We'd love to hear about it! Click here to go to the product suggestion community
How is possible active traceroute in Sophos XG, in the last models exist one part on activate or desactivate this options but in the XG i don't see any check for this purposal.
My hosts are reachable from ping but when i launch traceroute always the last hop is sophos and i not view any hop after firewall.
Traceroute uses ICMP calls to find the hosts.
So basically your Client tries to reach every hop via ICMP. If the last station is XG, it seems like XG is blocking your ICMP requests. Do you have a firewall rule to allow this client to use ICMP ?
In reply to LuCar Toni:
I remember on v15 or v16 to have the same issue. Depending on the OS you are performing the tests from.
In my case, Mac OS, traceroute does not work even if I create an ICMP firewall rule at the top.
Here the tcpdump result:
19:20:37.858433 Port1, IN: IP 192.168.0.8.33641 > 188.8.131.52.33435: UDP, length 2419:20:37.858588 Port1, OUT: IP 192.168.0.1 > 192.168.0.8: ICMP time exceeded in-transit, length 60
19:20:37.865663 Port1, IN: IP 192.168.0.8.33641 > 184.108.40.206.33436: UDP, length 2419:20:37.865805 Port1, OUT: IP 192.168.0.1 > 192.168.0.8: ICMP time exceeded in-transit, length 6019:20:37.867118 Port1, IN: IP 192.168.0.8.33641 > 220.127.116.11.33437: UDP, length 2419:20:37.867249 Port1, OUT: IP 192.168.0.1 > 192.168.0.8: ICMP time exceeded in-transit, length 6019:20:37.868407 Port1, IN: IP 192.168.0.8.33641 > 18.104.22.168.33438: UDP, length 24
In reply to lferrara:
Tried it with Windows, works fine.
Could you please create a drppkt of those drops?
And which filter for tcpdump did you use?
Same here. I hit the XG and from then on *.
I run the same test on W10 out the same firewall rule and success.
Sent pcap via PM.
Let us know LuCar Toni
Hi, thanks for reply.
I create one rule permit Info_Address, Info_Request, Ping and IMCP, but ping works correctly and traceroute no. I try from Linux and MacOs computer but the result is the same.
I have a sensation that is a problem from a bgp process when the networks are published from Sophos, but not are connected directly.
I have to run new tests.
In reply to jfmartinez:
then answer appears to be traceroute -I sophos.com on MACs.
I would need the drop packet capture, not a Wireshark Dump.
the tcpdump comes from xg console.
In reply to rfcat_vk:
can you try from Linux box?
so no linux boxes these days other the Sophos firewall devices,
I mean drop packet capture, not tcpdump.
on CLI (advanced shell) simply use 'drppkt' on Console use drop-packet-capture.
I prefer advanced shell - You can set all filter via Grep (Piping | )
Try adding the following from internal to external
In reply to BLS:
Just tried and traceroute does not work.
The only way to allow traceroute is the -I option.
Have you tried creating the firewall rule to allow the UDP ports to egress?
TraceRoute works for me once this has been done.