Cannot add Local ACL for RED Device Access / RED Port Using Self Signed Certificate

Trying to clean up my PCI compliance scans and get this:

There was a discussion originally by  about it ( https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/91708/pci-scan-failing-due-to-red-port-3400 ) but the answer seems to be "sorry, that's how it is."

Does anyone have a better solution to hiding these extra port 3400s? We have used the Local ACL to shield the User Portal and SSL VPN from all our external IP addresses except for the single one those services should be going to, but it appears the RED service isn't considered a "Local Service" (which I think it should be. Shouldn't this be???).

Since it's not a local service I can't easily create a local ACL to block the extra IPs and would have to do it through the actual firewall. But since the RED devices are deployed to users' homes, which can have changing IP addresses, there is no reliable way to block this traffic.

The only other answer would be to allow us to use properly signed certificates but that also doesn't seem to be a possibility.

Any ideas?

(I did put in a suggestion for this at https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/36500494-red-service-port-3400-should-be-considered-a-loc because I can't think of a better way to do it)

  • There is already a KBA for this setup:

    https://community.sophos.com/kb/en-us/127451

    Btw. How would an ACL actively change this setup instead of using Firewall policies?

  • In reply to LuCar Toni:

    LuCar Toni

    There is already a KBA for this setup:

    https://community.sophos.com/kb/en-us/127451

    In that KBA: "The public IP addresses of the RED you have (at the site they are deployed in)." They are on home networks with changing IP addresses, so therefore this rule cannot be created.

    LuCar Toni

    Btw. How would an ACL actively change this setup instead of using Firewall policies?

    The Local ACL list allows you to select a service and block it from responding on a port within a zone. For example, I don't want my User Portal (Port 4443) responding on any external IP address except for a single one. So I add all the other ports in to its rule except the one to this. It's easy and effective:

  • In reply to AllanD:

    But you could simply achieve this ACL with a blackhole DNAT rule, isn't it?

    You have two WAN ports. A and B.

    You want only B to offer RED.

    So you set up a blackhole DNAT rule: all RED traffic going to port A is redirected to a non-existing internal IP.

    It would have the same effect as an ACL. Correct me if I am wrong, but this should be the same and would not be the solution to your DDNS issue.

  • In reply to LuCar Toni:

    LuCar Toni

    It would have the same effect as an ACL. Correct me if I am wrong, but this should be the same and would not be the solution to your DDNS issue.

    I'm going to try a reject rule at the top of my list for anything going to the IPs in question (there are 6 external IPs and it only should be connecting to 1) for the 3400 port and see what happens. I would still think it should be a local service like all the others. Makes more sense since it is a service running on the XG.

    EDIT: A simple drop rule at the top of the list didn't work.

    Port scan on .98 (what we want open) for 3400 and 4443:

    PORT     STATE SERVICE
    3400/tcp open  unknown
    4443/tcp open  pharos
    Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds

    Port scan on .99 (what we want closed) for 3400 and 4443:

    Not shown: 1 filtered port
    PORT     STATE SERVICE
    3400/tcp open  unknown
    Nmap done: 1 IP address (1 host up) scanned in 3.07 seconds

    4443 is correctly blocked by the Local ACL while 3400 is still open even with a drop rule. Does the XG offer up local services before the firewall rules are evaluated, or did I miss something?
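    As an added check that is not part of this thread, the following Python parses nmap text output like the scans posted above and flags any external IP other than the intended one that still exposes 3400 (RED) or 4443 (User Portal). The IP addresses and the scan text are constructed to mirror the .98/.99 results and are not from the original post.

```python
"""Check nmap text output for unwanted RED (3400) / User Portal (4443) exposure."""
import re

# Ports the thread is concerned with (constructed policy, not an XG setting).
RED_PORT = 3400
USER_PORTAL_PORT = 4443

# Constructed sample scans modelled on the ones posted in the thread:
# .98 is the address that should expose both services, .99 should expose neither.
SAMPLE_SCANS = {
    "203.0.113.98": """PORT     STATE SERVICE
3400/tcp open  unknown
4443/tcp open  pharos
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds""",
    "203.0.113.99": """Not shown: 1 filtered port
PORT     STATE SERVICE
3400/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 3.07 seconds""",
}

# Matches nmap "normal output" port lines such as "3400/tcp open  unknown".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def open_ports(nmap_text):
    """Return the set of port numbers nmap reported as 'open'."""
    found = set()
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            found.add(int(m.group(1)))
    return found


def exposure_violations(scans, allowed_ip, watched_ports=(RED_PORT, USER_PORTAL_PORT)):
    """Compare each scan against the policy: only allowed_ip may expose watched_ports.
    Returns a sorted list of (ip, port) pairs that are open where they should not be."""
    violations = []
    for ip, text in scans.items():
        if ip == allowed_ip:
            continue
        for port in sorted(open_ports(text) & set(watched_ports)):
            violations.append((ip, port))
    return sorted(violations)


if __name__ == "__main__":
    for ip, port in exposure_violations(SAMPLE_SCANS, "203.0.113.98"):
        print(f"{ip}: port {port} is open but should be blocked")
```

    Feed it the output of one nmap run per external address and an empty result means the RED port is only reachable where intended.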

  • In reply to AllanD:

    Firewall Block won't work for this (as far as I know).

    Maybe use ANY instead of WAN in Destination. 

    Otherwise you need a DNAT rule instead.

  • In reply to LuCar Toni:

    Any doesn't work either because I need to specify which of the external IPs to allow/block.

    How would a DNAT rule work for this? Can you explain or post an example? Again, I don't know where the RED devices are coming from, but port 3400 is open on 6 external IPs and I only want it open on 1.

  • In reply to AllanD:

    This should be enough.

    Port2 is, for example, my unwanted interface. And "None existing IP" would be some IP which I won't use in my network.

    Unfortunately you have to create one rule per Interface. 

    But you can hide them in one Network Group. 

  • In reply to LuCar Toni:

    So I set it up the same way:

    "Blackhole Server" is an IP on my network that isn't there. Unfortunately it still finds 3400 open:

    Not shown: 1 filtered port
    PORT     STATE SERVICE
    3400/tcp open  unknown
    Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds

    Did I miss something?