This is my first publication on this community. First of all, sorry for my English.
We have a Sophos XG 210 with SFOS 17.1.4 MR-4 Firmware.
I've published some web sites through a WAF firewall rule and it looks like everything is ok. I'm able to access the web site from the WAN side and from the LAN side, but on computers with the Sophos XG web proxy we are unable to access web sites created on the WAF.
The desktops that have the Web Proxy are on branch offices, and all are able to access any site on the Internet.
LAN DESKTOPS - 192.168.0.x GATEWAY:192.168.0.1
WEB PROXY: 192.168.0.1:3128
The web site are on the DMZ: 172.26.1.X
The sites are published through #PortE1:0...#PortE1:4
Does anybody know why and how to solve it?
I'm a little bit frustrated, because I don't find the solution on the community.
If you do an nslookup or DNS check from the remote sites, what address do you see for the WAF devices?
In reply to rfcat_vk:
Resolve the public IP (#PortE1:X)
In reply to JordiPa:
If you do a tracert to the site where does it go?
On the branch office tracert points to nowhere, like any other Internet web site, but on the branch office I have a WEB PROXY for HTTP traffic.
We can browse any website, except those published by the WAF in the Sophos XG.
I get a sophos page with the message: "Website not available. Reason for this message: We found the website's address but were unable to connect to the web server"
SOPHOS XG LAN: 192.168.0.X Gateway:192.168.0.1
SOPHOS XG DMZ: 172.26.1.X Gateway:172.26.1.1
BRANCH OFFICE LAN: 192.168.22.X Gateway:192.168.22.1
SOPHOS XG WEB PROXY: 192.168.0.1:3128
WEBSERVER1 on DMZ: 172.26.1.15
WEBSERVER1 is on #PortE1:4 - 184.108.40.206 (not the real ip)
WEBSERVER1 FQDN: webserver1.domain.com (not the real fqdn)
Sophos XG is resolving DNS on 220.127.116.11
LAN and BRANCH LAN is resolving DNS on internal DNS Server. The internal DNS Server points to the public ip of the web server fqdn.
Hey, you DO have a Business Application Rule added correct?
If you have assigned the interface Port E.4 or E.3, your main traffic is going through the default WAN interface address, i.e. Port E. So the traffic might be flowing between your WAN interfaces. Could you please configure a WAN to WAN rule with no NAT applied and check if that would resolve this issue?
In reply to DoubleQ:
Yes, I do.
In reply to Aditya Patel:
Thanks for the answer.
It didn't do the trick. I understand what you're explaining but unfortunately the WAN to WAN rule didn't solve it. I tried to capture the packets when I attempt to browse to my DMZ sites but it's like it doesn't exist, I get no traffic or maybe I don't know what to look for.
In the WAN to WAN firewall rule, could you please apply NAT MASQ and check if that would work. Also, could you add an exception on one of your machines to bypass proxy for that public address and check if that made a difference.
I would advise to open a service request with secure2.sophos.com/.../support.aspx Sophos Support to open an investigation to check your scenario.
Thanks for the response.
I've tried the WAN to WAN rule with and without MASQ and nothing.
The machines with the web proxy enabled are on branch offices and the gateway doesn't point to the Sophos firewall, so if I bypass the proxy I get a 404, which is the correct behaviour.
I've opened a support case.
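The triage steps suggested in this thread (check what the FQDN resolves to, then compare a direct fetch with a fetch through the XG web proxy at 192.168.0.1:3128) can be scripted. The following is an added example, not code from the thread or from Sophos; the DMZ subnet, proxy address and the "Website not available" marker are taken from the posts above, and the sample values in the comments are constructed.

```python
"""Triage a WAF-published site that fails only through the XG web proxy."""
import ipaddress
import socket
import urllib.error
import urllib.request

# Values taken from the thread (constructed/placeholder addresses, not real ones)
DMZ_NETS = [ipaddress.ip_network("172.26.1.0/24")]
PROXY = "http://192.168.0.1:3128"
BLOCK_MARKER = "Website not available"   # text of the XG proxy error page in the thread


def classify(resolved_ip, dmz_nets=DMZ_NETS):
    """Say which path a client takes for the address the FQDN resolves to."""
    ip = ipaddress.ip_address(resolved_ip)
    if any(ip in net for net in dmz_nets):
        return "dmz-direct"        # client reaches the web server without the WAF VIP
    if ip.is_private:
        return "internal-other"    # resolves to some other RFC1918 address
    return "public-vip"            # traffic must hairpin to the XG WAN address / WAF


def resolve(fqdn):
    """All A/AAAA answers for fqdn from the resolver this host uses."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, 80, proto=socket.IPPROTO_TCP)})


def probe(url, proxy=None, timeout=5):
    """Fetch url directly or via proxy; returns (status or None, body/error snippet)."""
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy} if proxy else {})
    opener = urllib.request.build_opener(handler)
    try:
        with opener.open(url, timeout=timeout) as r:
            return r.status, r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as e:
        return None, str(e)


def reached(result):
    """A proxy block page comes back as a normal HTTP response, so check the body too."""
    status, body = result
    return status is not None and BLOCK_MARKER not in body


def diagnose(direct, via_proxy):
    """Compare the 'bypass proxy' test with the proxied one, as suggested in the thread."""
    d_ok, p_ok = reached(direct), reached(via_proxy)
    if d_ok and not p_ok:
        return "proxy-path-fails"      # the symptom reported in this thread
    if not d_ok and not p_ok:
        return "site-unreachable"
    if not d_ok:
        return "direct-path-fails"
    return "both-ok"
```

Run `classify(ip) for ip in resolve("webserver1.domain.com")` from a branch client and from the XG's LAN side; a "public-vip" answer on the inside means the proxy is connecting to the WAN address of the firewall it runs on, which is what the WAN-to-WAN rule suggestion in the thread is aimed at.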