
First time user looking to switch from another product due to it being sold and stripped

Sophos Firewall is NOT very intuitive so far. Nothing inbound works...but the default rules to let everything outbound do. So I figured I'd ask the community.

I've reverted to the simplest test I can think of....Port forward ICMP from WAN to a LAN workstation..

First turned on ICMP on the WAN adapter to make sure it was listening from outside. It was so I turned ICMP off.

Second, made sure the Firewall can reach the workstation using its LAN connection; it can.

Created the Rule,

WAN, Any,  to  LAN, workstation 172.16.16.17  with the predefined PING

Nothing. System isn't logging it. Just nothing. Can't forward anything.

At this point I can't test the system because it doesn't even port forward. Lots of time wasted trying to figure out why this easy test is so hard. Thanks



  • 2nd issue. My internal server logs show the firewall's address instead of the connecting client's address. Can I fix this? Plenty of other firewalls use iptables but don't seem to have this issue. What am I missing?

    Being this is a WAN alias address, I've created these two rules for in and out over WAN 49.

    Firewall rule

    #1 Inbound W49
    WAN, Any host
    LAN, WAN 49
    PING, Dest TCP 11799
    #1 G33 < W49
    LAN, Green 192.168.2.33
    WAN, Any host
    Any service

    NAT Rules

    #1 W49 < G33
    Source: Any host
    Service: PING, Dest TCP 11799
    Destination: WAN 49
    Source: MASQ
    Service: Original
    Destination: Green 192.168.2.33
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2023-12-13 19:33:07
    #1 G33 < W49
    Source: Green 192.168.2.33
    Service: Any service
    Destination: Any host
    Source: WAN 49
    Service: Original
    Destination: Original
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2023-12-13 19:33:14
    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • You have MASQ for the DNAT Rule. So the appliance will MASQ the DNAT Traffic. 

    #1 W49 < G33
    Source: Any host
    Service: PING, Dest TCP 11799
    Destination: WAN 49
    Source: MASQ
    Service: Original
    Destination: Green 192.168.2.33
    Inbound: Any interface
    Outbound: Any interface
    Last used: 2023-12-13 19:33:07

    __________________________________________________________________________________________________________________

  • You keep saying it's not SFOS, but if I change the NAT rules to use the standard #Port2 the ICMP packets get delivered as expected.

    The issue is sending to the alias #Port2:0. That's 100% SFOS. I must have something missing when creating the alias, or SFOS isn't, as you said, routing alias traffic properly without MASQ.


  • It seems the issue is my using IP address or group names instead of #Port2:0 in the rules. Lesson learned. Thanks for your help. 


  • Any way to speed up the log viewer? It's annoying having to wait, and the times are wrong at that point. Do most just use the PCAP viewer? If so, on a system that has LOTS of traffic it fills way fast....What's the best way to view realtime logs on this system with the ability to pause?


  • You can use filters (BPF filters) to check only the traffic you want to see.

    But I am still not sure what your problem was.

    Because your traffic capture clearly states SFOS did its job: traffic forwarded to the destination server and no reply. If you have no reply, it is likely that your server behind SFOS is not replying or is sending the reply to a wrong destination.

    So even if your alias (in DNAT) is not correct, this would not generate a working setup in terms of MASQ.

    Many questions remain open here. Also, your post about "mistakes" is quite confusing. #Portx.0-10 are the alias interfaces, generated by the system. They are for the destination NAT. But again, that is not in relationship to your problem at all.

    The docs for DNAT are actually quite straight forward: https://doc.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/NATRules/RulesPoliciesCreateDNATAndFirewallRulesForInternalServers/index.html as linked here as well. 
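The two replies above make one point between them: with MASQ on the DNAT rule the server sees the firewall's LAN address (which is what the original poster's server logs showed), while with the translated source left as "Original" the server sees the real client but must be able to route its reply back through the firewall, otherwise the capture shows the forward packet and no reply. The following is an added example, not code from the thread or from Sophos, that models exactly those two settings and the server's return path. All addresses are constructed stand-ins (203.0.113.49 for the "WAN 49" alias, 192.168.2.1 for the firewall's Green/LAN interface, 198.51.100.7 for an Internet client); the server 192.168.2.33 and the services PING and TCP 11799 are taken from the rules posted in the thread.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample addresses (assumptions, not values from the thread).
WAN_ALIAS = "203.0.113.49"       # stands in for the "WAN 49" alias IP
FW_LAN_IP = "192.168.2.1"        # the firewall's Green/LAN interface address
SERVER = "192.168.2.33"          # internal server from the posted rules
LAN_NET = ip_network("192.168.2.0/24")
CLIENT = "198.51.100.7"          # an Internet client pinging / connecting to the alias


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "icmp" or "tcp"
    dport: Optional[int] = None  # None for ICMP


@dataclass(frozen=True)
class DnatRule:
    """Shape of the DNAT rule in the thread: original dst WAN 49, service PING or
    TCP 11799, translated dst Green 192.168.2.33, translated source Original or MASQ."""
    original_dst: str
    translated_dst: str
    services: frozenset          # set of (proto, dport) tuples
    translated_src: str          # "Original" keeps the client IP, "MASQ" rewrites it


def apply_dnat(pkt: Packet, rule: DnatRule) -> Optional[Packet]:
    """Return the packet as the internal server receives it, or None if the rule
    does not match (nothing is forwarded and there is nothing to log)."""
    if pkt.dst != rule.original_dst or (pkt.proto, pkt.dport) not in rule.services:
        return None
    # MASQ replaces the source with the address of the interface the packet leaves
    # on, i.e. the firewall's LAN IP; Original leaves the client's address untouched.
    new_src = FW_LAN_IP if rule.translated_src == "MASQ" else pkt.src
    return replace(pkt, src=new_src, dst=rule.translated_dst)


def reply_returns_via_firewall(delivered: Packet, server_default_gw: str) -> bool:
    """Model the server's reply. The firewall can only reverse the NAT if the reply
    passes through it: a reply to an on-LAN address (the MASQ case) always does,
    a reply to an off-LAN client only does if the firewall is the server's gateway."""
    reply_dst = ip_address(delivered.src)
    if reply_dst in LAN_NET:
        return True
    return server_default_gw == FW_LAN_IP


def simulate(translated_src: str, server_default_gw: str,
             pkt: Packet = Packet(CLIENT, WAN_ALIAS, "icmp")) -> Tuple[Optional[str], bool]:
    """Return (source address the server logs, whether the client gets a reply)."""
    rule = DnatRule(WAN_ALIAS, SERVER,
                    frozenset({("icmp", None), ("tcp", 11799)}), translated_src)
    delivered = apply_dnat(pkt, rule)
    if delivered is None:
        return None, False
    return delivered.src, reply_returns_via_firewall(delivered, server_default_gw)


if __name__ == "__main__":
    for snat in ("MASQ", "Original"):
        for gw in (FW_LAN_IP, "192.168.2.254"):
            logged, ok = simulate(snat, gw)
            print(f"SNAT={snat:8} server gw={gw:14} server logs src={logged:14} reply ok={ok}")
```

Running it shows the trade-off the thread circles around: MASQ always produces a working reply path but the server logs 192.168.2.1 for every client, while "Original" keeps the client address in the server logs and only works when the server's default gateway is the firewall. A capture showing the forwarded packet with no reply, as in the thread, is the "Original" row with a wrong gateway, which is a server-side routing problem rather than a DNAT problem.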

  • The issue was with SFOS. The Wizard allowed me to create IP addresses for the alias #Port2:0. The NAT rules don't like these and caused the issue. Using #Port2:0 wherever the GUI allowed it fixed the issue. I no longer need to use MASQ. The Docs DON'T state this and the examples show IPs can be used. They can't.


  • This works

    Firewall


  • But you said: It worked with MASQ instead of SNAT Original? 
    Now you are changing the DNATs. 
    Because still, it will work with your own generated objects; the #Port objects are helpers for easy configuration, but an object based on IPs will work the same way.
    Can you show the object, you used instead of #port2:0? 
    (And still, based on your screenshot above, it does not make sense, as SFOS did forward the traffic as expected).

    This is a perfectly normal forward traffic. 


  • Using anything but #Port2:0 fails and requires MASQ in SFOS 20.0.0 GA-Build222.

    The docs show IPs are allowed, Host Group names also don't seem to work.


  • I don't know what to tell ya. Now you're feeling the same as me. I spent a lot more time than I wanted to on this. It must be a bug if you're telling me it should have worked. The logs showed it should have been working but it didn't. The only difference was changing the Dest to the direct interface #port2:0. If Destination Networks or Original destination contain IP Hosts or Groups of the #Port2:0, SNAT Original doesn't work.


  • I just forced the firewall to restart and changed the #Port2:0 to an IP name and another to a host group name, and it works as you suggest. Only thing I can think of is SFOS was holding on to something and was flushed. I should have restarted it a day ago. What an f*ken headache. I 100% swear nothing has changed on the LAN side.
