Discord Firewall Exception(Sophos XG)

Use web proxy instead of DPI engine is turned off. So I am using DPI engine. 

Hi,

do you have any boxes ticked in the web section, if so that will enable the web proxy.

Ian

Adding discord.com gives me the same output unfortunately

What does the ssl/tls log show? When you had the generic rule, what were the urls that were passed, sounds like there might be others than those you have added exceptions for?

ian

Action with every URL is: Do not decrypt. So wouldnt be an issue?

Hi,

some sites do not like ssl/tls regardless of the settings that is why occasionally it is best to use the web proxy with exceptions. Also ssl/tls does not handle UDP so you need to allow for that. The web proxy will allow for it without scanning.

ian

Ok, but which exception do i need to define in the FW rules? I can't find a list of ip addresses or anything like that?

There is a SSL/TLS exception list, though I think your existing exception list covers most items. I would setup your generic rule again and use one PC as the source to see what sites and ports are used because you might find that there are special ports involved though I searched through the discord web site and did not find any useful information.

Ian

I already did that. I will show you.
Test client is specified, ACL rule is being hit in logs.

IIn this example, i have extracted the IP addresses from Discord from the logs. However, yesterday I had 3 other IP addresses, they keep changing. I noticed when I test with multiple clients, they all get different Discord server IP Addresses
I can't seem to find a complete Discord server list. If I know which IP addresses to allow the voice traffic to, i can easily make an exception.

Hi,

I am a little confused by your use of ACL, please explain. I could not read your firewall rule, but I suspect you need to change the destination to wan zone.

ian

Destination Zone is WAN indeed, sorry, blurred too much. However, if I rejoin the Discord voice channel, Discord server IP keeps changing

Only thing i did, i rejoined the Discord voice channel. Different IP. If I would have a group of Discord IP's, i could make an exception, however, the Discord server IP keeps changing.

Interesting, I had nothing to setup to use Discord, worked right off the bat.  You must be blocking something that I'm not.  I don't have any outbound rules setup, I left those alone with the exception of cutting off a couple of ports for my cameras and some Country Blocking.  

Interesting, I had nothing to setup to use Discord, worked right off the bat.  You must be blocking something that I'm not.  I don't have any outbound rules setup, I left those alone with the exception of cutting off a couple of ports for my cameras and some Country Blocking.