BUG? Sophos Switch DoS Prevention blocks time synchronization of devices.

Hello Alan,

Thank you for contacting the Sophos Community.

Does the issue persist? Is the NTP a local NTP (Local devices reaching our to Windows Server on a different zone) or a Public NTP?

Regards,

No, the NTP are all public time servers. (ex.: time.windows.com, all public NIST time servers). The Sophos Firewall can contact time servers to update itself, but not any devices behind the switch.

I have verified it was the issue after several tests. Disabling the DoS Prevention on sophos switch. then allows time synchronization.

You can see from the screenshots, then time synchronization works with DoS disabled, then fails after turning DoS on.

Screenshot 1: DoS Disabled

Screenshot 2: DoS Enabled

No replies yet. Is this being looked into as the switch is blocking NTP? I assume it's blocking NTP as that is the network time protocol.

This is a very severe usability problem if devices cannot update their time on the network when DoS prevention is enabled.

I paid almost $500 for this switch, it is the stupidest purchase I ever made. I bought it when I had more devices and wanted to utilize inter-VLAN routing of my devices through the Sophos firewall, and the user GUI is much simpler than a Cisco switch.

But blocking NTP is simply not acceptable.

No replies yet. Is this being looked into as the switch is blocking NTP? I assume it's blocking NTP as that is the network time protocol.

This is a very severe usability problem if devices cannot update their time on the network when DoS prevention is enabled.

I paid almost $500 for this switch, it is the stupidest purchase I ever made. I bought it when I had more devices and wanted to utilize inter-VLAN routing of my devices through the Sophos firewall, and the user GUI is much simpler than a Cisco switch.

But blocking NTP is simply not acceptable.

We could reproduce this issue and looking into it. Stay tuned.

The situation is, NTP triggers a Blat attack. https://www.reddit.com/r/networking/comments/yq4zhn/dropping_packets_when_source_port_destination_port/ 

Blat attack basically means, Source and Destination Port is the same, which can be the case in NTP (123). 

You find other vendors, blocking this as well.

We will look into this situation, removing Blat attack means to reduce the DOS capabilities as well. 

Sophos Switch cannot be used as an NTP server even though it can itself be configured to connect to an external NTP server to synchronize the time. 

so to address the elephant in the room, how do businesses that have these sophos switches keep their clients' time synchronized when  DoS is enabled??

Will a local device acting as an NTP server still be blocked by the switch?

Like all other switches, which have the same settings: Likely they disable this feature. I found two other (big) Switch vendors with the same situation. I guess a lot of customers will not activate this. 

We have had problems when the DOS was enabled.  Just because it's there doesn't mean its good, and in this case it's a landmine for your network.  I would advise NEVER EVER enable DOS.  I would eliminate this option from Sophos switches. 

Sophos FW is equipped to handle DOS because logging is available.  Switch is mostly a L2 device and logging via Wireshark is very time consuming.