
Sophos XGS firewall Rule Configuration

Hi Community,

I configured a firewall rule for VPN to LAN connection and another for LAN to WAN connection, attaching a NAT rule with MASQ for internet access. Despite this, I could establish a VPN connection with the Sophos Connect client but couldn't perform any actions like SSH or ping.

When I removed the above two rules and created a rule to allow VPN to WAN, everything worked as expected.

Could you review my configuration and suggest any changes to ensure that my VPN to LAN and LAN to WAN firewall rules work properly?

I have attached screenshots for reference.


Thank You.



  • Hello,

    I could see that the LAN to WAN and VPN to LAN rules are proper. With the VPN to LAN rule, you shall only be able to access the local resources that are shared.

    Are you using a full tunnel or a split tunnel in the VPN? If it is a full tunnel, we will need a VPN to WAN rule with the NAT applied to route the internet via the firewall for the VPN client.

    Also, you may capture the tcpdump/drop packets while recreating the issue. You may paste the tcpdump and drop packet capture here for review.

    Mayur Makvana
    Technical Account Manager | Global Customer Experience

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question please use the 'Verify Answer' button.
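
To make the zone-matching point in the reply above concrete, here is an added example: a toy zone-based policy evaluator I wrote for this thread, not Sophos code and not from the original post. It assumes a constructed VPN client pool of 10.81.234.0/24, a LAN of 192.168.1.0/24, everything else treated as WAN, rule names matching the question, and the SFOS behaviour that traffic matching no rule is dropped. It shows why a LAN to WAN rule never carries a full-tunnel VPN client's internet traffic (the source zone is VPN, not LAN) and why a split-tunnel client never sends internet traffic to the firewall at all. It does not model the poster's specific failure of SSH/ping to the LAN; that is what the drop packet capture is for.

```python
"""Toy zone-based policy evaluator (added example; not Sophos code).

Shows why a LAN to WAN rule does not carry a full-tunnel VPN client's
internet traffic: rules are matched on the packet's source zone, and a
Sophos Connect client's traffic enters the firewall in the VPN zone.
All addresses and rule names below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing: VPN client pool and LAN subnet; anything else is WAN.
ZONE_NETWORKS = {
    "VPN": [ip_network("10.81.234.0/24")],
    "LAN": [ip_network("192.168.1.0/24")],
}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str = "accept"  # "accept" or "drop"
    masq: bool = False      # linked NAT rule with MASQ (source NAT to the WAN address)


@dataclass
class Verdict:
    src_zone: str
    dst_zone: str
    rule: Optional[str]
    action: str             # "accept", "drop", or "bypass" (never enters the tunnel)
    masq: bool = False


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are treated as WAN."""
    addr = ip_address(ip)
    for zone, nets in ZONE_NETWORKS.items():
        if any(addr in net for net in nets):
            return zone
    return "WAN"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> Verdict:
    """First matching rule wins, top to bottom; no match means drop (the SFOS default)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in rules:
        if rule.src_zone == src_zone and rule.dst_zone == dst_zone:
            return Verdict(src_zone, dst_zone, rule.name, rule.action,
                           rule.masq and rule.action == "accept")
    return Verdict(src_zone, dst_zone, None, "drop")


def client_traffic(rules: List[Rule], full_tunnel: bool,
                   client_ip: str, dst_ip: str) -> Verdict:
    """Fate of a packet the VPN client sends to dst_ip."""
    dst_zone = zone_of(dst_ip)
    if not full_tunnel and dst_zone != "LAN":
        # Split tunnel: only the pushed LAN route goes through the tunnel.
        # Internet traffic leaves via the client's own uplink and never
        # reaches the firewall, so no VPN to WAN rule is consulted.
        return Verdict("VPN", dst_zone, None, "bypass")
    return evaluate(rules, client_ip, dst_ip)


# The two rules described in the question, then the same set plus VPN to WAN.
ORIGINAL_RULES = [
    Rule("VPN to LAN", "VPN", "LAN"),
    Rule("LAN to WAN", "LAN", "WAN", masq=True),
]
FIXED_RULES = ORIGINAL_RULES + [Rule("VPN to WAN", "VPN", "WAN", masq=True)]


if __name__ == "__main__":
    client, lan_host, internet = "10.81.234.5", "192.168.1.10", "203.0.113.10"
    for full_tunnel in (False, True):
        for label, rules in (("original", ORIGINAL_RULES), ("with VPN to WAN", FIXED_RULES)):
            for dst in (lan_host, internet):
                v = client_traffic(rules, full_tunnel, client, dst)
                print(f"{'full' if full_tunnel else 'split'} tunnel, {label:16} "
                      f"{client} -> {dst}: {v.src_zone}->{v.dst_zone} "
                      f"rule={v.rule} {v.action}{' +MASQ' if v.masq else ''}")
```

Running it prints one line per combination; the row to look at is full tunnel with the original rules and an internet destination, which comes out as VPN->WAN with no rule and a drop, while the same packet under the extended rule set is accepted with MASQ. For the actual LAN problem in the question, the reply's advice stands: on the firewall's device console, the drop-packet-capture and tcpdump commands take a BPF-style filter such as 'host 10.81.234.5', and the drop capture names the component that discarded the packet, which is far more useful than reasoning about the rules from screenshots.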
