
Integrate synthetic allowlist in a rule without WAF

Dear community,

As a firewall noob I am wondering how to integrate a dynamically changing list of IPs into an allowlist for a specific firewall rule.

As a home user I unfortunately have no access to the "Web protection subscription", only "Base Firewall".

The aim is to allow Grafana Cloud servers to periodically poll data from my internal Prometheus instance on a specific web server port. This actually works with a firewall rule set to

Source zone: WAN, any
Source network: any
Destination zone: LAN
Destination network: any
Services: "prometheus HTTPS" (TCP destination port 9090)

and three corresponding NAT rules created by the NAT wizard.

Obviously I do not want to publish the Prometheus data to the whole internet, so I want to restrict access to certain known IP addresses; "Source network and devices" within a firewall rule would therefore be the right place to add Grafana's IPs. Unfortunately the IPs are from *.bc.googleusercontent.com and therefore subject to change dynamically.

The DNS record "src-ips.hosted-grafana.grafana.net" resolves to more than 100 IPv4 and about as many IPv6 addresses, but when I put that record into Source network (DNS-Address) the Grafana service cannot reach my internal server.

Most probably I am missing a point where to put the DNS record for the IP list apart from "Source networks and devices"; can you help me find it?

Thanks in advance,

Oliver

  • Hello Oliver,

    Good day and thanks for reaching out to Sophos Community. 

    I believe the feature you're looking for to achieve your objective isn't yet available on Sophos Firewall and is still under Feature Request - SFSW-I-2023 - Using External Dynamic List for IP, FQDNs and Services.

    No ETA yet for the feature. Since you're a home user and wouldn't be able to request this through your Sophos account, the best option is to be on the lookout in Sophos Community for release notes, blogs, and forums that might contain any updates about this feature.

    Hope this helps. 

    Thank you

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Dear Mayur, Raphael,

    thanks for your responses! Pity this one does not work at the moment. So I will wait for this feature maybe to come and in the meantime fill the IP list manually.

    Thanks again,

    Oliver
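Since the thread ends with the list being maintained by hand, here is an added helper script (not from the original thread or from Sophos) that resolves the src-ips.hosted-grafana.grafana.net record mentioned above, splits the result into sorted IPv4 and IPv6 host lists, and reports which entries were added or removed since the last run, so the manual IP list can be updated by diff instead of re-entered. The previous-list file name and the sample addresses in the self-test are assumptions; only the record name comes from the thread.

```python
import ipaddress
import socket
from pathlib import Path
from typing import Iterable

RECORD = "src-ips.hosted-grafana.grafana.net"   # DNS record named in the thread
STATE_FILE = Path("grafana_allowlist.txt")       # assumed local state file


def resolve_all(name: str) -> list[str]:
    """Return every A and AAAA address for `name` (needs network access)."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def normalise(addrs: Iterable[str]) -> tuple[list[str], list[str]]:
    """Deduplicate and canonicalise addresses, split into IPv4 and IPv6 lists.

    Each entry is kept as a single host; the list is deliberately NOT
    collapsed into larger prefixes, because aggregating scattered Google
    Cloud addresses into /24s would allow unrelated tenants as well.
    """
    v4, v6 = set(), set()
    for a in addrs:
        ip = ipaddress.ip_address(a.strip())
        (v4 if ip.version == 4 else v6).add(ip)
    return [str(i) for i in sorted(v4)], [str(i) for i in sorted(v6)]


def diff_allowlist(previous: Iterable[str], current: Iterable[str]) -> tuple[list[str], list[str]]:
    """Return (added, removed) host entries relative to the stored list."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


if __name__ == "__main__":
    v4, v6 = normalise(resolve_all(RECORD))
    current = v4 + v6
    previous = STATE_FILE.read_text().split() if STATE_FILE.exists() else []
    added, removed = diff_allowlist(previous, current)
    print(f"{len(v4)} IPv4 and {len(v6)} IPv6 hosts resolved")
    print("add to IP list:      ", *added, sep="\n  ")
    print("remove from IP list: ", *removed, sep="\n  ")
    STATE_FILE.write_text("\n".join(current) + "\n")
```

Run it on a schedule and apply the printed add/remove entries to the IP list used as the rule's source network; keeping single hosts rather than summarised prefixes keeps the allowlist as narrow as the record itself.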
