Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

First time user looking to switch from another product due to it being sold and stripped

Sophos Firewall is NOT very intuitive so far. Nothing inbound works...but the default rules to let everything outbound does. So figured id ask the community.

I've reverted to the simplest test I can think of....Port forward ICMP from WAN to a LAN workstation..

First turned on ICMP on the WAN adapter to make sure it was listening from outside. It was so I turned ICMP off.

Second made sure the Firewall can reach the workstation using its LAN connection, it can 

Created the Rule,

WAN, Any,  to  LAN, workstation 172.16.16.17  with the predefined PING

.Nothing. System isn't logging it. Just nothing. Cant forward anything.

At this point I cant test the system because it doesn't even port forward. Lots of time wasted trying to figure out why this easy test is so hard.   Thanks  



This thread was automatically locked due to age.
Parents
  • 2nd issue.  My internal server logs show the firewalls address instead of the connecting clients address. Can I fix this?  Plenty of other firewalls use iptables but don't seem to have this issue. What am I missing?  

    Being this is a WAN alias address i've created these two rules for in and out over WAN 49.

    Firewall rule

    #1 Inbound W49
    WAN, Any host
    LAN, WAN 49
    PING, Dest TCP 11799
    #1 G33 < W49
    LAN, Green 192.168.2.33
    WAN, Any host
    Any service

    NAT Rules

    #1 W49 < G33
    Source: Any host
    Service: PING, Dest TCP 11799
    Destination: WAN 49
    Source: MASQ
    Service: Original
    Destination: Green 192.168.2.33
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2023-12-13 19:33:07
    #1 G33 < W49
    Source: Green 192.168.2..33
    Service: Any service
    Destination: Any host
    Source: WAN 49
    Service: Original
    Destination: Original
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2023-12-13 19:33:14
    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • You have MASQ for the DNAT Rule. So the appliance will MASQ the DNAT Traffic. 

    #1 W49 < G33
    Source: Any host
    Service: PING, Dest TCP 11799
    Destination: WAN 49
    Source: MASQ
    Service: Original
    Destination: Green 192.168.2.33
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2023-12-13 19:33:07

    __________________________________________________________________________________________________________________

  • Logs show the firewall receives them on the return trip but does nothing with them when set to "original" 

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • Firewall Logs only show the initial packet. Check the packet capture for the traffic flow. 

    Link us a screenshot of the packet capture. 

    __________________________________________________________________________________________________________________

  • The traffic flow is a bit hard to track. The connection IDs stop at the firewall. 

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • The traffic flow is a bit hard to track. The connection IDs stop at the firewall. 

    I see no return to the Sender anywhere when Original is selected. I also don't see ICMP being returned from 192.168.2.33 

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • Likely because your server (192.168.2.33) answers to someone else. 
    What you see here is the actual packet capture on the interface (tcpdump). 

    If you say: MASQ works but original does not - This is 99% routing problem on the client. 

    The client receives your packet like you see here with the WAN IP and sends the reply to another destination (not firewall). If you do MASQ on the firewall, the client will answer the firewall directly. 

    You could do a wireshark dump on the client to check it. 

    I can guarantee you this is not a SFOS problem, instead a general network / routing problem within your network. 

    __________________________________________________________________________________________________________________

  • Only a non managed switch is between SFOS and workstation. The Gateway shown on the machine is the firewall. Simple network. That's why I'm perplexed on why the SFOS is giving me so much trouble with these simple tests. If the routing is incorrect its the SFOS,

    Any suggestions on what to possibly check? Seems like a lot of work for what other systems would consider a simple port forward. 

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • I should add that i like most of the other features SFOS offers and have been working well and as expected. My current firewall sold out and is getting rid of alot of stuff that makes it what it is. Soooo if I can just figure out this strange issue to aliases and port forwards I might move forward.

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • Do you have a firewall rule on the server to permit pings from outside? What product do you use on the server? Windows for example can deny pings from the outside. 

    __________________________________________________________________________________________________________________

  • Server can't by default allow pings. 

    The test machines firewall is off and accepting ICMP from all networks. Nothing else is running that would intercept packets. Its straight Firewall to test machine and Test machine to Firewall. 

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • Can you run a tcpdump on the product behind your firewall? I am still sure, it is a problem in your network and not the firewall. 

    What OS do you run there? does it allow tcpdump or wireshark? 

    __________________________________________________________________________________________________________________

Reply
  • Can you run a tcpdump on the product behind your firewall? I am still sure, it is a problem in your network and not the firewall. 

    What OS do you run there? does it allow tcpdump or wireshark? 

    __________________________________________________________________________________________________________________

Children
  • You keep saying its not SFOS but if I change the NAT rules to use the standard #Port2 the ICMP packets get delivered as expected. 

    The issue is sending to the Alias #Port2:0. That's 100% SFOS. I must have something missing when creating the alias or SFOS isn't as you said routing alias traffic properly with out MASQ 

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • It seems the issue is my using IP address or group names instead of #Port2:0 in the rules. Lesson learned. Thanks for your help. 

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • Any way to speed up the log viewer? Its annoying having to wait and the times are wrong at that point. Do most just use the PCAP viewer?  If so on a system that has LOTS of traffic it fills way fast....What's the best way to view realtime logs on this system with the ability to pause? 

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • You can use filters (BPF Filters) to check only the traffic, you want to see. 

    But i am still not sure, what your problem was. 

    Because your traffic caption clearly states SFOS did its job - traffic forwarded to the destination server and no reply. If you have no reply, it is likely that your server behind SFOS is not replying or sending the reply to a wrong destination. 

    So even if you alias (in dnat) is not correct, this would not generate a working setup in terms of MASQ. 

    Many questions remain open here. Also your post about "mistakes" are quite confusing. #Portx.0-10 are the alias interfaces, generated by the system. They are for the destination nat. But again, that is not in relationship to your problem at all. 

    The docs for DNAT are actually quite straight forward: https://doc.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html as linked here as well. 

    __________________________________________________________________________________________________________________

  • The issue was with SFOS. The Wizard allowed me to create IP addresses for the alias #Port2:0.  The NAT rules don't like these and caused the issue. Using #Port2:0 wherever the GUI allowed it fixed the issue. I nolonger need to use MASQ.   The Docs DONT state this and the examples show IPs can be used. They cant. 

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • This works

    Firewall

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • But you said: It worked with MASQ instead of SNAT Original? 
    Now you are changing the DNATs. 
    Because still - It will work with own generated objects, the #Port Objects are helper for easy configuration - But a object based on IPs will work the same way. 
    Can you show the object, you used instead of #port2:0? 
    (And still, based on your screenshot above, it does not make sense, as SFOS did forward the traffic as expected).

    This is a perfectly normal forward traffic. 

    __________________________________________________________________________________________________________________

  • using anything but #Port2:0 fails and requires MASQ.in SFOS 20.0.0 GA-Build222 

    The docs show IPs are allowed, Host Group names also don't seem to work.

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • I don't know what to tell ya. Now you're feeling the same as me. I spent alot more time than I wanted to on this. It must be a bug if your telling me it should have worked.. The logs showed it should have been working but it didn't.    The only difference was changing the Dest to the direct interface #port2:0 .  If Destination Networks or Original destination contain IP Hosts or Groups of the #Port2:0 SNAT Original doesn't work.

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • I just forced the firewall to restart and changed the #Port2:0 to a IP name and a another to a host group name and it works as you suggest. Only thing I can think of is SFOS was holding on to something and was flushed. I should have restarted it a day ago. What an f*ken headache. I 100% swear nothing has changed on the LAN side.

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~