

New User Urgent Help With Zone To Zone Required Please

Hi,

I have just installed this morning, coming from pfSense, and have connected to the internet, but I require my LAN & WiFi ports to see each other.

I have configured the zone-to-zone firewall rule as any from any, but it is not working.

Wife & kids are going mad as we are in lockdown :-(

Massive thanks for any help in advance!

  • If you remove "Match known users" and "Show captive portal to unknown users" under Identity, does it work then?

    //Rickard

  • Hi,


    First of all, uncheck "Match Known Users". Unless you have an authentication server such as AD, or have created clientless users on XG, there's no need to have it checked.

    If you have "Match Known Users" enabled, the rule will only apply to authenticated users found by XG.

    Second, don't create LAN => LAN rules with "Any" as sources or destinations. I know that's how you create them on pfSense (since you create rules based on the interface as source), but not on XG.

    Use the correct zones and networks when creating rules.

     

    Here's an example:

    Thanks,


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • Thanks so much for your replies!

    I just got it working. I had set my port 3 (Wireless) to the WiFi zone (it made sense to me at first) and was trying to zone them together, but it would not work, so I changed the network zone on port 3 to LAN and then zoned LAN to LAN instead of LAN to WiFi, and now it's up & running! :-)

    Your destination screenshots (WiFi LAN & Wired LAN): did you create those as IP ranges?

    Thanks so much for your replies.

    Just port forwarding left to get working (cannot understand why it is not), but I will create a new post for that :-)

  • Just noticed, though: even though my two LANs are now talking to each other, why would I be getting all this blocked traffic?


  • Did you have a proxy configured in the old firewall and that is setup on the clients?

     

    //Rickard

  • Thank you, good point, I may have done. Sorry for jumping; it's just amazing how much there is to set up after using pfSense for a couple of years. Happy to say Sophos is far friendlier to use; a couple of quirks, but I am getting my head around it slowly :-)

  • Glad to be of service. Good luck on your Sophos endeavors :)

     

    //Rickard

  • Hi,

     

    I thought I had resolved this but unfortunately I haven't, only a partial success.

     

    I have 3 LAN interfaces.

    DHCP is running for all 3 devices' subnet ranges.

    You can also see that the devices are in the lease table, but I am unable to ping them.

    Even though, as in the screenshot above, I cannot ping anything, one example is 192.168.2.50, a Windows backup server that is connected, up & running, and on the internet as well. I have also connected to it from 192.168.0.3 via local remote desktop, and as you can see from this screenshot I am unable to ping the device that is remote controlling it either, but I can ping the Sophos gateway.

    I have also created IP-range source & destination networks, so I am well covered there.

    Any input greatly appreciated!


  • First, I would enable logging on the rule to see what is happening to the traffic.

    Then I would remove the source and destination networks and replace them with Any, since it looks like you have one subnet on the zones in question.

     

    And the question of the day, is ICMP echo reply enabled on the server you are trying to ping in Windows Firewall?

     

    //Rickard
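
Rickard's last question, whether the Windows Firewall on the target host accepts ICMP echo requests, is the one that most often explains "I can ping the gateway but not the server". As an added check that is not from this thread, this PowerShell snippet, run in an elevated session on the Windows server being pinged, shows the active firewall profile per adapter and every inbound ICMPv4 rule with its enabled state and profile (cmdlets are from the built-in NetSecurity module; the rule display name in the final comment is the Windows default, not something from this thread).

```powershell
# Added example: audit whether Windows Defender Firewall on this host allows
# inbound ICMPv4 echo requests (ping) on the profile that is currently in use.

# Which firewall profile is active on each connected adapter? A rule that is
# enabled only for "Domain" does nothing while the NIC is classed as "Private"
# or "Public", which is a common reason ping works from one LAN and not another.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Collect every inbound rule whose port filter is ICMPv4 (echo request is ICMP
# type 8) together with its enabled state, profile and action.
$icmpRules = Get-NetFirewallRule -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' } |
    Select-Object DisplayName, Enabled, Profile, Action

$icmpRules | Format-Table -AutoSize

# Verdict: at least one enabled Allow rule is required; its Profile must also
# cover the NetworkCategory reported above for the adapter facing the firewall.
$allowed = $icmpRules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
if ($allowed) {
    'Inbound ICMPv4 allow rule(s) enabled; confirm Profile matches the active profile above.'
} else {
    'No enabled inbound ICMPv4 allow rule; Windows Firewall will drop ping.'
    # To permit ping on the built-in rule (default name), enable it:
    # Enable-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)'
}
```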

  • Thank you so much for taking the time to reply!

     

    First, I would enable logging on the rule to see what is happening to the traffic. 

    I have enabled logging, but cannot even see any entries for the IP I am pinging in the log viewer. When logging is enabled, does it write to here?

    Then I would remove the Source and Dest networks and replace them with any since it looks like you have one subnet on the zones in question.

    I had that originally and was advised against it by Prism:

    Don't create LAN => LAN rules with "Any" as sources or destinations. I know that's how you create them on pfSense (since you create rules based on the interface as source), but not on XG.

    And the question of the day, is ICMP echo reply enabled on the server you are trying to ping in Windows Firewall?

    I can only presume it is, as if I shut down my Sophos VM and go back to my old pfSense VM, everything can see everything.