I have a problem on a customer's site.
The customer switched from Sophos UTM to XG firewall.
In the past the customer ran into the problem that his network got too small. For ease they just added 2 additional addresses on the LAN interface with a /24 netmask.
Now after the switch to XG firewall this construction doesn't work really well, because some connections are marked with "Invalid TCP state".
The main address/network is 192.168.40.0; the Sophos has 192.168.40.252. The other networks/aliases on the interface are 192.168.41.0 and 192.168.42.0.
If for example a client from the 192.168.42.0 network tries to access a printer in the 192.168.40.0 network it doesn't work because of invalid TCP state. Smartphone access to Exchange in the 192.168.40.0 network also doesn't work.
It would be very difficult for the customer to change the whole network to another netmask. So I searched for a solution.
I found this:
set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.42.0 source_netmask 255.255.255.0 dest_network 192.168.40.0 dest_netmask 255.255.255.0
Does anyone know if this would solve the problem I have?
Thanks everybody for your help
Hello Technik Technik1,
The command "advanced-firewall bypass-stateful-firewall-config" will skip stateful inspection for traffic coming from 192.168.42.0 and going to 192.168.40.0, which will solve your problem if there is any asymmetric routing between these 2 subnets.
What is the gateway for both (or all 3) subnets? Is it the IP address configured on the XG interface (or alias)? If so, then all traffic would get routed through the XG firewall via a LAN - LAN firewall rule. However, if any of the networks has a different gateway apart from the XG interface, then there are chances of asymmetric routing, in which the request and reply packets do not follow the same path.
For such traffic you would see them being dropped under rule ID 0.
Hardik R If a post solves your question use the 'Verify Answer' link.
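To make the answer above concrete, here is an added toy model (not code from the thread or from Sophos) of what a stateful firewall does with a reply whose SYN it never saw, and what the quoted bypass entry changes. The subnets are the ones from the thread; the client and printer addresses, the log format and the assumption that a bypass entry covers both directions of a flow are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed bypass table mirroring the CLI entry quoted in the thread:
# source 192.168.42.0/24 -> destination 192.168.40.0/24.
BYPASS = [(ip_network("192.168.42.0/24"), ip_network("192.168.40.0/24"))]


class StatefulFirewall:
    """Toy model of TCP state tracking: only a bare SYN may open a flow;
    every other segment must match a flow already seen, or it is dropped."""

    def __init__(self, bypass=()):
        self.bypass = list(bypass)
        self.flows = set()   # each flow is the unordered pair of endpoints
        self.log = []        # constructed log lines, not XG's real format

    def _bypassed(self, src, dst):
        # Assumption: the entry covers both directions of a flow between the
        # two subnets; the thread does not say whether XG treats it that way.
        s, d = ip_address(src), ip_address(dst)
        return any((s in a and d in b) or (s in b and d in a)
                   for a, b in self.bypass)

    def handle(self, src, sport, dst, dport, flags):
        if self._bypassed(src, dst):
            return "accept"           # no state check at all for this pair
        key = frozenset([(src, sport), (dst, dport)])
        if flags == {"SYN"}:
            self.flows.add(key)       # new connection, state created
            return "accept"
        if key in self.flows:
            return "accept"           # belongs to a tracked connection
        self.log.append(f"rule_id=0 drop 'Invalid TCP state' "
                        f"{src}:{sport}->{dst}:{dport}")
        return "drop"


def reply_without_syn(bypass=()):
    """Asymmetric case from the thread: the printer's SYN/ACK reaches the
    firewall, but the client's SYN never did (it took another path)."""
    fw = StatefulFirewall(bypass)
    return fw.handle("192.168.40.20", 9100, "192.168.42.10", 50000, {"SYN", "ACK"})


def unsolicited_with_bypass():
    """Cost of the bypass: an unsolicited segment between the two subnets
    is accepted without any state check."""
    fw = StatefulFirewall(BYPASS)
    return fw.handle("192.168.42.10", 50001, "192.168.40.20", 9100, {"ACK"})
```

The last function is the caveat: once the pair is bypassed, the firewall no longer checks TCP state for anything between those subnets, so the remaining protection for them comes only from the LAN-LAN rule itself.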
Hello Hardik R,
the Sophos has the following addresses on the interface:
The clients have the corresponding address as gateway; a client from 192.168.42.0 has 192.168.42.252 as gateway. I have already created a rule with LAN-LAN.
The message in the log is always invalid TCP state.
I have talked to a technician from Sophos who says that aliases in different networks than the main address are not supported.
Hello Technik Technik1, thank you for the update. Can you please message me the support ticket through which you discussed this with the Support engineer? As per the KBA, the same physical interface does support different subnets. docs.sophos.com/.../index.html
Sorry, I just talked on the phone. The ticket was related to another problem and I just asked him on the side about this. I told the customer that the best option is to change the network, but as I said it is a little bit difficult. I will test it with the stateful firewall solution and will report again.
So we could test it at the customer site. The problem has gone with traffic to printers, for example. But now a new problem occurred.
Before the change a client from 192.168.42.x could access Sophos management services like User Portal, WebAdmin and Captive Portal on 192.168.40.252. Now the clients can only access these services via the corresponding gateway address of their network.
It's not so great an issue, but the problem is that I can only set one IP/hostname for the Captive Portal.