BUG? Sophos Switch DoS Prevention blocks time synchronization of devices.

Hello Alan,

Thank you for contacting the Sophos Community.

Does the issue persist? Is the NTP a local NTP (Local devices reaching our to Windows Server on a different zone) or a Public NTP?

Regards,

No, the NTP are all public time servers. (ex.: time.windows.com, all public NIST time servers). The Sophos Firewall can contact time servers to update itself, but not any devices behind the switch.

I have verified it was the issue after several tests. Disabling the DoS Prevention on sophos switch. then allows time synchronization.

You can see from the screenshots, then time synchronization works with DoS disabled, then fails after turning DoS on.

Screenshot 1: DoS Disabled

Screenshot 2: DoS Enabled

No, the NTP are all public time servers. (ex.: time.windows.com, all public NIST time servers). The Sophos Firewall can contact time servers to update itself, but not any devices behind the switch.

I have verified it was the issue after several tests. Disabling the DoS Prevention on sophos switch. then allows time synchronization.

You can see from the screenshots, then time synchronization works with DoS disabled, then fails after turning DoS on.

Screenshot 1: DoS Disabled

Screenshot 2: DoS Enabled

No replies yet. Is this being looked into as the switch is blocking NTP? I assume it's blocking NTP as that is the network time protocol.

This is a very severe usability problem if devices cannot update their time on the network when DoS prevention is enabled.

I paid almost $500 for this switch, it is the stupidest purchase I ever made. I bought it when I had more devices and wanted to utilize inter-VLAN routing of my devices through the Sophos firewall, and the user GUI is much simpler than a Cisco switch.

But blocking NTP is simply not acceptable.

We could reproduce this issue and looking into it. Stay tuned.

The situation is, NTP triggers a Blat attack. https://www.reddit.com/r/networking/comments/yq4zhn/dropping_packets_when_source_port_destination_port/ 

Blat attack basically means, Source and Destination Port is the same, which can be the case in NTP (123). 

You find other vendors, blocking this as well.

We will look into this situation, removing Blat attack means to reduce the DOS capabilities as well. 

Sophos Switch cannot be used as an NTP server even though it can itself be configured to connect to an external NTP server to synchronize the time.