hen the VPN is connected with firewall just the local application/network should be accessible.

Question

SSL VPN is used as full tunnel and the requirement is when the VPN is connected with firewall just the local application/network should be accessible. 
 
 Checked the configuration and it was proper 
 NO VPN to WAN rule was present hence the WAN traffic was being dropped as expected. 
 All websites and pings were dropping on the firewall as expected. 
 The issue we are facing is that on telegram application we are still able to send and receive messages. 
 Any download or upload is not working, just messages are working.

Telegram itself is not pinging or telnetting. 
 Nslookup also not working. 
 Checked routes on the machine itself. 
 Tracert also ended on the VPN interface itself. 
 Created a VPN to ANY drop rule on the firewall and chedked again. 
 Still we were able to send and receive messages.

Found an IP-address (149.154.167.197) which is used for telegram messenger and I was able to telnet it. 
 The same IP is not pingable. 
 Took capture while pinging the IP and it was dropping as expected. 
 While telnetting it was taking the same rule but it was showing that the tun7 itself was replying. 
 In TCPdump also observed the same. 
 Took Conntrack entries and there was no out interface and rule also it was taking proper. 
 Took capture on port 443 itself to see if the packets were being NATted anywhere and there too in capture it was showing directly tun7 replying. 
 Checked routes on the firewall itself. 
 From firewall itself the IP was showing route behind WAN.

Vishal_R · Answer

Hi naveen User Currently it is expected working behavior where SSL VPN will not tear down the existing session in the end machine. 
 This would be a Feature Request; I'd recommend you reach out to your Channel Account Manager, Sales Engineer, or Sales Representative so that they can enter this request into our system. 
 Additionally , you can use the in-product feedback in the Sophos Firewall located in the Top Menu Bar.

Vishal_R · Answer

Hi naveen User Thank you for reaching out to the Sophos community team. As of now I suspect or assume Firewall side rule settings are proper only and no allow rule there then another possible reason could be the Telegram connection/session was already active before the SSL VPN was connected, due to that the application traffic will continue using that previous route instead of the default route over the tunnel adapter. 
 Maybe you can wait for a few min. 10-15 minutes to see if that route cache expires OR You may run arp -d (In end machine) from the command prompt after the SSL VPN tunnel is established. Then see if the Telegram application sends and receives messages fails. 
 Please note the SSL VPN will not tear down the existing session of the end machine. 
 You may narrow down the issue/situation further as per below to validate on this: 
 1)Please ensure all sessions of the Telegram application are closed on the machine. From the same machine connect SSL VPN and post this procedure start the Telegram application. 
 ->In this test case, Please confirm Telegram application sends and receives messages working or not. 
 2)Please ensure SSL VPN is in a disconnected state in the machine and Open the telegram application and wait till it's getting connected to the server. Now, connect the SSL VPN, and confirm the application can send and receive messages. 
 If Point 1) test case is preventing the Telegram Application connection ( send and receive messages) all the time then it is expected as you have not allowed VPN to WAN traffic over Firewall. 
 If Point 2) test case matches your scenario then as mentioned above SSL VPN will not tear down the existing session and due to that it is expected active connection will work as it is from the system default adapter (LAN/WiFi). 
 For packet-related details, You may install Wirehshark on to end machine and open two Wireshark sessions in the machine 1) one session for capturing traffic on the default interface (LAN/WiFi) and 2) the second session for capturing traffic over the SSL VPN adapter. 
 You may validate traffic for Telegram passing through which adapter during the above test cases. Note: You may also check "Local Address" details under the Windows Resource Monitor > Network > TCP Connection during the above test to see from which local address the app is connected to the server.

hen the VPN is connected with firewall just the local application/network should be accessible.

Top Replies