Sophos XG Home edition and Battle.net

Moved to Sophos XG from a Fortigate, all seems to work OK but the battle.net client. It won't connect. Disabled SSL inspection, no change. Created a new rule for the PC, disabled all inspection, IPS and the like and put rule at top, issue still remains.

I see in the logs it hitting the rule, so it's using it.

Change my gateway to old Fortigate IP and battle.net client connects.

It's something on Sophos, but logs look OK, and allow all traffic.....any thoughts?

  • Hi,

    Please post a copy of your rule. Sounds like you have an SSL decrypt and scan which the software does not like.

    You can create an exception for the battle.net site.

    Ian

    XGS118 - v21.0.1 MR1

    XG115 converted to software licence v21.0.1 MR-1

    If a post solves your question please use the 'Verify Answer' button.

    • The neverending story with Sophos generally.

      Horror with Microsoft exceptions, also many other programs.

      For Blizzard / Battle.net I have the following URLs in exceptions configured:

      ^([a-zA-Z0-9.-]*\.)?origin-[A-Za-z]\.akamaihd\.net/

      ^([a-zA-Z0-9.-]*\.)?eaassets([0-9])*-[A-Za-z]\.akamaihd\.net/

      ^([a-zA-Z0-9.-]*\.)?akamaihd\.net/

      ^([a-zA-Z0-9.-]*\.)?blizzard\.com/

      ^([a-zA-Z0-9.-]*\.)?blzddist1-a\.akamaihd\.net/

      ^([a-zA-Z0-9.-]*\.)?battle\.net/

      • Hi,

        what exceptions did you apply? Are you using the Web proxy?

        Please post a copy of your rule.

        When reviewing logviewer did you see all of the exceptions listed? What ports have you listed?

        Ian


        • A list of ports you need in your rule; also, battle.net will not work with SSL/TLS even with an exception.

          Blizzard Battle.net Ports Needed to Run
          TCP Port: 80, 443, 1119, 1120, 3074, 3724, 4000, 6112-6120, 27014-27050
          UDP Port: 80, 443, 1119, 1120, 3478-3479, 3724, 4000, 4379-4380, 5060, 5062, 6112-6119, 6250, 27000-27031, 27036, 12000-64000

          Ian


          • I am switching at the moment from UTM to XG. Actually I prepare and configure the new XG appliance; the UTM still runs.

            In UTM it was sufficient to configure the exceptions under web filter.

            Does this apply to XG?

          • That was the fix. Thanks man. Do you run Sophos at home?

            • Sorry, am I stupid?

              Which exactly was the solution?

              Web protection exceptions, firewall policies or a combination of both?

              • Web exception:

                • Ah yes, so the list from me worked? If so it would be nice to mark that also as solution... ;) For several games and clients there are different exceptions.

                  The mentioned ports from rfcat, did they get any relevance in any policy?

                  • SSL/TLS exceptions (Web -> URL Groups) should be good enough and you don't need that Reg-Ex stuff, just add the domains:



                    • ...and yes, running Sophos at home.

                      • This. Shouldn't be using the old-school web proxy, but rather the new DPI inspection, and when you use that this URL group is sufficient. No need for crazy regexes.

                        • Hi,

                          Rather than using the SSL/TLS exclusion list, which is updated and overwritten with each firmware release, create an FQDN group for the battle.net URLs and create a firewall rule at the top of your list similar to this:

                          Source LAN, network PC LAN, destination WAN, network FQDN group, allow all services, log and enable IPS LAN to WAN.

                          I suspect some battle.net sites don't use URLs but IP addressing, so you can create a Battle IP address group and add that to your firewall rule.

                          Ian
