Allow but does work as as HeadOfficeOffice --- Any--->Any / Allow
But the thing that freaks me out is when it creates the same thing via auto rules it works fine
i.e. auto rules create exactly the same as my #1 #2 and work fine.
So I am wondering if auto configured rules also do something else?
Could it be that your branch network definition is bound to an interface (see Rule 3 from Rulz)?
You will want to delete your 'Any -> Any -> Any : Drop' rule. Even if you log those drops, there's less information in the log that there is with a default drop.
Thank you so much for your guidance and reference to the rulz - I understand a lot better now (Bob: the log file started to make more sense when I disabled the Any-Any-Any:Drop rule)!
Now I better understand what is happening and as apijnappels pointed out the issue is Rule 3 from Rulz
Now to the hard part of understanding the logic!
I had previously marked the branch networks as bound to External Interface and Head Office network as bound to Internal Interface so my Firewall was actually like this when I manually created the firewall rules:
#1 Branch (Bound2ExternalInterface) ---> Any --> HeadOffice (Bound2InternalInterface) / Allow
# 2 HeadOffice (Bound2InternalInterface) -->Any -->Branch (Bound2ExternalInterface) / Allow
#3 Any-->Any-->Any /Deny
In the above scenario - Branch can access HeadOffice services in full ; However HeadOffice cannot access Branch services
So if I try to access branch router from Head Office I get "Default DROP TCP 192.168.150.39:51022 → 192.168.190.254 :80" [.150 being Head Office .190 being Branch]
As soon as change Branch as (Interface Any) -- HeadOffice can fully access Branch services so changing to the following works:
#1 Branch (Interface Any) ---> Any --> HeadOffice (Bound2InternalInterface) / Allow
#2 HeadOffice (Bound2InternalInterface) -->Any -->Branch (Interface Any) / Allow
What confused me (and led me round the garden path) is that when I do use the same thing via automatic firewall rules I did not encounter any issues
So when automatic rules showed #1 Branch ---> Any --> HeadOffice / Allow + # 2 HeadOffice -->Any -->Branch / Allow
Branch was still Bound2ExternalInterface & HeadOffice was still Bound2InternalInterface
I can only assume that for automatic firewall rules it ignores any such binding regardless of what has been set - Am I correct in this line of thought?
So as a final understanding my manual rules should be:
#1 Branch (Interface Any) ---> Any --> HeadOffice (Interface Any) / Allow
#2 HeadOffice (Interface Any) -->Any -->Branch (Interface Any) / Allow
Is this correct i.e As per rule #3 network definitions should never be bound to an interface?
Taking note of your comment Bob with regard to #3
Should this rule remain? (assuming I want no traffic other than between HeadOffice and Branch)
I had alway thought it good practice to set last rule as deny all else (even though I assume this is implicit).
Thank you for all very much your help.
Not sure why the auto fw rules did work, but do know that binding to an interface can give a lot of headache and unforeseen trouble (as you have noticed too).
In UTM all traffic that isn't allowed is automatically blocked, adding a block rule at the end is only usefull if you don't want to log this traffic (you can then disable logging on this rule). However I find this traffic quite informational from time to time, but I did for example put a block rule at the top of my rules where I block telnet and ssh access from the internet and don't log it, otherwise I see too much of these block rules in the log.
Your final understanding about all definitions being interface any is correct.
One thing that I have found which is a plus for "automatic fw rules" is that those rules are only active when the underlying (either DNAT or VPN) is also active. If you deactivate those, the auto fw rules are also automatically deactivated. However in site-to-site VPN an auto fw rule will allow any traffic from A to B and vice versa where in manual rules you can be much more granular and only allow services that need to be allowed.
Interesting, I don't know why the behavior was different with automatic rules.
The underlying firewall engine is iptables. Iptables considers traffic to be in INPUT, FORWARD and OUTPUT chains. Using a Network/Host definition bound to an interface causes WebAdmin to create an iptables firewall rule for the INPUT or OUTPUT chain, instead of the FORWARD chain which is what you wanted.
A firewall will block everything not explicitly allowed, so #3 does nothing for you other than limit the information in the Firewall log file. Look again at #2 in Rulz and you will be reminded that WebAdmin creates many (invisible except at the command line) Allow rules when things like Web Filtering are configured.
In reply to apijnappels:
I can only assume auto fw rules ignore the interface bindings - From my tests this seems to be the case.
I simply did not understand the implications of binding to an interface - Not sure why but it just seemed like common sense to me!
I had always used auto fw rules but as as my traffic is all site to site vpn with very limited services required - it would make sense to move to manual rules and restrict to only those service.
However I will keep you comment in mind regarding auto rules for non site to site vpn should I require them.
Thank you for your help. Life makes sense again!
I have done some initial reading and now understand the implications if Input/Output vs Forward a lot better.
From what I can see there is certainly a difference with automatic rules and they ignore interface bindings to create proper forward rules.
I take your point on #3 (although I suspect it will be a hard habit to break!) - I will look at the Rulz guide in more detail.
Thank you as always for your guidance, much appreciated.