
Sophos Firewall: v19.5 MR2: Feedback and experiences

Release post: Sophos Firewall OS v19.5 MR2 is Now Available

The old v19.5 MR1 post: Sophos Firewall: v19.5 MR1: Feedback and experiences

To make tracking of issues and feedback easier: please post a potential Sophos Support Case ID in your initial post so we can track your feedback/issue.



  • We have an interesting problem after updating to MR2 (from 19.5 MR1). We have a web server that is made available in the DMZ via a DNAT rule. From the WAN this is not a problem; this works.

    Since the update, some networks on the LAN can no longer access the web server. Other networks on the LAN have no problem with this.

    With tcpdump I have seen that requests from the LAN go directly out over the WAN interface to the Internet, without NAT:

    XGS5500_CI02_SFOS 19.5.2 MR-2-Build624 HA-Primary# tcpdump -i Port2 host 10.0.2.200
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on Port2, link-type EN10MB (Ethernet), capture size 262144 bytes
    18:34:46.269798 Port2, OUT: IP 10.0.2.200.50011 > 10.0.5.80.https: Flags [SEW], seq 454467722, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    18:34:46.519736 Port2, OUT: IP 10.0.2.200.50012 > 10.0.5.80.https: Flags [SEW], seq 3042186263, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

    10.0.2.200 is the client in the LAN, 10.0.5.80 is the private IP of the web server in the DMZ, and Port2 is the WAN port.

    I have tried different source IPs (in my NAT rule) to access the web server from the LAN. Whenever the DNAT rule takes effect, the traffic goes to the WAN without NAT instead of to the DMZ.

    If a post solves your question please use the 'Verify Answer' button.
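The check the poster did by eye on the tcpdump output can be automated: parse each line, keep only packets leaving on the WAN interface, and flag those whose destination is an RFC 1918 address, since a private destination should never egress the WAN unNATed. The following is an added example (not code from the post or from Sophos); the capture text is a constructed sample modeled on the two lines above plus one legitimate public-bound packet and one inbound packet, and the WAN interface name `Port2` is taken from the post.

```python
"""Flag packets that leave the WAN interface with an RFC 1918 destination.

Added example. The capture below is constructed for illustration and modeled on
the tcpdump lines in the forum post (interface 'Port2' is the WAN port there).
"""
import ipaddress
import re
from typing import List, NamedTuple

# Constructed sample capture: two lines mirroring the post, one normal
# Internet-bound packet, and one inbound packet that must be ignored.
SAMPLE_CAPTURE = """\
18:34:46.269798 Port2, OUT: IP 10.0.2.200.50011 > 10.0.5.80.https: Flags [SEW], seq 454467722, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:34:46.519736 Port2, OUT: IP 10.0.2.200.50012 > 10.0.5.80.https: Flags [SEW], seq 3042186263, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:34:47.001000 Port2, OUT: IP 10.0.2.200.50013 > 93.184.216.34.https: Flags [S], seq 1, win 64240, length 0
18:34:47.100000 Port2, IN: IP 203.0.113.10.41000 > 198.51.100.5.https: Flags [S], seq 2, win 64240, length 0
"""

# tcpdump line shape as printed on SFOS: "<ts> <iface>, <IN|OUT>: IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>[^,]+),\s+(?P<direction>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[^:]+):"
)

# Explicit RFC 1918 ranges rather than ipaddress's broader is_private list.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


class Packet(NamedTuple):
    ts: str
    iface: str
    direction: str
    src: str
    sport: str
    dst: str
    dport: str


def parse_capture(text: str) -> List[Packet]:
    """Parse tcpdump text into Packet records; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(Packet(**m.groupdict()))
    return packets


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_private_egress(packets: List[Packet], wan_iface: str) -> List[Packet]:
    """Return outbound packets on the WAN interface whose destination is private.

    Such packets indicate traffic that should have been routed/NATed to an
    internal zone (here the DMZ) but is instead leaking out of the WAN port.
    """
    return [
        p for p in packets
        if p.iface == wan_iface and p.direction == "OUT" and is_rfc1918(p.dst)
    ]


def summarize(packets: List[Packet]) -> List[str]:
    """One human-readable line per flagged packet."""
    return [f"{p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport} left {p.iface} unNATed"
            for p in packets]


if __name__ == "__main__":
    leaks = find_private_egress(parse_capture(SAMPLE_CAPTURE), wan_iface="Port2")
    for line in summarize(leaks):
        print(line)
```

On the constructed sample the script reports the two flows to 10.0.5.80 and ignores both the genuinely Internet-bound packet and the inbound one. On a real firewall the same logic can be run over a saved `tcpdump -i Port2` capture to confirm whether a DNAT change has started steering internal-destination traffic out of the WAN port.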
