Veeam B&R 12 issue

is that a copy job to a cloud archive? I'd say you don't need to ac_atp exception.
can you post the webfiltering and IPS settings of your fw rule and also the logs showing the packets in logviewer in detailled view.

I suspect there is something still blocked by IPS or scanned by TLS/DPI inspection you need to add the destination Domain to local TLS exclusion group.

Did you follow that guides and build FW rules for all of that targets and ports with fw rules that allow the traffic without TLS inspection?

https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120#wan-accelerator

There are no alerts - it's been wotking always.

I have already SSL exclusions in place, and also made a IP Exception for ALL functions for the source IP.

All that fixed was disable SSL/DPI completely , which is not a fix. Then I ran the command above and it worked. Think there is something with Veeam 12 and the new traffic. Got another Sophos customer upgraded to Veeam 12 today, the same issue occured.

it's probably not blocked you don't need to search for blocks. Traffic is most likely just beeing scanned and decrypted by TLS DPI engine and the program does not trust your firewall decrypting CA.

https://www.veeam.com/kb4328

Yes i am well aware of that, as it did work fine before Veeam 12 Upgrade, as stated earlier.

I have excepted the backup server IP completely from scans and added the destination domain to the Local TLS Exclusion list, it did not help, so I think there is a bug like here:

(1) SSL/TLS Inspection is blocking Veeam Backup Agent - Discussions - Sophos Firewall - Sophos Community

Hi,

please review your ATP setting.

Ian

Hi,

I was suggesting you might turn it off.

ian

Understood :-)

It works - but not a solution :-)

Understood :-)

It works - but not a solution :-)

Hi,

please add an exception to the ATP.

Ian

Hi,

It is not possible, as no ATP alert is being generated nor triggered.

How would you suggest to fix that?

Most likely opening a support case is the only way you can do if you don't want to exclude the rule from ATP/IPS. capture the traffic with tcpdump on the FW and send the dump with the case.

I'm pretty sure, in the end you'll not want backup traffic being inspected by these engines as it only consumes ressources on the firewall and slows down the backup a bit. If you push encrypted backup copies over the line, there is nothing for the firewall to scan anyway.

I understand the need for a support ticket - just started my questioning here :-)

As I cannot make an exception i ATP, because there is nothing to except, it just got fixed with the new FW rule, and then excepting that rule from ATP, as stated in the initial post, worked.

My only question was, if others with Veeam v12 had this issues, as with version 11 there was nothing wrong. Yes I know that they have changed something in the protocol.

But I created an exception entirely for the backup server, and that did not do it, only the atp exception in the CLI fixed it.

I'd expected the job to be done by what you already have. As we know now, ATP is still catching something in that traffic that hopefully Sophos Support can filter out in ATP filter updates or new firmware.