
Integrate synthetic allowlist in a rule without WAF

Dear community,

As a firewall noob I am wondering how to integrate a dynamically changing list of IPs into an allowlist for a specific firewall rule.

As a home user I unfortunately have no access to the "Web protection subscription", only "Base Firewall".

The aim is to allow Grafana Cloud servers to periodically poll data from my internal Prometheus instance on a specific web server port. This actually works with a firewall rule set to

Source zone WAN: any,

Source network: any

Destination zone: LAN,

Destination network: any,

Services "prometheus HTTPS" (TCP Destination Port 9090)

and three corresponding NAT rules created by the NAT wizard.

Obviously I do not want to publish the Prometheus data to the whole internet, so I want to restrict the access to certain known IP-addresses, so "Source network and devices" within a firewall rule would be the right place to add Grafana's IPs. Unfortunately the IPs are from *.bc.googleusercontent.com and therefore subject to change dynamically.

The DNS record "src-ips.hosted-grafana.grafana.net" resolves to more than 100 IPv4 and about as many IPv6 addresses, but when I put that record into Source network (DNS-Address) the Grafana service cannot reach my internal server.

Most probably I am missing the place where to put the DNS record for the IP list, apart from "Source networks and devices"; can you help me find it?

Thanks in advance,

Oliver
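The following is an added example and is not part of the thread or of any Sophos tooling. It shows the mechanics behind the poster's problem: a DNS-based source object only protects the rule if every address the record currently resolves to is covered, and the record changes. The script resolves a name to all of its A and AAAA addresses, collapses them into the smallest set of networks, tests a candidate source IP against that set, and reports what changed between two resolutions so a periodic refresh can be audited. The hostname is the one named in the post; the sample addresses are constructed from documentation ranges, and the function names are this example's own.

```python
"""Added example (not from the thread): build and check a DNS-derived source allowlist.

Resolve a record to every IPv4/IPv6 address it returns, collapse the result into
networks, test whether a source IP is allowed, and diff two resolutions so a
scheduled refresh can log additions and removals. Function names and the sample
addresses below are assumptions made for this example.
"""
import ipaddress
import socket
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Hostname taken from the post; resolving it needs network access, so the
# offline run below uses a constructed sample instead.
GRAFANA_SRC_RECORD = "src-ips.hosted-grafana.grafana.net"

# Constructed sample of what a multi-address record might resolve to
# (documentation ranges, not Grafana's real addresses).
SAMPLE_RESOLVED = [
    "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13",
    "198.51.100.7",
    "2001:db8:1::10", "2001:db8:1::11",
]


def resolve_all(hostname: str) -> List[str]:
    """Return every A and AAAA address the hostname currently resolves to."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def build_allowlist(addresses: Iterable[str]) -> List[Network]:
    """Collapse host addresses into the minimal set of networks.

    IPv4 and IPv6 are collapsed separately, the way a firewall host object
    would store them; adjacent hosts become /31 (or /127) and wider supernets
    only where the addresses are properly aligned.
    """
    addrs = [ipaddress.ip_address(a) for a in addresses]
    v4 = [ipaddress.ip_network(a) for a in addrs if a.version == 4]
    v6 = [ipaddress.ip_network(a) for a in addrs if a.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_allowed(source_ip: str, allowlist: Iterable[Network]) -> bool:
    """True if the source IP falls inside any network of the same family in the allowlist."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in allowlist if net.version == ip.version)


def diff_allowlist(old: Iterable[Network], new: Iterable[Network]) -> Tuple[List[Network], List[Network]]:
    """Return (added, removed) networks between two resolutions.

    Logging this on every refresh shows when the upstream record changed,
    which is exactly the case where a static copy of the list silently breaks.
    """
    old_set, new_set = set(old), set(new)
    return sorted(new_set - old_set, key=str), sorted(old_set - new_set, key=str)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    allow = build_allowlist(SAMPLE_RESOLVED)
    print("allowlist:", [str(n) for n in allow])
    for candidate in ("192.0.2.11", "192.0.2.14", "2001:db8:1::11"):
        print(candidate, "->", "allowed" if is_allowed(candidate, allow) else "blocked")

    # Simulate a later refresh where one address appeared upstream.
    refreshed = build_allowlist(SAMPLE_RESOLVED + ["192.0.2.14"])
    added, removed = diff_allowlist(allow, refreshed)
    print("added:", [str(n) for n in added], "removed:", [str(n) for n in removed])

    # On a connected host, the live record can replace the sample:
    try:
        live = build_allowlist(resolve_all(GRAFANA_SRC_RECORD))
        print("live allowlist size:", len(live))
    except OSError as exc:  # no DNS available in the offline run
        print("live resolution skipped:", exc)
```

A practical use of `is_allowed` is to take the client IP shown in the firewall log for a blocked Grafana poll and check whether the record resolved on the firewall actually contains it; if it does not, the problem is the resolution (cache age, record size, or IPv6 versus IPv4) rather than the rule itself.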



[edited by: Erick Jan at 10:59 AM (GMT -7) on 1 Aug 2024]
  • Hi Ian,

    slightly off-topic, but:

    to install a home license on recycled hardware I need to erase the installed HD and reinstall from scratch, as mentioned here: Sophos Home Firewall Edition - How to get it licensed?

    Does it help to reinstall the saved configuration or will I have to configure the XGS115w manually from scratch then?

    Cheers, Oliver

  • Hello,

    yes, you have to format (wipe) the whole hard disk or simply install another one. SSD preferred.

    To use your current config:
    0) update your current installation to the latest SFOS version
    1) backup your current installation
    2) get a new home license
    3) wipe your current SSD or install another (clean/wiped) one
    4) install SFOS (matching the version you had already installed on the "old" system) with the _software_ installer
    5) use your new home license from step 2 on the installer
    6) restore your config from step 1

    _______________________________________________________

    Sophos SG 210 with Sophos XG Home - 20.0 MR 1

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Thomas,

    thanks for your swift reply!

    As for the steps to follow - 0) and 1) are pretty easy and already accomplished.

    With step 2) my issues begin: where do I get a new home license?

    In step 3) do I wipe the SSD on the XGS116 CLI? Is that sufficient or do I have to do a more complete wipe using gParted as mentioned in this thread: Sophos Home License - XGS  (this thread looks somewhat disturbing, mentioning wiping the SSD, installing CentOS and then the SFOS)

    Step 4) the latest available software download is SW-20.0.2_MR-2-378.iso , which is in-sync with my currently installed SFOS and the config-backup, so no issue here.

    Step 5) depends on getting a home license in step 2) so once that is sorted, it's ok.

    Step 6) restore can be done with the saved config, fine.

    Can you please be so kind as to point me to a URL where I can create / download a home license key?

    Do you have by any chance a more detailed explanation of step 3)? 

    Thanks in advance,

    Oliver

  • Hi Ian,

    thanks for your recommendation.
    Looking at your signature it seems you got almost the setup I am trying to reach: running Home Edition on a Sophos Firewall appliance - only that I got the XGS instead of XG.
    In RE: Sophos Firewall Home it is mentioned that neither formatting the internal drive nor replacing it with a new SSD will work.
    I think I am just stuck then for the time being?

    Cheers,

    Oliver

  • Hi Oliver,

    I am not sure about the home licence on an XGS because there is a piece of hardware in the traffic path that I am not sure is supported by the home licence and that is the NUC.

    My XG115W is not a home licence but a supported licence.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2
