Hi Community,
I am seeking your advice... I recently upgraded my hardware from an XG105 to and XG115 to address performance issues we were experiencing with MSFT Teams, WebEx, Nintendo Switch, etc.
Given both my wife and I are WFH now due to Covid, our issues have become more apparent.
I am not a network or security engineer, but know enough to navigate my way around the FW.
If I set up a persistent ping to and external address, say Google's DNS, and run a Team calls concurrently, I will notice the video and audio performance degrades and I see packet loss on the ping. I also filter the logs by my laptop IP, where I am running Teams from, and can see denied traffic. When I look at the addresses via a domain lookup (Centralops), most of the addresses are AWS, MSFT (direct) & Azure (Hosting), etc.
I have added exceptions into my rules but this doesnt seem to make a difference.
The last thing I want to do is create a whole bunch of bypass rules and compromise the effectiveness of the FW - whats the point of having it.
So, what is the best way to get support on this? I need some help in diagnosing the root cause (poor configuration, missing rules or policies, etc).
Hello Msaggers,
Thank you for contacting the Sophos Community.
Can you try the following:
1) Is DoS flood currently enabled? Please disable and see if that makes a difference.
2) If you SSH in to the XG and then press 5 > 4 and arrive to the console and type
console > set advanced-firewall udp-timeout-stream 150
3) Create a Firewall rule on top, with no scanning or filtering and setting the following subnets as the destination networks:
13.107.64.0/18, 52.112.0.0/14, and 52.120.0.0/14
4) You could try to prioritize the traffic using the Microsoft Teams Applications
Go to WebAdmin >> Applications >> Traffic shaping default >> Category name(Search) >> Search for microsoft teams >> Under conferencing please click manage >> Name: Microsoft TeamsTraffic shaping policy: Streaming Video - Guarantee Full HD Quality.
After that create firewall rule and enable traffic shaping for applicationWebAdmin -> Firewall -> Add firewall rule -> User/network rule (This would be the same Firewall rule used in step #3)
Rule Position: Top
Rule Group: None
Source Zones:LAN or what is the zone of the test PC
Source networks and devices: Test PC ip address
Destination Zones:WAN
Destination networks: 13.107.64.0/18, 52.112.0.0/14, and 52.120.0.0/14 or you can change to ANY since traffic will be prioritized based on the application
Services: AnyApplication control: Allow AllCheck apply application-based traffic policy
5) If that still fails, we would need to come back to step 1 and create some DoS exceptions for Microsoft by following this
https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams
Regards,
have made some of the changes.
With the new FW rules for those networks, as soon as I added them the Teams Chat stopped working and msg wouldnt send. I turned the rule off and started to work again.
I will check to see what happened in the logs
Hey Emmanuel, I have now added step 4 and things are looking good. I will test it with a few Teams calls tomorrow.
Cheers,
Matt