
Web filter policy engine breaks website on ipv6 SFOS 17.5 MR9&10

Hi,

I have a problem with the web filter policy engine when trying to connect to https://mijn.triathlonbond.nl/login over IPv6. My default firewall rule includes a web filter policy which allows all, for logging purposes.

But when I try to connect to the above-mentioned site over IPv6 the connection times out. In the logging of the Sophos there is no indication of an error, nothing is being blocked, not in any of the log categories... (when is a unified logging view coming...?)

But when I change the firewall rule not to include the web filter, the website behaves normally... How do I fix this, or is it a bug or limitation of XG? I have this in both MR9 and MR10.

BTW: the XG is running in bridge mode, without NAT. I would have liked to be running in routed mode, but the XG is apparently not able to request an IPv6 subnet delegation from my router. (OpenSense does!)

Dion
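The post above says the connection simply times out and nothing appears in any log category, which leaves the question of where on the IPv6 path the connection actually dies. The script below is an added example (not from the thread or from Sophos) that splits a single HTTPS attempt into three stages, DNS (AAAA/A lookup), TCP connect and TLS handshake, runs them for IPv4 and IPv6 separately, and then applies a small set of interpretation rules. Run it from a client behind the XG once with the web filter on the rule and once without, and compare the reports. The hostname default, the 5-second timeout and the diagnosis wording are assumptions; the rules are generic troubleshooting heuristics, not Sophos documentation.

```python
"""Isolate an IPv6-only HTTPS failure: DNS -> TCP -> TLS, per address family.

Added example for the thread above, not code from the original post or from
Sophos. The host, timeout and interpretation rules are assumptions.
"""
import socket
import ssl

STAGES = ("dns", "tcp", "tls")


def probe(host, family, port=443, timeout=5.0):
    """Try DNS, then TCP connect, then a TLS handshake for one address family.

    Returns {"family", "addr", "dns", "tcp", "tls", "error"}. Each stage is
    attempted only if the previous one succeeded, so the first False tells
    you where the path breaks. A socket timeout during the handshake shows
    up as an OSError and is recorded as a TLS-stage error.
    """
    label = "v6" if family == socket.AF_INET6 else "v4"
    result = {"family": label, "addr": None, "dns": False, "tcp": False,
              "tls": False, "error": None}
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result["error"] = f"dns: {exc}"       # no A/AAAA record for this family
        return result
    result["dns"] = True
    addr = infos[0][4]
    result["addr"] = addr[0]

    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except OSError as exc:
        result["error"] = f"tcp: {exc}"       # SYN never answered, or refused
        sock.close()
        return result
    result["tcp"] = True

    ctx = ssl.create_default_context()        # verifies the server certificate
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            result["tls"] = True
    except (ssl.SSLError, OSError) as exc:
        # ssl.SSLCertVerificationError lands here too: that is what an
        # intercepting CA the client does not trust looks like.
        result["error"] = f"tls: {exc}"
    finally:
        sock.close()
    return result


def first_failure(result):
    """Name of the first stage that failed, or None if all three passed."""
    for stage in STAGES:
        if not result[stage]:
            return stage
    return None


def diagnose(v4, v6):
    """Compare the two probes and say where the IPv6 path breaks.

    Heuristics (assumptions, not vendor guidance):
    - no AAAA record: the site is IPv4-only, nothing to fix on the firewall;
    - v6 TCP fails while v4 works: routing/NAT on the v6 path;
    - v6 TCP connects but TLS never completes while v4 is fine: something
      inline accepted the SYN but did not finish the exchange, so an
      intercepting web filter/proxy on the v6 path is the first suspect;
    - certificate verification fails: decrypt-and-scan without the CA.
    """
    if not v6["dns"]:
        return "no AAAA record: host is IPv4-only"
    if v6["tls"]:
        return "IPv6 path works end to end"
    if not v6["tcp"]:
        return "IPv6 TCP connect fails: check v6 routing/NAT on the firewall rule"
    if "CERTIFICATE_VERIFY_FAILED" in (v6["error"] or ""):
        return "IPv6 TLS rejected: decrypt/scan likely on, install the firewall CA"
    if v4["tls"]:
        return ("IPv6 TCP connects but TLS never completes while IPv4 works: "
                "suspect the inline web filter on the v6 path")
    return "both families fail at TLS: the problem is not IPv6-specific"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mijn.triathlonbond.nl"
    r4 = probe(host, socket.AF_INET)
    r6 = probe(host, socket.AF_INET6)
    for r in (r4, r6):
        print(f"{r['family']}: addr={r['addr']} first_failure={first_failure(r)} "
              f"error={r['error']}")
    print(diagnose(r4, r6))
```

The point of splitting the stages is that a plain browser timeout hides the difference between "no route" (TCP never connects) and "an intercepting device answered the SYN and then went quiet" (TCP connects, TLS stalls); only the second pattern points at the web filter rather than at v6 routing or NAT, and the certificate-verification case separately answers the decrypt-and-scan / CA question raised later in the thread.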



  • Can you help this user?

    I am not using an IPv6 connection.

    Regards

  • Hi Luk,

    Unified logging is a good question.

    I have tried the site and it fails security settings, so I cannot access it for the moment.

    I will experiment further.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    I am not sure you can run IPv6 in bridge mode without a NAT; the default and only mode for IPv6 is NAT. Yes, there are many requests to fix this issue, supposedly later this year.

    Also XG does not handle subnet delegation.

    Ian

  • Further info: that site only returns an IPv4 address.

    Ian

  • For me it resolves IPv6 to:

    mijn.triathlonbond.nl.  TTL=299  AAAA  2a01:7c8:aaae:18::1
    (not authoritative)

    Running Sophos XG SFOS 17.5.10 MR-10

    On VMWare ESXi 6.7.0 Update 3 (Build 15018017)

    On 4 CPUs x Intel(R) Celeron(R) CPU J1900 @ 1.99GHz with 8GB RAM, 120 GB SSD & 4x  intel I211AT NIC

  • Hi,

    I can traceroute to the site, but cannot connect to it. Fails in Safari and FF as an invalid address. The following is part of the traceroute and seems to have some invalid addresses as well as very long responses, which could explain your failures.

    19  e1-a8.r2.ams0.transip.net  308.888 ms  310.665 ms  312.896 ms
    20  r2.f2.ams4.transip.net  311.594 ms  317.441 ms  313.973 ms
    21  f2.l1.ams4.transip.net  312.796 ms  319.728 ms  316.361 ms
    22  * *  f2.l1.ams4.transip.net  3337.408 ms !A
    23  * * *
    24  *  f2.l1.ams4.transip.net  3601.819 ms !A  *
    25  f2.l1.ams4.transip.net  3646.906 ms !A  * *
    26  *  f2.l1.ams4.transip.net  3357.424 ms !A  3954.573 ms !A

    Ian

  • But why does it work when I disable the web filter policy in the firewall rule?

    Dion

  • Hi,

    Do you have decrypt and scanning enabled? Have you installed the CA on your PC? Please post the firewall rule.

    Ian

  • Nope...

    details:

    Dion

  • Hi Dion-Ben,

    A very simple answer: you have not enabled MASQ (NAT) on your firewall rule. NAT is mandatory on XG IPv6 firewall rules.

    Ian