IP Spoof when configuring Active Directory authentication

Hello,

I've a Sophos XG Firewall on a VM in my homelab (latest release available), configured in transparent mode, so its IP is on a bridge pair.

I'm trying to add Active Directory Authentication, but my firewall can't connect to my primary DC. I've checked the traffic with drop-packet-capture, and the firewall drops its own traffic because of "IP_SPOOF".

Apparently, my Sophos XG sends its packet without providing its MAC address and it drops it.

I've tried to add a FW rule to accept traffic from my firewall network range to my DC and to add an exclusion with the MAC of the bridge pair, but that obviously didn't work.

Can you help me with that issue?

Thank you,

  • FormerMember

    Hi Thomas Delcampe,

    Can you share the logs and traffic detail for this IP spoofing?

    Thanks,

  • Hi,

    Spoofing is already deactivated...

    Here is a log:

    2020-02-20 20:11:36 0119021 IP 10.10.1.253.51044 > 10.10.100.1.389 : proto TCP:
    R 3947871165:3947871165(0) checksum : 50647
    0x0000:  4500 0028 f55f 4000 3f06 cc5e 0a0a 01fd  E..(._@.?..^....
    0x0010:  0a0a 6401 c764 0185 eb4f bbbd 0000 0000  ..d..d...O......
    0x0020:  5004 0000 c5d7 0000                      P.......
    Date=2020-02-20 Time=20:11:36 log_id=0119021 log_type=Firewall log_component=IP_Spoof log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=2 outzone_id=0 source_mac= dest_mac= l3_protocol=IP source_ip=10.10.1.253 dest_ip=10.10.100.1 l4_protocol=TCP source_port=51044 dest_port=389 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x8001 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=975732160 masterid=0 status=398 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    Thank you,
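Added example (not code from this thread or from Sophos): a small Python script that decodes the hex dump in the post above into IPv4/TCP header fields, parses the key=value record (abridged here to the fields it uses, and joined onto one line), and cross-checks that the two describe the same packet, pulling out the details that matter when triaging this kind of drop: the IP_Spoof denial, the empty source_mac, fw_rule_id=0 and the TCP flags. The hex-dump reader assumes the tcpdump-style layout shown in the post.

```python
import re
import struct
from ipaddress import IPv4Address

# Hex dump and (abridged) key=value record copied from the post above.
HEXDUMP = """\
0x0000:  4500 0028 f55f 4000 3f06 cc5e 0a0a 01fd  E..(._@.?..^....
0x0010:  0a0a 6401 c764 0185 eb4f bbbd 0000 0000  ..d..d...O......
0x0020:  5004 0000 c5d7 0000                      P.......
"""
RECORD = ("log_type=Firewall log_component=IP_Spoof log_subtype=Denied in_dev=Port2 "
          "out_dev= source_mac= dest_mac= l3_protocol=IP source_ip=10.10.1.253 "
          "dest_ip=10.10.100.1 l4_protocol=TCP source_port=51044 dest_port=389 fw_rule_id=0")
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}

def hexdump_to_bytes(dump):
    """Collect the hex columns of each line; stop at the first word that is not hex
    (the ASCII gutter). Fine for this dump, not a general tcpdump parser."""
    out = bytearray()
    for line in dump.splitlines():
        for word in line.split(":", 1)[1].split():
            if not re.fullmatch(r"[0-9a-f]{2,4}", word):
                break
            out += bytes.fromhex(word)
    return bytes(out)

def decode_ipv4_tcp(pkt):
    """Return addressing, TTL/protocol and TCP flags from a raw IPv4+TCP header."""
    ver_ihl, ttl, proto, src, dst = struct.unpack_from("!B7xBB2x4s4s", pkt)
    ihl = (ver_ihl & 0x0F) * 4                      # IP header length in bytes
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", pkt, ihl)
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "ttl": ttl,
            "proto": proto, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [n for b, n in TCP_FLAGS.items() if off_flags & 0x1FF & b]}

def parse_record(line):
    """SFOS firewall log records are space-separated key=value pairs; empty values stay ''."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def triage(record, pkt):
    """Cross-check the record against the captured bytes and pull out what matters here."""
    hdr = decode_ipv4_tcp(pkt)
    matches = (hdr["src"], hdr["dst"], hdr["sport"], hdr["dport"]) == (
        record["source_ip"], record["dest_ip"], int(record["source_port"]), int(record["dest_port"]))
    return {"record_matches_packet": matches,
            "ip_spoof_denied": record.get("log_component") == "IP_Spoof" and record.get("log_subtype") == "Denied",
            "no_source_mac": record.get("source_mac", "") == "",   # the detail the OP points at
            "no_rule_matched": record.get("fw_rule_id") == "0",
            "tcp_flags": hdr["flags"]}
```

Run `triage(parse_record(RECORD), hexdump_to_bytes(HEXDUMP))` to see that the captured bytes are a TCP RST from 10.10.1.253:51044 to 10.10.100.1:389 with no source MAC recorded and no firewall rule matched, exactly what the record claims.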
