We have a Doorbird-doorbell behind our Sophos XG Firewall with Firmware....
I also read these articles:
The article says using SSL/TLS-Decryption this is the solution but I tried it and it doesn't work, too: https://community.sophos.com/sophos-xg-firewall/f/discussions/124615/how-to-unblock-ring-doorbell-app-when-sophos-xg-is-using-ssl-tls-decryption
So here is another article with the same problem and also no solution:
I posted the details in the article above but I am afraid nobody see it in the discussion. So I open this new question.
Here is my summary:
Have the same rule as described here https://community.sophos.com/sophos-xg-firewall/f/discussions/128958/doorbird-connected-to-sophos-xg-with-no-external-access/473281?focus=true#473279:
Additional I added an SSL/TLS Inspection-Rule as described here https://community.sophos.com/sophos-xg-firewall/f/discussions/124615/how-to-unblock-ring-doorbell-app-when-sophos-xg-is-using-ssl-tls-decryption:
But I see a lot of errors in the log:
And I also see this in capturing mode - the Local-ACL-violation is strange. Tried this Question to help but I don`t understand a solution:
This is the detail-view:
So I don't know what to do. I changed the doorbird hardware but with the new part it's still the same problem. So I think it's an FW-Error.
Please - is there anyone with a solution?
I couldn't find it in the other questions. A lot of people describe the same problem but nobody has an answer.
If so, the firewall will actually ignore the packets.
So lets recap quickly on what is going on:
The device is doing a broadcast, its like screaming in a room, hoping somebody is answering.
If you have…
It uses Broadcast to "find something". Sophos Firewall (like many other products) will not forward this to anything. Therefore this product currently looking in the same network (broadcast domain) something, which respond to its call. But nothing will actually respond as it is simply a call to everybody.
Plenty of IoT hardware is badly written like this (it seems like?).
You should be able to instead point to a single IP. This broadcast will not lead to anything.
Wondering how this hardware works: Because it expect something to answer on those calls. Do you need a wireless device with a certain App to be enabled in the same network?
Thats most likely how IoT Devices work nowadays because this will work for 99% of the home customers. They have one wireless of there ISP and it "simply works and connect".
But with Sophos Firewall you can actually segment the networks, leading to stop working such hardware.
am not sure how to match your answer to my problem. Yes, I want to use both devices in the same network.
If you have multiple network segments, its like having multiple rooms in a house. Your device only screams in the living room, your application is in another room.
Most products cannot "forward" this scream, as this is highly untwanted by a network administrator. There are reasons not to forward this. And the firewall does not know, in which room in has to forward this etc.
What you can do: You could increase the room size by building a network bridge. This means, it will increase the subnet of the network to a bigger size network.
Can you link us a screenshot of your interfaces? Where is the application / mobile device?
PS: This packets will not reach the Internet in any way. You cannot configure that. So it seems like you have to configure the device with a mobile app first.
The documentation from doorbird is here: https://www.doorbird.com/downloads/misc/ports_en.pdf
The doorbird is in my local net, the same net like the android-device. But also when I try to connect with the android-device from the internet I get no streaming video from the doorbird. So I don't think it's only a broadcast-problem. I get no video but I receive the notifcations from the doorbell (ringing, motion) as notification on android.
So I think the main problem is that the doorbell doesn't reach its internet gateway correctly. And the ACL-violation in the sophos log is an indicator for an error.
But what can I do now in the sophos?
This is highly not an issue with the firewall. The packets you are seeing are broadcast and not internet traffic. If those packets are the only packets you are seeing, it looks like the app is broken.
You could try to create a firewall rule for this services and the FQDN like you mentioned in the app.
See my screenshots at the top of thebsite and the Sophos error messages (ACL violation).
No idea what I can change. Would be nice you give me a detailled advice which of my rulesbis not correct. Only to say "it is not the sophos" cant be the solution. See the errors in the log.
The firewall rule seems to be perfectly fine.
The ACLs, as mentioned earlier, are only broadcast packets. Therefore not the packets, you can forward to the internet.
Check the firewall log, if you see any 443 or 80 packets. If not, its not the firewall, instead the doorbell is wrongly configured.