First, I don't believe this is a VPN problem, but I'm making sure I cover all bases.
Recently our VPN users have started to see a problem when they VPN in to our network. They are accessing files on a Linux server via an editor on their laptop that is VPN'd in. Some use Notepad++ and others use NoteTab Light to access the files. When they make changes and save the file, the file on the Linux server either gets blanked out or corrupted so that you can't open it any more.
So for testing I first tried modifying a test file on my desktop on the inside network (no VPN). It works like it should: saving does not corrupt the file and everything is good. I then VPN'd in from outside on a laptop using the same editor and file, and the file gets corrupted. I tried MS Notepad, Notepad++ and NoteTab Light - all cause the file on the Linux side to go bad.
My guess is the Windows and/or Linux side is causing the problem. Has anyone else seen something like this? I don't see how the VPN would be causing it, but I'm no expert.
I can't pinpoint the time frame, but it looks like this started to be a problem within the last two months.
Hi JohnAdamski, thank you for providing in-depth details of the issue. Are you facing this issue with all the VPN users? Which VPN are you using to connect and edit the file on the Linux server?
In reply to Keyur:
Most of the users that VPN do not need to edit files on the Linux server (our ERP). But a few of the ones that do have contacted me on this. So a small portion of all VPN users are affected, but it does seem all of the ones that edit files are having this problem.
We are using the Sophos VPN from the Sophos firewall. I'm not the main firewall admin, but am the main admin for the ERP and all Linux servers. That's why I got this question to resolve. :-)
I've taken a laptop and connected it to the inside network with a local copy of the editor and tried modifying the file, and it works. Then I connect the laptop via VPN and bad things happen to the file.
Again, I don't think it is the VPN, but on the surface that is the only difference.
In reply to JohnAdamski:
Hi JohnAdamski, I understand your concern, but if you could collect the details from the firewall admin regarding the VPN connection type and the firewall rules created to allow VPN traffic, we can get a further idea to narrow down the issue. We do not have a history of such an issue being reported by customers in the field. The information will help us to assist you better.
The network admin is busy right now, so you're stuck with me.
We are using SSL VPN on XG firewall ver. XG450 (SFOS 17.5.9 MR-9) in active-passive (we have 2 devices).
One firewall rule allows VPN traffic in and allows any services; everything else on the setup looks default.
We will need to review the firewall rules to see if there is any protection put in place on that rule. It is possible that the AV scanner or IPS/ATP could be causing trouble with the file. However without knowing the rule configuration, it will be a best-guess answer.
You can try using another VPN, either the Sophos Connect Client or the L2TP setup.
In reply to KingChris:
The rule looks like this - I changed things like the networks to show 10.xxx rather than our true values for security reasons. Other than things like that, this is the rule configuration. To me it looks mostly like a default setup for a rule.
Rule name: vpn-xxx
Description:
Rule group: None
Source zones: VPN TYPE=VPN DeviceAccess=Ping/Ping6, HTTPS, Wireless Protection, User Portal, SNMP
Source networks and devices: Any
During scheduled time: All the time
Destination zones:
Lan Members=Port1, Port10, Port9, Port_Chan1, Port_Chan1.15 Type=LAN DeviceAccess=Ping/Ping6, HTTPS, SSH, DNS, Captive Portal, Radius SSO, Wireless Protection, SSL VPN, Web Proxy, User Portal, Client Authentication, SMTP Relay, SNMP, Chromebook SSO
Academic Members=Port2.79 Type=DMZ DeviceAccess=Ping/Ping6, DNS, SSL VPN, Web Proxy, User Portal, SMTP Relay, SNMP
Destination networks: 10.xxx/16, 10.yyy/16, 10.zzz/16
Services: Any
Match known users - unchecked
Scan HTTP - unchecked
Decrypt & scan HTTPS - unchecked
Scan FTP for malware - unchecked
Intrusion prevention: generalpolicy
Traffic shaping policy: None
Web Policy: None
Apply web-category-based traffic shaping policy - unchecked
Application control: None
Apply application-based traffic shaping policy - unchecked
Minimum source HB permitted: No restriction
Minimum destination HB permitted: No restriction
Rewrite source address - unchecked
Primary gateway: None
DSCP marking: Select DSCP marking
Thanks for that information.
You do have IPS configured on the rule. You could try without IPS to see if that helps at all.
You can review this KB article that may help you rule out the firewall: https://community.sophos.com/kb/en-us/127189
Our network admin says we need IPS, but is willing to temporarily turn it off for testing. We will do that in the next day or so. He was not hopeful that would be the cause.
Late Friday the network admin turned off IPS and I tested. I was able to modify the file and save it without corrupting the file. He turned IPS back on and said he would work with me later to figure out what is causing the problem when IPS is on.
It will be a week or so, as he is on vacation now.
Glad you were able to narrow it down.
You may have to create a custom IPS policy using signatures that are pertinent to your environment. So if you are not running any Linux servers, do not choose Linux IPS patterns to use.
Please do keep us updated.
The network admin had a few minutes to do some more testing this morning and he thinks the text editors are trying to do something over port 445 when saving the file. He ran out of time and did not get further. He said that port 445 sounds like it should be blocked.
So that's the latest.
Port 445 is the CIFS port, aka SMB/file sharing.
It is possible that IPS is blocking it due to running of older SMB version on your network. If you remove all IPS policies that state "SMB", then it should work.
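Added example, not part of the original thread: one way to confirm from captured TCP/445 payloads whether a client is still speaking SMB1, which is what SMB-related IPS signatures would be reacting to. The function names and the sample builder are hypothetical, and the sample bytes are constructed rather than taken from a capture.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72   # SMB1 command code for Negotiate
SMB_FLAGS_REPLY = 0x80     # set in the SMB1 Flags byte on server responses

def classify_smb(payload: bytes) -> dict:
    """Classify one TCP/445 payload: 4-byte session header + SMB message."""
    if len(payload) < 8 or payload[0] != 0:      # type 0 = session message
        return {"family": "unknown", "dialects": []}
    msg = payload[4:]
    if msg[:4] == SMB2_MAGIC:
        return {"family": "SMB2/3", "dialects": []}
    if msg[:4] != SMB1_MAGIC:
        return {"family": "unknown", "dialects": []}
    result = {"family": "SMB1", "dialects": []}
    # SMB1 header is 32 bytes: command at offset 4, flags at offset 9.
    if len(msg) < 35 or msg[4] != SMB_COM_NEGOTIATE or msg[9] & SMB_FLAGS_REPLY:
        return result
    off = 33 + 2 * msg[32]                       # skip WordCount + parameter words
    if len(msg) < off + 2:
        return result
    (byte_count,) = struct.unpack_from("<H", msg, off)
    data = msg[off + 2: off + 2 + byte_count]
    # Each dialect entry: buffer-format byte 0x02 + NUL-terminated ASCII name.
    for part in data.split(b"\x00"):
        if part[:1] == b"\x02":
            result["dialects"].append(part[1:].decode("ascii", "replace"))
    return result

def smb1_only(result: dict) -> bool:
    """True when the message is SMB1 and offers no SMB2 dialect to upgrade to."""
    return result["family"] == "SMB1" and not any(
        d.startswith("SMB 2") for d in result["dialects"])

def build_smb1_negotiate(dialects) -> bytes:
    """Construct a sample SMB1 Negotiate request (test data, not a capture)."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    msg = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27   # 32-byte header
    msg += b"\x00" + struct.pack("<H", len(data)) + data           # WordCount=0
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

if __name__ == "__main__":
    for names in (["NT LM 0.12"], ["NT LM 0.12", "SMB 2.002", "SMB 2.???"]):
        r = classify_smb(build_smb1_negotiate(names))
        print(r, "SMB1-only:", smb1_only(r))
```

A client that offers only `NT LM 0.12` is limited to SMB1; one that also lists `SMB 2.002` or `SMB 2.???` can be upgraded by a server that supports SMB2.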
Yes, our ERP server still needs SMB1; we have been waiting for the provider to figure out how to run on SUSE 15. They missed two proposed release dates for the update.
I will pass this on to my network guy.
The network admin made IPS rules for VPN to allow SMB1; we tested again and it is still failing.
It is probably time to open a trouble ticket with Sophos.
Thanks for the response. Then it must be something else inside the IPS rules you have.
Please DM the case number you get so that we can track it.