What did I do wrong?
Hi Ben Woolley ,
Thank you for reaching out to the community. May we know the reason for adding an any-to-any rule instead of a well-defined zone-to-zone rule?
REF - Add a NAT rule
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
It was part of my attempt to create a more well-defined zone-to-zone rule. I am not familiar with the VoIP system; I inherited it from another MSP. I am replacing an old SonicWall with a Sophos and these phones were not connecting. The phone server is on another VLAN. I added the any/any and they connected, so I was looking at a packet capture to narrow down what that well-defined zone-to-zone rule needed. When I added the new rules and turned off the any/any, the phones disconnected again. I turned off the new rules and re-enabled the any/any and the phone was still getting blocked.
I had to call into support, and after they did some troubleshooting they had to do some back end stuff using SSH to fix it.
Problem statement
Steps Taken
It is definitely frustrating that it would take something like this to fix the problem. How would someone like me who has not studied and mastered the CLI be able to figure this out? If I turn off or delete a rule using the GUI, I expect it to be turned off or deleted. The fact that any/any was still blocking something from a deleted rule is crazy.
Sorry for the rant.
Hi,
If a device has an established connection, then disabling or deleting the rule will not drop the connection; this is from previous posts on similar subjects.
Ian
XG115W - v20.0.2 MR-2 - Home
XG on VM 8 - v21 GA
If a post solves your question please use the 'Verify Answer' button.
__________________________________________________________________________________________________________________
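The behaviour Ian describes, as a toy model added here (it is not SFOS code, and the zones, port and rule name are constructed): a stateful filter consults the rule base only for the first packet of a flow, so disabling the rule leaves the already-tracked session alive until the connection table is flushed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """Constructed 5-tuple stand-in: just the zones and destination port."""
    src_zone: str
    dst_zone: str
    dst_port: int

@dataclass
class Rule:
    name: str
    src_zone: str   # "ANY" matches every zone
    dst_zone: str
    action: str     # "allow" or "drop"
    enabled: bool = True

class StatefulFirewall:
    """Minimal stateful packet filter: the rule base decides only the first
    packet of a flow; later packets match the connection table and never
    touch the rules again, which is why a disabled rule keeps 'working'."""
    def __init__(self, rules):
        self.rules = rules
        self.conntrack: set[Flow] = set()

    def _lookup(self, flow):
        for r in self.rules:
            if not r.enabled:
                continue
            if r.src_zone in ("ANY", flow.src_zone) and r.dst_zone in ("ANY", flow.dst_zone):
                return r.action
        return "drop"  # implicit default deny when no rule matches

    def packet(self, flow):
        if flow in self.conntrack:
            return "allow"  # established session: rule base not consulted
        if self._lookup(flow) == "allow":
            self.conntrack.add(flow)
            return "allow"
        return "drop"

    def flush_conntrack(self):
        self.conntrack.clear()  # forces every flow to be re-evaluated

def demo():
    any_any = Rule("any/any", "ANY", "ANY", "allow")
    fw = StatefulFirewall([any_any])
    sip = Flow("LAN", "VOIP", 5060)          # constructed phone-to-PBX flow
    first = fw.packet(sip)                   # allowed by any/any, tracked
    any_any.enabled = False                  # "turn off" the rule in the GUI
    after_disable = fw.packet(sip)           # still allowed: session exists
    fw.flush_conntrack()                     # drop the tracked session
    after_flush = fw.packet(sip)             # re-evaluated, now dropped
    return first, after_disable, after_flush
```

The same model explains the reverse surprise: a session that was tracked as dropped-or-allowed under the old rule set keeps that fate until it is cleared, so after a rule change the check a practitioner wants is the connection table, not just the rule list.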
Thanks for that, but I think you are still missing the point of my question. It was not specifically about VoIP behaving badly, but the fact that an ANY/ANY rule was still blocking traffic.