First time user looking to switch from another product due to it being sold and stripped

Sophos Firewall is NOT very intuitive so far. Nothing inbound works... but the default rule to let everything outbound does. So I figured I'd ask the community.

I've reverted to the simplest test I can think of: port forward ICMP from WAN to a LAN workstation.

First turned on ICMP on the WAN adapter to make sure it was listening from outside. It was so I turned ICMP off.

Second, made sure the Firewall can reach the workstation using its LAN connection; it can.

Created the rule:

WAN, Any, to LAN, workstation 172.16.16.17, with the predefined PING

Nothing. System isn't logging it. Just nothing. Can't forward anything.

At this point I can't test the system because it doesn't even port forward. Lots of time wasted trying to figure out why this easy test is so hard. Thanks
  • The Firewall Rule needs to be: WAN ANY - LAN + WAN IP + Ping 

    Use the NAT Assistance to do a DNAT. 
    You find the Guide in the online help: https://doc.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html

    __________________________________________________________________________________________________________________

  • I'm guessing it's happening right on install. The installer sucks. First thing that should happen after the console login is you should get to define the adapters, as it's a new install. On firewalls I mark the outside of the cards with abbreviated MAC addresses so I know what connection is plugged into what. They don't even show the MAC. The console Network Config / Interface config is now only showing Port1, Port2. This older test system has an Intel card with DUAL RJ45 (Port2, Port3) plus the built-in card (Port1). So of course now that I'm 80 miles away using my KVM to reset to factory defaults, the SFOS is using the wrong ports and only shows Port1 and Port2. Nothing is plugged into Port1. Grrrr. I'm sure many of you use this system with great success, but my initial reactions aren't positive.

     

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • You can move to the advanced shell (Option 5 + Option 3) and then use Linux to check whatever you need. For example, use ifconfig Port1 to find the MAC address.

    Keep in mind: SFOS behaves the same whether virtually or physically installed. So the installer for hardware as well as software is the same.

  • Thanks for the reply. You wrote: "WAN ANY - LAN + WAN IP + Ping"

    The test was to send ping to one specific workstation. In what you wrote, where is the workstation? The GUI writes it as WAN ANY - LAN Workstation + Ping.


  • Good to know. I also found show network macaddr port#.


  • You can find more information about NAT here as well: https://techvids.sophos.com/watch/qQzynSUroGrH9KzEGSnkPA

  • 2nd issue. My internal server logs show the firewall's address instead of the connecting client's address. Can I fix this? Plenty of other firewalls use iptables but don't seem to have this issue. What am I missing?

    Since this is a WAN alias address, I've created these two rules for in and out over WAN 49.

    Firewall rule

    #1 Inbound W49
    WAN, Any host
    LAN, WAN 49
    PING, Dest TCP 11799
    #1 G33 < W49
    LAN, Green 192.168.2.33
    WAN, Any host
    Any service

    NAT Rules

    #1 W49 < G33
    Source: Any host
    Service: PING, Dest TCP 11799
    Destination: WAN 49
    Source: MASQ
    Service: Original
    Destination: Green 192.168.2.33
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2023-12-13 19:33:07
    #1 G33 < W49
    Source: Green 192.168.2.33
    Service: Any service
    Destination: Any host
    Source: WAN 49
    Service: Original
    Destination: Original
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2023-12-13 19:33:14

  • You have MASQ for the DNAT Rule. So the appliance will MASQ the DNAT Traffic. 

    #1 W49 < G33
    Source: Any host
    Service: PING, Dest TCP 11799
    Destination: WAN 49
    Source: MASQ
    Service: Original
    Destination: Green 192.168.2.33
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2023-12-13 19:33:07


  • Without MASQ, and with it set to Original, the system won't allow replies from the LAN target 192.168.2.33.

    What do you recommend? 

    Without MASQ a simple incoming ping gets lost on the reply.


  • Seems to be a routing issue of the device.
    So to speak: if you leave it Original, the server does not send the replies to SFOS.

    Check the packet capture of the firewall and see if you see replies from the server.
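The exchange above boils down to a trade-off in the DNAT rule: with source MASQ the internal server sees the firewall's LAN address (so its access logs lose the real client), and with source Original it sees the real client but its reply only comes back through SFOS if the server routes Internet-bound traffic via the firewall. The following toy model, added here as an illustration and not code from the thread or from Sophos, makes that dependence explicit. It assumes a firewall LAN address of 192.168.2.1, a placeholder 203.0.113.49 for the "WAN 49" alias, and a constructed client 198.51.100.7; the server address and TCP port 11799 are the ones quoted in the thread. It goes one step beyond the posts by modelling the server's default gateway as the variable that decides whether the reply is seen.

```python
"""Toy model of DNAT with and without source MASQ (constructed example).

Assumptions not taken from the thread: firewall LAN IP 192.168.2.1, the
"WAN 49" alias stands in as 203.0.113.49, and the client is 198.51.100.7.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import ipaddress

FW_LAN_IP = "192.168.2.1"      # assumed firewall LAN address
WAN49_IP = "203.0.113.49"      # placeholder for the "WAN 49" alias
SERVER_IP = "192.168.2.33"     # Green host from the thread
CLIENT_IP = "198.51.100.7"     # constructed Internet client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Firewall:
    """DNAT the WAN alias to the server; optionally masquerade the source."""
    masq: bool
    conntrack: Dict[Tuple[str, str, int, int], Packet] = field(default_factory=dict)

    def inbound(self, pkt: Packet) -> Packet:
        if pkt.dst != WAN49_IP:
            raise ValueError("no DNAT rule matches")
        new_src = FW_LAN_IP if self.masq else pkt.src
        translated = Packet(new_src, SERVER_IP, pkt.sport, pkt.dport)
        # Record the state needed to undo the translation on the reply.
        key = (translated.dst, translated.src, translated.dport, translated.sport)
        self.conntrack[key] = pkt
        return translated

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the NAT for a reply; None means no state, so it is dropped."""
        orig = self.conntrack.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.src, orig.dport, orig.sport)


@dataclass
class Server:
    ip: str
    default_gw: str
    lan: ipaddress.IPv4Network = ipaddress.ip_network("192.168.2.0/24")
    log: List[str] = field(default_factory=list)

    def handle(self, pkt: Packet) -> Tuple[Packet, str]:
        """Log the peer as an access log would, build the reply, pick the next hop."""
        self.log.append(pkt.src)
        reply = Packet(self.ip, pkt.src, pkt.dport, pkt.sport)
        if ipaddress.ip_address(reply.dst) in self.lan:
            next_hop = reply.dst            # delivered directly on the LAN
        else:
            next_hop = self.default_gw      # off-LAN: goes to the default gateway
        return reply, next_hop


def simulate(masq: bool, server_gw: str) -> dict:
    """Run one client request through DNAT and report what each side observes."""
    fw = Firewall(masq=masq)
    srv = Server(SERVER_IP, server_gw)
    request = Packet(CLIENT_IP, WAN49_IP, 51515, 11799)
    reply, next_hop = srv.handle(fw.inbound(request))
    # Only a reply that actually passes through the firewall gets un-NATed.
    to_client = fw.reply(reply) if next_hop == FW_LAN_IP else None
    return {
        "server_logged": srv.log[0],
        "reply_reaches_client": to_client is not None and to_client.src == WAN49_IP,
    }


if __name__ == "__main__":
    print("MASQ, server gateway elsewhere:", simulate(True, "192.168.2.254"))
    print("Original, server gateway = firewall:", simulate(False, FW_LAN_IP))
    print("Original, server gateway elsewhere:", simulate(False, "192.168.2.254"))
```

The third case is the one the thread ends on: with source Original the reply is addressed to the client, so it follows the server's default route, and if that route does not go through SFOS the firewall never sees it and the packet capture suggested above will show the request but no reply. Pointing the server's default gateway at the firewall (or adding a route for the relevant source ranges) is what lets source Original work while keeping the real client address in the server logs.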