Moved to Sophos XG from a Fortigate, all seems to work OK but the battle.net client. It won't connect. Disabled SSL inspection, no change. Created a new rule for the PC, disabled all inspection, IPS and the like and put the rule at the top, issue still remains.
I see in the logs it's hitting the rule, so it's using it.
Change my gateway to old Fortigate IP and battle.net client connects.
It's something on Sophos, but logs look OK, and allow all traffic... any thoughts?
Hi,
please post a copy of your rule. Sounds like you have an SSL decrypt and scan which the software does not like.
You can create an exception for the battle.net site.
Ian
XGS118 - v21.0.1 MR1
XG115 converted to software licence v21.0.1 MR-1
If a post solves your question please use the 'Verify Answer' button.
The never-ending story with Sophos generally.
Horror with Microsoft exceptions, and also with many other programs.
For Blizzard / Battle.net I have the following URLs configured in exceptions:
^([a-zA-Z0-9.-]*\.)?origin-[A-Za-z]\.akamaihd\.net/
^([a-zA-Z0-9.-]*\.)?eaassets([0-9])*-[A-Za-z]\.akamaihd\.net/
^([a-zA-Z0-9.-]*\.)?akamaihd\.net/
^([a-zA-Z0-9.-]*\.)?blizzard\.com/
^([a-zA-Z0-9.-]*\.)?blzddist1-a.akamaihd\.net/
^([a-zA-Z0-9.-]*\.)?battle\.net/
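To check what the six patterns above actually let through before pasting them into a Sophos web exception, here is a small added test harness (not from the thread or from Sophos). It assumes, as the Sophos exception syntax does, that the regex is matched against the URL with its scheme removed (`host/path`). The sample URLs are constructed; note that the fifth pattern as posted has an unescaped dot between `blzddist1-a` and `akamaihd`, so it also matches a host where any single character sits in that position, which the last sample shows.

```python
import re

# Exception patterns exactly as posted in the thread above.
EXCEPTION_PATTERNS = [
    r"^([a-zA-Z0-9.-]*\.)?origin-[A-Za-z]\.akamaihd\.net/",
    r"^([a-zA-Z0-9.-]*\.)?eaassets([0-9])*-[A-Za-z]\.akamaihd\.net/",
    r"^([a-zA-Z0-9.-]*\.)?akamaihd\.net/",
    r"^([a-zA-Z0-9.-]*\.)?blizzard\.com/",
    r"^([a-zA-Z0-9.-]*\.)?blzddist1-a.akamaihd\.net/",   # note the unescaped '.'
    r"^([a-zA-Z0-9.-]*\.)?battle\.net/",
]

COMPILED = [re.compile(p) for p in EXCEPTION_PATTERNS]


def strip_scheme(url: str) -> str:
    """Return the URL without its scheme, i.e. 'host/path'.

    Assumption: Sophos applies exception regexes to the URL without the
    'https://' prefix, which is why every posted pattern starts at the host.
    """
    return re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", "", url)


def matching_exceptions(url: str) -> list[str]:
    """Return every posted pattern that matches the URL (scheme removed).

    re.match anchors at the start, and each pattern also carries '^', so a
    host that merely ends in 'battle.net' (e.g. 'notbattle.net') does not
    match: the optional prefix group must end in a literal dot.
    """
    target = strip_scheme(url)
    return [p.pattern for p in COMPILED if p.match(target)]


def is_excepted(url: str) -> bool:
    """True if at least one exception pattern would bypass scanning for url."""
    return bool(matching_exceptions(url))


if __name__ == "__main__":
    # Constructed sample URLs, not captured traffic.
    samples = [
        "https://us.battle.net/login/en/",
        "https://blzddist1-a.akamaihd.net/tpr/bnt001/",
        "https://notbattle.net/",                 # not a subdomain: no match
        "https://evil.example/battle.net/",       # '/' is not in the prefix class
        "https://blzddist1-aXakamaihd.net/",      # only the unescaped-dot pattern hits
    ]
    for s in samples:
        hits = matching_exceptions(s)
        print(f"{s:45} -> {'EXCEPTED' if hits else 'inspected':9} {hits}")
```

Run it as-is to see which sample URLs would be exempted from scanning; the output for the last sample is the reason to escape the dot (`blzddist1-a\.akamaihd\.net/`) if you keep the regex form rather than a plain domain list.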
Hi,
what exceptions did you apply? Are you using the Web proxy?
Please post a copy of your rule.
When reviewing logviewer did you see all of the exceptions listed? What ports have you listed?
Ian
A list of ports you need in your rule; also, battle.net will not work with SSL/TLS even with an exception.

| Protocol | Ports |
|---|---|
| TCP | 80, 443, 1119, 1120, 3074, 3724, 4000, 6112-6120, 27014-27050 |
| UDP | 80, 443, 1119, 1120, 3478-3479, 3724, 4000, 4379-4380, 5060, 5062, 6112-6119, 6250, 27000-27031, 27036, 12000-64000 |
Ian
Sorry, am I stupid?
Which exactly was the solution?
Web protection exceptions, firewall policies or a combination of both?
Ah yes, so the list from me worked? If so, it would be nice to mark that also as the solution... ;) For several games and clients there are different exceptions.
The ports mentioned by rfcat, did they have any relevance in any policy?
SSL/TLS exceptions (Web -> URL Groups) should be good enough and you don't need that Reg-Ex stuff, just add the domains:
This. You shouldn't be using the old-school web proxy, but rather the new DPI inspection, and when you use that this URL group is sufficient. No need for crazy regexes.
Hi,
rather than using the SSL/TLS exclusion list, which is updated and overwritten with each firmware release, create an FQDN group for the battle.net URLs and create a firewall rule at the top of your list similar to this:
Source LAN, network PC LAN, destination WAN, network FQDN group, allow all services, log and enable IPS LAN to WAN.
I suspect some battle.net sites don't use URLs but IP addressing, so you can create a Battle IP address group and add that to your firewall rule.
Ian