

Block all connections except from *.google.com

Hello,

I created a DNAT rule and I am trying to block all incoming traffic unless it is coming from a *.google.com domain.  I have set up a FQDN host of *.google.com and added it to the "Allowed client networks" but it doesn't seem to be doing a reverse DNS lookup on the traffic.  For example, one of the IPs is 108.177.72.23 and when I do a DNS lookup on it in the diagnostics it correctly finds the address as "rate-limited-proxy-108-177-72-23.google.com" but the rule doesn't allow the traffic through.  Is this type of rule possible with Sophos XG?

DNAT Rule:

DNS Lookup:

Thanks.



This thread was automatically locked due to age.
  • Hi,

    what do you mean by block all incoming traffic? Your users should initiate the connection so the rule should only allow access to google.com in the destination which will not work correctly because google has a lot of domains that are like *.*google.com.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Ian,

    Thank you for the reply.  Maybe I'm doing this all wrong then.  My goal is to allow specific traffic from the WAN to connect to a computer inside my LAN.  I would like to restrict the access to the computer so only IPs owned by Google are allowed to connect.  I thought I could do this by creating a DNAT rule with the "Allowed client networks" of *.google.com.  Like this:


    Sophos XG does not seem to do a reverse DNS lookup for the IP that is trying to connect though.  The only way I can get the rule to work is by adding United States.  

    Hopefully that makes more sense of what I'm trying to do.

  • Hi,

    the rule should look a bit like this, you should select the *.google.com from the drop down list.

    Source WAN -> *.google.com -> destination LAN -> server IP -> any -> allow -> log -> MASQ.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Ian,

    I set up a rule as you described but I could not connect to my computer/server. I thought I needed a DNAT rule to allow traffic through?  The DNAT rule I have set up is successfully passing traffic through as long as I have "United States" added to the Allowed Client Networks.  I have tested and this rule will block traffic outside of the US so it seems to be partially working.  If I try to allow only *.google.com traffic by adding that to the Allowed Client Networks it will fail and the traffic I need to let through will not get through.  It's as if Sophos isn't doing a reverse DNS lookup.  I'm not at a point where I can post screenshots but I can do it later if needed (there are also some above that may help explain how my rule is configured).

    Thanks again for the help.

    Pete
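The behaviour Pete is seeing comes down to how an FQDN host object is populated: the firewall learns addresses from forward (A-record) lookups that pass through it and then matches the connecting source IP against that set; it never performs a reverse (PTR) lookup on an inbound source address, so an IP like 108.177.72.23 whose name was never resolved by a LAN client is simply not in the object. The script below is an added illustration, not Sophos code and not anything posted in the thread. It models the two checks side by side: the forward-resolved match a firewall actually does, and a forward-confirmed reverse DNS (FCrDNS) check, which is the reliable form of "is this IP really a *.google.com host". The DNS tables are constructed for offline use (only 108.177.72.23 and its PTR name come from the thread; the other addresses are RFC 5737 documentation ranges), and the dictionary lookups stand in for real resolver calls.

```python
import ipaddress
from typing import Dict, Optional, Set

# Constructed DNS data for an offline demonstration. Only 108.177.72.23 and its
# PTR name appear in the thread; every other record below is invented.
FORWARD: Dict[str, Set[str]] = {
    "www.google.com": {"192.0.2.10"},
    "mail.google.com": {"192.0.2.20"},
    "rate-limited-proxy-108-177-72-23.google.com": {"108.177.72.23"},
}
REVERSE: Dict[str, str] = {
    "192.0.2.10": "www.google.com",
    "108.177.72.23": "rate-limited-proxy-108-177-72-23.google.com",
    # Hypothetical host whose PTR claims google.com but which no google.com
    # name resolves back to: a PTR-only check would wrongly accept it.
    "198.51.100.7": "pretend.google.com",
}


def _matches_suffix(name: str, suffix: str) -> bool:
    return name == suffix or name.endswith("." + suffix)


def fqdn_object_ips(suffix: str, names_seen: Set[str]) -> Set[str]:
    """Model of a wildcard FQDN host object: the firewall only knows the
    addresses of names that were actually resolved through it, so the object
    is the union of those names' forward records."""
    ips: Set[str] = set()
    for name in names_seen:
        if _matches_suffix(name, suffix):
            ips |= FORWARD.get(name, set())
    return ips


def allowed_by_fqdn_object(src_ip: str, suffix: str, names_seen: Set[str]) -> bool:
    """Source match as the firewall does it: membership in the resolved set.
    No reverse lookup is made on the connecting address."""
    return src_ip in fqdn_object_ips(suffix, names_seen)


def fcrdns_check(src_ip: str, suffix: str) -> Optional[str]:
    """Forward-confirmed reverse DNS: the PTR name must end in the trusted
    suffix AND must resolve back to the same address. Returns the confirmed
    name, or None when either step fails."""
    ipaddress.ip_address(src_ip)  # reject malformed input early
    name = REVERSE.get(src_ip)
    if name is None or not _matches_suffix(name, suffix):
        return None
    if src_ip not in FORWARD.get(name, set()):
        return None  # PTR says google.com, but that name does not own this IP
    return name


if __name__ == "__main__":
    seen = {"www.google.com", "mail.google.com"}  # names LAN clients resolved
    for ip in ("108.177.72.23", "192.0.2.10", "198.51.100.7"):
        print(ip,
              "fqdn-object:", allowed_by_fqdn_object(ip, "google.com", seen),
              "fcrdns:", fcrdns_check(ip, "google.com"))
```

Running it shows the gap: 108.177.72.23 passes the FCrDNS check but is rejected by the FQDN object because nothing inside the LAN ever resolved its name, while 192.0.2.10 passes both and the constructed 198.51.100.7 is rejected by both. In practice this means a source-side wildcard FQDN is not a dependable way to restrict inbound access on a DNAT rule; the object only ever contains addresses your own clients happened to look up. For inbound restrictions, an explicit list of the sender's published address ranges (or authentication at the service itself) is the check to rely on.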

