Web filter policy engine breaks website on IPv6 SFOS 17.5 MR9&10

Hi,

I have a problem with the web filter policy engine when trying to connect to https://mijn.triathlonbond.nl/login over IPv6. My default firewall rule includes a web filter policy which allows all, for logging purposes.

But when I try to connect to the above-mentioned site over IPv6, the connection times out. In the logging of the Sophos there is no indication of an error, nothing is being blocked, not in any of the log categories... (when is a unified logging view coming...?)

But when I change the firewall rule not to include the web filter, the website behaves normally... How to fix this, or is it a bug or limitation of XG? I have this in both MR9 and MR10.

BTW: the XG is running in bridge mode, without NAT. I would have liked to be running in routed mode, but the XG is apparently not able to request an IPv6 subnet delegation from my router. (OpenSense does!)

Dion

  • Google and YouTube and several other sites are IPv6. www.example.com is IPv6 and supports both HTTP and HTTPS. If those sites work then I do not think he has a generic IPv6 problem such as NAT. Remembering of course that all the sites are dual-stack and fall back to IPv6, so you need to look at logs to confirm you are connecting with IPv6.

    If it is only this one website that is the problem I would focus my debugging on that site. Basically if IPv6 works in general and this site fails in particular, I would blame the site and not the config. It may not be an IPv6 problem at all.

    Just in case it is a silly error... Are you sure that your IPv4 and your IPv6 firewall rules are in sync with each other?

  • For IPv4 I have no special firewall rule to allow this site without the webfilter; all IPv4 traffic passes the same webfilter as IPv6.

    The site is accessible via IPv6, for it works when I pass it through a rule without the webfilter; it breaks if it passes the webfilter, but only the IPv6 traffic. If I access the site through IPv4 with the same webfilter it works... so I really think it's the webfilter in IPv6 that breaks this site.

    Running Sophos XG SFOS 17.5.10 MR-10

    On VMware ESXi 6.7.0 Update 3 (Build 15018017)

    On 4 CPUs x Intel(R) Celeron(R) CPU J1900 @ 1.99GHz with 8GB RAM, 120 GB SSD & 4x Intel I211AT NIC
