
Authentication on gov.br sites is being blocked

Dear all, we use a Sophos XG 135 with the latest firmware applied.

I am having problems authenticating on the gov.br sites.

As an example, the URL: https://sso.acesso.gov.br/login?client_id=www.gov.br&authorization_id=18d47433c8d

I receive a timeout warning at random.

There are no blocking rules. I have already created a bypass rule for *.gov.br, but the problem continues.

Connected directly to the ISP, outside the Sophos, the connection works normally.



  • Hello VLC INDÚSTRIA,

    Please check with the firewall rule "Plain" whether a security function as described below is applied on one of the source systems:

    If the website is working, there is a problem with a firewall security feature. Check the logs under Log Viewer and look at the allow/deny logs for web filters, application filters, IPS and SSL/TLS inspection.

    Apply the security policies one by one on a test firewall rule, the same as on the firewall rule through which the traffic is passing.

    If you found an issue with HTTP/S scanning, you can add it under Exceptions.

    Run tcpdump and a drop packet capture from the device console.

    See link: docs.sophos.com/.../index.html

    console> tcpdump 'host sso.acesso.gov.br'

    console> drop-packet-capture 'host sso.acesso.gov.br'

    Best regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hello, thank you for getting back to me. I still haven't managed to solve the issue. As mentioned, I'm using the XG 135 with the latest firmware applied. The XG allows internet access via MAC address rules with content filtering applied (web proxy). I've created a rule allowing access for my computer and the destination website, yet the access still isn't happening.

    I have 3 WAN links in load balance configuration. Even when I set up the rule to use only one of the links for outgoing traffic, the issue still persists.

    It's very strange because after several attempts or refreshing the page (pressing F5), the URL responds.

    In the logs, looking at the bypass rule for my IP, here's the result shown in the screenshot:

    I've already disabled HTTPS inspection, SSL, tried a bit of everything, and still haven't succeeded.

    "Thank you for the help. I apologize for the English, I used a translator."

  • Traffic is not getting forwarded. For troubleshooting, add a NAT rule positioned at the TOP as below.

    Also, add a firewall rule as guided above. It seems the firewall rule is not getting hit properly with the NAT rule; to confirm, start a packet capture from the GUI as well.

    Are all WAN links Active under WAN Link Manager?

    Share the output of tcpdump and the drop packet capture.

    You can jump from advanced shell to console by using the command: 

    # cish 

    console> tcpdump 'host sso.acesso.gov.br'

    console> drop-packet-capture 'host sso.acesso.gov.br'

    Duplicate SSH session to run drop packet capture with tcpdump.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hello, thank you for getting back to me. The issue was resolved after the ISP provider changed the WAN IP, there was some problem on their end when connected to Sophos. Your support and patience in helping were greatly appreciated. Thank you.

  • Expected! If you have a plain firewall rule and the NAT rule kept on TOP, and the packet is going out from the WAN interface with no IN packet, yes, there is always an issue from the ISP end.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.
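
The diagnosis in the last two replies (SYNs leave the WAN interface, nothing comes back, so the fault is upstream) can be checked mechanically against the capture the partner asked for. The following is an added example, not code from the thread or from Sophos: it assumes the console tcpdump prints each packet as `<time> <interface>, <IN|OUT>: IP <src>.<sport> > <dst>.<dport>: Flags [...]` (the layout shown here is an assumption), and the sample capture is constructed, with documentation-range addresses standing in for the WAN IPs and the gov.br server.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like SFOS console tcpdump output (interface,
# direction, then ordinary tcpdump text). Not real captured data; the
# addresses are documentation ranges, not the poster's WAN IPs.
SAMPLE_CAPTURE = """\
10:15:01.100 Port2, OUT: IP 203.0.113.45.51822 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
10:15:02.100 Port2, OUT: IP 203.0.113.45.51822 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
10:15:04.100 Port2, OUT: IP 203.0.113.45.51822 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0
10:15:10.200 Port3, OUT: IP 203.0.113.77.51823 > 198.51.100.10.443: Flags [S], seq 2, win 64240, length 0
10:15:10.230 Port3, IN: IP 198.51.100.10.443 > 203.0.113.77.51823: Flags [S.], seq 9, ack 3, win 65535, length 0
10:15:10.231 Port3, OUT: IP 203.0.113.77.51823 > 198.51.100.10.443: Flags [.], ack 10, win 64240, length 0
"""

# Assumed line layout; adjust the pattern if the real console output differs.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>[^,]+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Yield one dict per parseable tcpdump line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_handshakes(text, server_port=443):
    """Per interface, count outbound SYNs to server_port and inbound SYN-ACKs from it."""
    summary = defaultdict(lambda: {"syn_out": 0, "synack_in": 0})
    for pkt in parse_capture(text):
        flags = pkt["flags"]
        is_syn = "S" in flags and "." not in flags      # tcpdump prints a bare SYN as [S]
        is_synack = "S" in flags and "." in flags       # and SYN-ACK as [S.]
        if pkt["dir"] == "OUT" and is_syn and pkt["dport"] == str(server_port):
            summary[pkt["iface"]]["syn_out"] += 1
        elif pkt["dir"] == "IN" and is_synack and pkt["sport"] == str(server_port):
            summary[pkt["iface"]]["synack_in"] += 1
    return dict(summary)


def links_without_replies(text, server_port=443):
    """Interfaces that sent SYNs but never saw a SYN-ACK: the 'OUT but no IN' symptom."""
    counts = summarize_handshakes(text, server_port)
    return sorted(i for i, c in counts.items() if c["syn_out"] and not c["synack_in"])


if __name__ == "__main__":
    for iface, c in sorted(summarize_handshakes(SAMPLE_CAPTURE).items()):
        print(f"{iface}: {c['syn_out']} SYN out, {c['synack_in']} SYN-ACK in")
    print("links with no reply:", links_without_replies(SAMPLE_CAPTURE))
```

Run it against a saved capture (`tcpdump 'host sso.acesso.gov.br'` output pasted into a file) with all three WAN links active: a link that shows repeated SYNs and no SYN-ACK while another link completes the handshake points at that link's upstream path, which matches the intermittent timeouts the poster saw under load balancing. If the drop packet capture shows the same SYNs being dropped before they leave, the problem is a firewall rule or security feature instead, and the allow/deny logs from the earlier reply are the place to look.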