
Firewall dropping packets for standard applications

Hi Community,

I am seeking your advice... I recently upgraded my hardware from an XG105 to an XG115 to address performance issues we were experiencing with MSFT Teams, WebEx, Nintendo Switch, etc.

Given both my wife and I are WFH now due to Covid, our issues have become more apparent.

I am not a network or security engineer, but know enough to navigate my way around the FW. 

If I set up a persistent ping to an external address, say Google's DNS, and run a Teams call concurrently, I notice the video and audio performance degrades and I see packet loss on the ping.  I also filter the logs by my laptop IP, where I am running Teams from, and can see denied traffic.  When I look up the addresses via a domain lookup (Centralops), most of the addresses are AWS, MSFT (direct) & Azure (Hosting), etc.

I have added exceptions into my rules but this doesn't seem to make a difference.

The last thing I want to do is create a whole bunch of bypass rules and compromise the effectiveness of the FW - what's the point of having it then?

So, what is the best way to get support on this?  I need some help in diagnosing the root cause (poor configuration, missing rules or policies, etc).



  • Hi,

    what type of link are you using and what speeds?

     

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hi Ian,

    I have Unlimited Telstra NBN HFC.

  • Hi,

    thank you for the screen shot.

    Your single performance looks very much like my FTTC 50/20.

    I don't think your issue is with the firewall rules but more with connection issues.

    Please check the Network tab in the XG GUI to see what each interface is showing. You should be looking for auto-negotiation or full duplex and 1000mb/s.

    Ian

     
  • Hello Msaggers,

    Thank you for contacting the Sophos Community.

    Can you try the following:

    1) Is DoS flood currently enabled? Please disable and see if that makes a difference. 

    2) If you SSH into the XG and then press 5 > 4 to arrive at the console, type

    console > set advanced-firewall udp-timeout-stream 150

    3) Create a Firewall rule on top, with no scanning or filtering and setting the following subnets as the destination networks:

    13.107.64.0/18, 52.112.0.0/14, and 52.120.0.0/14

    4) You could try to prioritize the traffic using the Microsoft Teams Applications

    Go to WebAdmin >> Applications >> Traffic shaping default >> Category name(Search) >> Search for microsoft teams >> Under conferencing please click manage >>
    Name: Microsoft Teams
    Traffic shaping policy: Streaming Video - Guarantee Full HD Quality.

    After that create firewall rule and enable traffic shaping for application
    WebAdmin -> Firewall -> Add firewall rule -> User/network rule (This would be the same Firewall rule used in step #3)

    Rule Position: Top

    Rule Group: None

    Source Zones:LAN or what is the zone of the test PC

    Source networks and devices: Test PC ip address

    Destination Zones:WAN

    Destination networks: 13.107.64.0/18, 52.112.0.0/14, and 52.120.0.0/14 or you can change to ANY since traffic will be prioritized based on the application

    Services: Any
    Application control: Allow All
    Check apply application-based traffic policy

     

    5) If that still fails, we would need to come back to step 1 and create some DoS exceptions for Microsoft by following this:

    https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
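    To see whether the denied entries in the firewall log actually land in the Teams ranges quoted in step 3 (rather than in unrelated AWS or Azure space), here is an added Python check, not from the original thread or from Sophos; the key="value" log lines it parses are constructed samples in a loose SFOS-like shape, and the source IP is a placeholder for the test PC.

```python
import ipaddress
import re

# Microsoft Teams media/signalling ranges quoted in the support reply above.
TEAMS_RANGES = [ipaddress.ip_network(n)
                for n in ("13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14")]

# Constructed sample of firewall log entries (not real logs); 192.168.1.50 stands in for the test PC.
SAMPLE_LOG = """\
log_type="Firewall" status="Deny" src_ip="192.168.1.50" dst_ip="52.113.10.20" dst_port="3478" protocol="UDP"
log_type="Firewall" status="Deny" src_ip="192.168.1.50" dst_ip="13.107.70.5" dst_port="443" protocol="TCP"
log_type="Firewall" status="Deny" src_ip="192.168.1.50" dst_ip="3.5.140.2" dst_port="443" protocol="TCP"
log_type="Firewall" status="Allow" src_ip="192.168.1.50" dst_ip="52.121.1.1" dst_port="3478" protocol="UDP"
log_type="Firewall" status="Deny" src_ip="192.168.1.77" dst_ip="52.121.1.1" dst_port="3478" protocol="UDP"
"""

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(KV.findall(line))


def in_teams_ranges(ip):
    """True if the address falls inside one of the Teams subnets from the reply."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TEAMS_RANGES)


def classify_denies(log_text, src_ip):
    """Split denied flows from src_ip into (inside Teams ranges, everything else).

    Each flow is reported as (dst_ip, dst_port, protocol) in log order.
    """
    teams, other = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("status") != "Deny" or rec.get("src_ip") != src_ip:
            continue
        flow = (rec["dst_ip"], rec["dst_port"], rec["protocol"])
        (teams if in_teams_ranges(rec["dst_ip"]) else other).append(flow)
    return teams, other


if __name__ == "__main__":
    hits, rest = classify_denies(SAMPLE_LOG, "192.168.1.50")
    print("Denied flows inside the Teams ranges:", hits)
    print("Denied flows elsewhere (not covered by the step 3 rule):", rest)
```

    Denied destinations that end up in the second list will not be helped by the step 3 rule and need a separate look (a domain lookup, as the original post did).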
  • Port2
    WAN

    Physical
    Connected
    1000 Mbps - Full Duplex
    Auto-negotiated
  • Hi,

    what about internal network? Are you using an AP to connect?

    Finally which version of XG are you running?

    Ian

     
  • I have made some of the changes.

    With the new FW rules for those networks, as soon as I added them the Teams chat stopped working and messages wouldn't send.  I turned the rule off and it started to work again.

    I will check to see what happened in the logs

  • I am running an XG115W with two AP55s attached via a 1gb switch with SFOS 18.0.1 MR-1-Build396

  • Hi,

    this might seem like a dumb question, but why are you running bridge mode?

    Ian

     
  • It was the default due to the way I connect my Telstra gateway.  I tried to avoid it based on some previous posts I read.

    Happy to rebuild in route mode...