

Blackhole NAT + DROP firewall - Accept anyway?

Hi Community!

I've set up a blackhole DNAT (https://support.sophos.com/support/s/article/KB-000038943?language=en_US) and added a firewall rule:

I can see a lot of IPs going to the dummy address and being blocked (on TCP 443 it's actually rejected with a 403... but nvm), but I can also see IPs that are getting allowed like this:

Firewall messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="13"
fw_rule_id="14" --> Block rule
nat_rule_id="2" --> Blackhole DNAT
policy_type="1" user="" user_group="" web_policy_id="2" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id=""
ether_type="Unknown (0x0000)" --> Er, what?
 bridge_name="" bridge_display_name="" in_interface="PortB" in_display_interface="PortB" out_interface="" out_display_interface="" src_mac="XX:XX:XX:XX:XX:XX" dst_mac="YY:YY:YY:YY:YY:YY"
src_ip="X.X.X.X" --> Definitely on the "Blocked IP list"
src_country="XX" dst_ip="Y.Y.Y.Y" dst_country="YY" protocol="TCP" src_port="21878"
dst_port="443" --> Service is in the Blackhole DNAT services
packets_sent="47" packets_received="57" bytes_sent="2672" bytes_received="73780" src_trans_ip="" src_trans_port="0" dst_trans_ip=""
dst_trans_port="3128" --> Web proxy port??? What is this doing here?
src_zone_type="WAN" src_zone="WAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="2504901568" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

Any ideas? (SFVH (SFOS 18.0.3 MR-3))
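As an added example (not from the post or from Sophos), here is a small Python parser for the key="value" log lines shown above that flags connections matched by the blackhole DNAT rule (nat_rule_id 2, as in the post's log) yet logged as Allowed, and notes when the translated destination is the web proxy port 3128. The log lines, addresses and rule IDs other than those quoted in the post are constructed.

```python
import re

# Constructed sample lines modelled on the SFOS "Firewall" log format in the
# post (addresses are documentation ranges, not real hosts).
SAMPLE_LOGS = [
    'log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id="14" '
    'nat_rule_id="2" src_ip="198.51.100.7" dst_ip="203.0.113.9" protocol="TCP" '
    'dst_port="443" dst_trans_ip="" dst_trans_port="3128" src_zone="WAN" dst_zone="WAN"',
    'log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id="14" '
    'nat_rule_id="2" src_ip="198.51.100.8" dst_ip="203.0.113.9" protocol="TCP" '
    'dst_port="22" dst_trans_ip="" dst_trans_port="0" src_zone="WAN" dst_zone="WAN"',
    'log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id="3" '
    'nat_rule_id="0" src_ip="192.0.2.5" dst_ip="203.0.113.10" protocol="TCP" '
    'dst_port="443" dst_trans_ip="" dst_trans_port="0" src_zone="LAN" dst_zone="WAN"',
]

# One key="value" pair; empty values ("") are kept so missing fields stay visible.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sfos_line(line):
    """Parse one SFOS key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def find_blackhole_leaks(lines, blackhole_nat_rule_id="2", proxy_ports=("3128",)):
    """Return connections that hit the blackhole DNAT rule but were Allowed.

    Each record also says whether the translated destination port is one of
    the proxy ports, which is what the post's log line shows (dst_trans_port=3128).
    """
    leaks = []
    for line in lines:
        rec = parse_sfos_line(line)
        if rec.get("nat_rule_id") != blackhole_nat_rule_id:
            continue  # not matched by the blackhole DNAT at all
        if rec.get("log_subtype") != "Allowed":
            continue  # blocked as intended
        leaks.append({
            "src_ip": rec.get("src_ip"),
            "dst_port": rec.get("dst_port"),
            "fw_rule_id": rec.get("fw_rule_id"),
            "dst_trans_port": rec.get("dst_trans_port"),
            "redirected_to_proxy": rec.get("dst_trans_port") in proxy_ports,
        })
    return leaks


if __name__ == "__main__":
    for leak in find_blackhole_leaks(SAMPLE_LOGS):
        print(leak)
```

Run it over an exported firewall log instead of SAMPLE_LOGS to list exactly which blackholed sources still got an Allow verdict and whether they were handed to the proxy.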

  • Hi Lucar,

    The answer seems a little strange from my point of view:

    1. HTTP/S has to hit the web proxy

    2. SMTP/S would have to hit the mail proxy

    3. IMAP/S and POP/S would have to hit the mail proxy

    4. FTP would have to hit a proxy

    5. What does the non-proxied traffic hit to be blocked?

    6. What if none of the proxies are enabled, e.g. when using DPI?

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
