Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall

Discussions Sophos XG SSL VPN, restrict access to target host by port

Sophos Firewall requires membership for participation - click to join

Thread Info

State Not Answered
Locked Locked
Replies 3 replies
Subscribers 39 subscribers
Views 1520 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG SSL VPN, restrict access to target host by port

Malte Engelhardt over 3 years ago

Hello everybody

I have SSL VPN configured according to this manual ( Sophos Firewall: Configure SSL VPN remote access and Update the default CA (sophos.com) ). Further, I have configured firewall rules:

#1 allow VPN / External VPN users -> using Port 54322 -> To Hosts for external users

#2 disallow VPN / External VPN users -> using any port -> to any target

... other rules ...

However, I can still access any port on the target host! Is there any way to filter this kind of traffic?

Regards,

Malte Engelhardt

This thread was automatically locked due to age.

0 FormerMember over 3 years ago
Hi Malte Engelhardt,

Thank you for reaching out to the Community!

Would it possible for you to share screenshots of firewall rules? I'd also suggest you run a packet capture on they firewall to ensure SSL VPN traffic is allowed with the correct firewall rule.

Monitor traffic using Packet Capture Utility in the Sophos XG Firewall GUI

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 Malte Engelhardt over 3 years ago in reply to FormerMember

Hi H_Patel,

unfortunately, there is nothing logged in the firewall log regarding the destination IP. I've added some screenshots.
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 3 years ago in reply to Malte Engelhardt

Hi Malte Engelhardt,

Thank you for providing screenshots. I'd request you to share the support access id from your firewall with me by sending a private message.

I'll double-check the allowed service definitions and update you with the next step.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel