
Firewall Rule Doesn't Work Correctly

Good afternoon. I work in VirtualBox. I have three virtual machines. The first is the Sophos firewall, the second is the Windows 10 client, and on the third I have an Ubuntu server.

The task is to block traffic from the Windows 10 client to the Ubuntu server by creating a firewall policy.

I did everything right, but it doesn't work for me. The task is to block ping from Windows 10 to the Ubuntu server. All three virtual machines are located on a common network.

1. Here is my Sophos IP.

2. This is the Windows 10 client IP.

3. And the Ubuntu server IP.

4. And this is my firewall policy, so this policy needs to block all internet traffic and also LAN traffic.

5. Here you can see that it is activated.

6. If I go to www.google.com, for example, this policy works exactly as expected.

7. But if I try to ping from the Windows 10 client (LAN) to the Ubuntu server (LAN), it works, but it shouldn't.

Please help me! I'm glad for any help!

  • Sorry, but it looks like you’re missing some basic network-knowledge.

    Your VMs can communicate because they're within the same network/subnet. Within the same subnet all devices communicate directly and do not route traffic through the gateway.

    Due to this, traffic will never pass your Sophos Firewall / gateway.
    Only traffic to WAN will be sent there; that's why blocking Google works.

    You should create another network on another port of your Sophos Firewall and connect one VM to that network.
    Then traffic between those multiple internal networks can pass the gateway/firewall.
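    An added illustration (not part of this thread, and not Sophos code) of the point above: a tiny model of the firewall's interfaces and zone rules that shows why the ping could not be blocked while both VMs shared one subnet, and what changes once Ubuntu is moved to the 10.0.0.0/24 network on PortC. The LAN and WAN addresses, the Windows client address and the rule list are assumptions for the example; only 10.0.0.254 on PortC and Ubuntu at 10.0.0.10 come from the thread.

    ```python
    import ipaddress

    # Constructed topology: interface -> (zone, directly connected subnet).
    # PortA and PortB addresses are assumptions; PortC/10.0.0.0/24 is from the thread.
    INTERFACES = {
        "PortA": ("LAN", ipaddress.ip_network("192.168.1.0/24")),   # assumed LAN
        "PortB": ("WAN", ipaddress.ip_network("203.0.113.0/24")),   # assumed WAN (TEST-NET-3)
        "PortC": ("DMZ", ipaddress.ip_network("10.0.0.0/24")),      # Sophos has 10.0.0.254 here
    }

    # Zone rules, evaluated top-down like the firewall's rule table. Constructed set.
    RULES = [
        ("DMZ", "WAN", "allow"),   # lets Ubuntu reach 8.8.8.8 (the traceroute check)
        ("LAN", "DMZ", "drop"),    # the block the original poster wants
        ("LAN", "WAN", "allow"),
    ]

    def zone_of(ip: str) -> str:
        """Zone of a host: the zone of the interface whose subnet contains it,
        otherwise WAN (anything not directly connected is reached via the default route)."""
        addr = ipaddress.ip_address(ip)
        for zone, net in INTERFACES.values():
            if addr in net:
                return zone
        return "WAN"

    def verdict(src: str, dst: str) -> str:
        """'direct' when src and dst share a subnet (the firewall never sees the
        packet, so no rule can apply); otherwise the first matching zone rule,
        falling back to the implicit default deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(s in net and d in net for _, net in INTERFACES.values()):
            return "direct"
        sz, dz = zone_of(src), zone_of(dst)
        for rule_src, rule_dst, action in RULES:
            if rule_src == sz and rule_dst == dz:
                return action
        return "drop"

    if __name__ == "__main__":
        # Original setup: both VMs on the LAN subnet -> ping is switched directly.
        print(verdict("192.168.1.10", "192.168.1.20"))   # direct
        # After moving Ubuntu to PortC: the packet crosses LAN -> DMZ and is dropped.
        print(verdict("192.168.1.10", "10.0.0.10"))      # drop
    ```
    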

  • Hello FFin. The fact is that I want to install an Ubuntu server in the DMZ, and do it in Sophos. And also the Windows 10 client must send traffic through this firewall, and the firewall must block this traffic that goes to the DMZ. The Ubuntu server should be running in the DMZ and the traffic should be blocked.

    I tried to do this without the DMZ, but if you're right, then there really won't be any traffic flowing through.

    What configurations do I need to fix? Let's change the IP or the ports.

  • Looking good.

    When you connect with PortC everything should be fine, as Sophos has 10.0.0.254 in that network. So both are within the same subnet.

    But you might need another firewall rule from DMZ to WAN. And of course LAN to DMZ and DMZ to LAN to communicate between Windows 10 and Ubuntu.

  • For some reason the ping is not working, is there something missing in the configuration or am I doing something wrong?

  • PortC says "unplugged", so you haven't connected the Ubuntu VM to Sophos PortC yet.

  • Now it is connected, but ping doesn't work. Also I don't have internet on the Ubuntu server. I'm trying to connect to www.google.com.

  • Hello,

    Have you modified the Drop all rule you put on top of the Rules?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • This is my "Rules and policies". At the moment I don't have any active rules. May I create one of them, or first try to connect from the Ubuntu server to the Sophos IP 172.16.16.16?

  • Create one Rule: Source Zone: DMZ, Network: Any, Destination Zone: WAN, Network: Any.

    You will not reach Sophos WebAdmin on 172.16.16.16 from Ubuntu. Just 10.0.0.254, because that's the Sophos IP in the Ubuntu network.
    But you need to allow Sophos access from the DMZ zone in System - Administration - Device Access.

    Then run "traceroute 8.8.8.8" from Ubuntu and see how far it goes...

    Hopefully Ubuntu is connected to PortC correctly.

  • So I have created this one rule, is it correct? Are there any other policies created that may not be displayed because they have the automatic group role? If so, how do I display these rules?

  • This is the tracert result.

  • Great, the trace is fine, so you have internet!

    Now create a rule from Source Zone LAN to Destination Zone DMZ and try to ping/access Ubuntu (10.0.0.10) from Windows 10.

    To expand grouped rules just press '+' on the left of these groups. Or just delete them.
