How to Find / Prove ISP blocking port access

Hey Guys,

I am trying to work out why I am unable to access the web interface of some customers' Sophos Firewalls. This has only begun to occur recently. I believe it is an ISP proxy / block issue, but I can't find a way to prove this to the relevant ISPs.

I have access to a number of Sophos XG firewalls, all running 17.x firmware. From my office networks (multiple computers) I am not able to access the web interface of 3 firewalls. I am using their IP address. All 3 of these are using the same ISP. This ISP is not the one I use.

I can ping the units. I can SSH to the units (when I enable these in the Device Access) but I cannot access the HTTPS page.

Other Sophos units connected with other ISPs I can access without issue.

2 of the 3 units I can't access have a secondary WAN connection (one is 4G, the other is ADSL). I can access the web interface on those specific IP addresses.

If I change my ISP connection to my portable 4G unit (connected to another port on my Sophos XG running V18) I can connect fine.

If I run up a VPN from my office machine I can connect fine.

From one of the 3 units, if I TeamViewer to a machine on their network, I can access the web interface of the other machines on that ISP, plus the web interface of my office Sophos unit.

I am looking for tools I can set up and use which will point to where the issue lies. Is there a way I can Telnet to the web port and get a page dump which will tell me if there is a transparent proxy? It was easy to do with HTTP requests; I don't know how to do it with HTTPS ones.

Is there a utility which will do an open on every device between my link and the other firewall so I can determine which intermediate device is blocking the request?
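One way to get the HTTPS equivalent of a Telnet page dump, as an added example that is not part of the original post: the Python sketch below reports whether a connection dies at the TCP stage or the TLS stage, and compares the certificate fingerprint with one recorded over a path that works (the VPN or 4G link mentioned above). The function names `probe_https` and `interpret` are hypothetical, and the address in the usage section is a documentation placeholder.

```python
import hashlib
import socket
import ssl

def probe_https(host, port=443, timeout=5.0):
    """Return (stage, detail) showing how far an HTTPS connection gets."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp_timeout", "SYN unanswered, dropped somewhere on the path")
    except ConnectionRefusedError:
        return ("tcp_refused", "RST received, port closed or actively rejected")
    except OSError as exc:
        return ("tcp_error", str(exc))
    # Firewall admin pages usually present self-signed certificates, so skip
    # chain validation and compare fingerprints instead.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    except (ssl.SSLError, OSError) as exc:
        return ("tls_failed", repr(exc))
    finally:
        sock.close()
    return ("tls_ok", hashlib.sha256(der).hexdigest())

def interpret(stage, detail, reference_fp=None):
    """Turn a probe result into a statement that can be put to the ISP."""
    if stage == "tls_ok":
        if reference_fp is None:
            return "reachable; record fingerprint " + detail
        if detail == reference_fp.lower().replace(":", ""):
            return "reachable end to end, same certificate as the reference path"
        return "certificate differs from the reference path: something else is answering TLS"
    if stage == "tls_failed":
        return "port opens but TLS breaks: filtering above TCP or a proxy in the path"
    return "no TCP session on this path: " + detail

if __name__ == "__main__":
    # 192.0.2.1 is a documentation placeholder; substitute the firewall's WAN IP
    # and a fingerprint recorded over a path that works (VPN or 4G).
    stage, detail = probe_https("192.0.2.1", 443, timeout=3)
    print(stage, detail, "->", interpret(stage, detail))
```

Running it from both the failing office link and a working link, with timestamps, gives a like-for-like comparison to hand to the ISP.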

 



  • Hi Gavin,

    Seems a little odd that they would prefer having the XG advertise itself to the internet rather than a tunnel initiated within the XG, but every company to its own IT security policy?

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA


  • Hello

    HTTPS on this site is not enabled by default. On others it is.

    While I do see connection attempts logged in the firewall, nobody has gotten into one as yet.

    On this site I VPN in, but there are some changes where I decide I need a reboot, so I open the web port, do my work, then turn it off.

    Regards,

    Gavin Daniels. DipIT(Networking)