Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 40 subscribers
  • Views 3173 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cannot add Local ACL for RED Device Access / RED Port Using Self Signed Certificate

AllanD

Trying to clean up my PCI compliance scans and get this:

 

 

There was a discussion originally by  about it ( https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/91708/pci-scan-failing-due-to-red-port-3400 ) but the answer seems to be sorry, that's how it is.  

 

Does anyone have a better solution to hiding these extra port 3400's?  We have used the Local ACL to shield the User Portal and SSL VPN from all our external IP addresses except for the single one those services should be going to but it appears the RED service isn't considered a "Local Service" (which I think it should be.   - Shouldn't this be???).

 

Since its not a local service I can't easily create a  local ACL to block the extra IPs and would have to do it through the actual firewall.  But since the RED devices are deployed to users homes which can have changing IP addresses there is no reliable way to block this traffic.

 

The only other answer would be to allow us to use properly signed certificates but that also doesn't seem to be a possibility.

 

Any ideas?

 

(I did put in a suggestion for this at https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/36500494-red-service-port-3400-should-be-considered-a-loc because I can't think of a better way to do it)



This thread was automatically locked due to age.
  • 0

    There is already a KBA for this setup:

    https://community.sophos.com/kb/en-us/127451

     

     

    Btw. How would a ACL actively change this setup instead of using Firewall policies? 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    There is already a KBA for this setup:

    https://community.sophos.com/kb/en-us/127451

    In that KBA: "The public IP addresses of the RED you have (at the site they are deployed in).".  They are on home networks with changing IP addresses so therefor this rule cannot be created.

     

    Btw. How would a ACL actively change this setup instead of using Firewall policies? 

     
     
    The Local ACL list allows you to select a service and block it from responding on a port within a zone.  For example I don't want my User Portal (Port 4443) responding on any external IP address except for a single one.  So I add all the other ports in to its rule except the one to this.  Its easy and effective:
     
     
     
     
     
  • 0 in reply to AllanD

    But you could simply archive this ACL with a blackhole dnat rule isnt it? 

    You have two WAN ports. A and B.

    You want only B to offer RED.

    So you setup a blackhole dnat rule, every RED Traffic going to Port A is redirected to a non existing internal IP. 

     

    It would have the same effect like a ACL. Correct me, if i am wrong, but this should be the same and would not be the solution to your DDNS issue. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    It would have the same effect like a ACL. Correct me, if i am wrong, but this should be the same and would not be the solution to your DDNS issue. 

    I'm going to try a reject rule at the top of my list for anything going to the IP's in question (there are 6 external IPs and it only should be connecting to 1) for the 3400 port and see what happens. I would still think it should be a local service like all the others.  Make more sense since it is a service running on the XG.

    EDIT:  A simple drop rule at the top of the list didn't work.

    Port scan on .98 (what we want open) for 3400 and 4443:

    PORT     STATE SERVICE
    3400/tcp open  unknown
    4443/tcp open  pharos
    Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds

    Port scan on .99 (what we want closed) for 3400 and 4443:

    Not shown: 1 filtered port
    PORT     STATE SERVICE
    3400/tcp open  unknown
    Nmap done: 1 IP address (1 host up) scanned in 3.07 seconds

    4443 is correctly blocked by the Local ACL while 3400 is still open even with a drop rule.  Does the XG offers up local services before the firewall rules are evaluated or did I miss something?

  • 0 in reply to AllanD

    Firewall Block wont work for this. (as far as i know).

    Maybe use ANY instead of WAN in Destination. 

    Otherwise you need a DNAT rule instead.

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Any doesn't work either because I need to specify which of the external IP's to allow/block.

    How would a DNAT rule work for this?  Can you explain or post a example?  Again I don't know where the RED devices are coming from but port 3400 is open on 6 external IP's and I only want it open on 1.

  • 0 in reply to AllanD

    This should be enough.

    Port2 is for example my unwanted interface. And None existing IP would be some IP, which i won´t use in my network. 

    Unfortunately you have to create one rule per Interface. 

    But you can hide them in one Network Group. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    So I set it up the same way:

     

     

    "Blackhole Server" is a IP on my network that isn't there.  Unfortunately it still finds 3400 open:

    Not shown: 1 filtered port
    PORT     STATE SERVICE
    3400/tcp open  unknown
    Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds

    Did I miss something?

Unfiltered HTML