Discord Firewall Exception(Sophos XG)

Use web proxy instead of DPI engine is turned off. So I am using DPI engine. 

Hi,

do you have any boxes ticked in the web section, if so that will enable the web proxy.

Ian

What does the ssl/tls log show? When you had the generic rule, what were the urls that were passed, sounds like there might be others than those you have added exceptions for?

ian

Action with every URL is: Do not decrypt. So wouldnt be an issue?

Hi,

some sites do not like ssl/tls regardless of the settings that is why occasionally it is best to use the web proxy with exceptions. Also ssl/tls does not handle UDP so you need to allow for that. The web proxy will allow for it without scanning.

ian

Ok, but which exception do i need to define in the FW rules? I can't find a list of ip addresses or anything like that?

There is a SSL/TLS exception list, though I think your existing exception list covers most items. I would setup your generic rule again and use one PC as the source to see what sites and ports are used because you might find that there are special ports involved though I searched through the discord web site and did not find any useful information.

Ian

I already did that. I will show you.
Test client is specified, ACL rule is being hit in logs.

IIn this example, i have extracted the IP addresses from Discord from the logs. However, yesterday I had 3 other IP addresses, they keep changing. I noticed when I test with multiple clients, they all get different Discord server IP Addresses
I can't seem to find a complete Discord server list. If I know which IP addresses to allow the voice traffic to, i can easily make an exception.

Hi,

I am a little confused by your use of ACL, please explain. I could not read your firewall rule, but I suspect you need to change the destination to wan zone.

ian

Destination Zone is WAN indeed, sorry, blurred too much. However, if I rejoin the Discord voice channel, Discord server IP keeps changing

Only thing i did, i rejoined the Discord voice channel. Different IP. If I would have a group of Discord IP's, i could make an exception, however, the Discord server IP keeps changing.

Interesting, I had nothing to setup to use Discord, worked right off the bat.  You must be blocking something that I'm not.  I don't have any outbound rules setup, I left those alone with the exception of cutting off a couple of ports for my cameras and some Country Blocking.  

I do not think you are hitting TLS problems with DPI mode. Most voice traffic is not over TLS.

Now that you have found firewall blocks that proves it is not DPI. You can hover over the first column to get the full log (or switch to detailed view). Find the firewall rule that it is hitting. Find the port it is using.
Create a new firewall rule above the one it is hitting, just for that port. If you want to you can use FQDN hosts as a destination network.

A simple googling of discord firewall voice port finds sites like this:
streamersplaybook.com/.../
That says discord uses a random UDP port between 50,000 and 65,535. You may need to create a Service that matches that, then a firewall rule to allow that.

I do not think you are hitting TLS problems with DPI mode. Most voice traffic is not over TLS.

Now that you have found firewall blocks that proves it is not DPI. You can hover over the first column to get the full log (or switch to detailed view). Find the firewall rule that it is hitting. Find the port it is using.
Create a new firewall rule above the one it is hitting, just for that port. If you want to you can use FQDN hosts as a destination network.

A simple googling of discord firewall voice port finds sites like this:
streamersplaybook.com/.../
That says discord uses a random UDP port between 50,000 and 65,535. You may need to create a Service that matches that, then a firewall rule to allow that.

Thanks! Once I added a Discord Service group with all the UDP Ports, without a specific IP destination(so just: ANY), it started to work. The thing that mislead me was the IP blocking, which occurred before UDP Block. 

In your URL i noticed, we just cant specify a specific Discord IP server, so it clarifies a lot. 
Thanks all for helping me out!