Hi Community,
I am seeking your advice... I recently upgraded my hardware from an XG105 to and XG115 to address performance issues we were experiencing with MSFT Teams, WebEx, Nintendo Switch, etc.
Given both my wife and I are WFH now due to Covid, our issues have become more apparent.
I am not a network or security engineer, but know enough to navigate my way around the FW.
If I set up a persistent ping to and external address, say Google's DNS, and run a Team calls concurrently, I will notice the video and audio performance degrades and I see packet loss on the ping. I also filter the logs by my laptop IP, where I am running Teams from, and can see denied traffic. When I look at the addresses via a domain lookup (Centralops), most of the addresses are AWS, MSFT (direct) & Azure (Hosting), etc.
I have added exceptions into my rules but this doesnt seem to make a difference.
The last thing I want to do is create a whole bunch of bypass rules and compromise the effectiveness of the FW - whats the point of having it.
So, what is the best way to get support on this? I need some help in diagnosing the root cause (poor configuration, missing rules or policies, etc).
Hi,
what type of link are you using and what speeds?
Ian
Hi Ian,
I have Unlimited Telstra NBN HFC.
thank you for the screen shot.
Your single performance looks very much like my FTTC 50/20.
I don't think your issue is with the firewall rules but more with connection issues.
Please check the Network tab in the XG GUI to see what each interface is showing. You should be looking for auto-negotiation or full duplex and 1000mb/s.
Hello Msaggers,
Thank you for contacting the Sophos Community.
Can you try the following:
1) Is DoS flood currently enabled? Please disable and see if that makes a difference.
2) If you SSH in to the XG and then press 5 > 4 and arrive to the console and type
console > set advanced-firewall udp-timeout-stream 150
3) Create a Firewall rule on top, with no scanning or filtering and setting the following subnets as the destination networks:
13.107.64.0/18, 52.112.0.0/14, and 52.120.0.0/14
4) You could try to prioritize the traffic using the Microsoft Teams Applications
Go to WebAdmin >> Applications >> Traffic shaping default >> Category name(Search) >> Search for microsoft teams >> Under conferencing please click manage >> Name: Microsoft TeamsTraffic shaping policy: Streaming Video - Guarantee Full HD Quality.
After that create firewall rule and enable traffic shaping for applicationWebAdmin -> Firewall -> Add firewall rule -> User/network rule (This would be the same Firewall rule used in step #3)
Rule Position: Top
Rule Group: None
Source Zones:LAN or what is the zone of the test PC
Source networks and devices: Test PC ip address
Destination Zones:WAN
Destination networks: 13.107.64.0/18, 52.112.0.0/14, and 52.120.0.0/14 or you can change to ANY since traffic will be prioritized based on the application
Services: AnyApplication control: Allow AllCheck apply application-based traffic policy
5) If that still fails, we would need to come back to step 1 and create some DoS exceptions for Microsoft by following this
https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams
Regards,
what about internal network? Are you using an AP to connect?
Finally which version of XG are you running?
have made some of the changes.
With the new FW rules for those networks, as soon as I added them the Teams Chat stopped working and msg wouldnt send. I turned the rule off and started to work again.
I will check to see what happened in the logs
I am running an XG115W with two AP55s attached via a 1gb switch with SFOS 18.0.1 MR-1-Build396
this might seem like a dumb question, but why are you inning bridge mode?
it was default due to the way I connect my Telstra gateway. I tried to avoid it based on some previous posts I read.
Happy to rebuild in route mode...