Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Integrate synthetic allowlist in a rule without WAF

Dear community,

As a firewall noob I am wondering how to integrate a dynamically changing list of IPs into an allowlist for a specific firewall rule.

As a home user I unfortunately have no access to the "Web protection subscription", only "Base Firewall".

The aim is to allow Grafana Cloud servers to periodically poll data from my internal Prometheus instance on a specific web server port. This actually works with a firewall rule set to

Source zone WAN: any,

Source network: any

Destination zone: LAN,

Destination network: any,

Services "prometheus HTTPS" (TCP Destination Port 9090)

and three corresponding NAT-rules created by the NAT wizard  

Obviously I do not want to publish the Prometheus data to the whole internet, so I want to restrict the access to certain known IP-addresses, so "Source network and devices" within a firewall rule would be the right place to add Grafana's IPs. Unfortunately the IPs are from *.bc.googleusercontent.com and therefore subject to change dynamically.

The DNS-record "src-ips.hosted-grafana.grafana.net" resolves to more than 100 IPv4 and quite as much IPv6-addresses, but when I put that record into Source network (DNS-Address) the Grafana service cannot reach my internal server.

Most probably I am missing a point where to put the DNs-Record for the IP list into apart from „,Source networks and devices“, can you help me in finding it?

Thanks in advance,

Oliver



This thread was automatically locked due to age.
Parents Reply
  • Hi Oliver,

    sales will not be able to help you because you are a home user, all licences are evaluation. I still think you are using the wrong licence. Please try creating a new home licence .

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

Children
  • Hi Ian,

    slightly off-topic, but:

    to install a home license on recycled hardware I need to erase the installed HD and reinstall from scratch, as mentioned here:  Sophos Home Firewall Edition - How to get it licensed?

    Does it help to reinstall the saved configuration or will I have to configure the XGS115w manually from scratch then?

    Cheers, Oliver

  • Hello  ,

    yes, you have to format (wipe) the whole hard disk or simply install another one. SSD preferred.

    To use your current config:
    0) update your current installation to the latest SFOS version
    1) backup your current installation
    2) get a new home license
    3) wipe your current SSD or install another (clean/wiped) one
    4) install SFOS (matching the version you had already installed on the "old" system) with the _software_ installer
    5) use your new home license from step 2 on the installer
    6) restore your config from step 1

    _______________________________________________________

    Sophos SG 210 with Sophos XG Home - 20.0 MR 1

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Thomas,

    thanks for your swift reply!

    As for the steps to follow - 0) and 1) are pretty easy and already accomplished.

    With step 2) my issues begin: where do I get a new home license?

    In step 3) do I wipe the SSD on the XGS116 CLI? Is that sufficient or do I have to do a more complete wipe using gParted as mentioned in this thread: Sophos Home License - XGS  (this thread looks somewhat disturbing, mentioning wiping the SSD, installing CentOS and then the SFOS)

    Step 4) the latest available software download is SW-20.0.2_MR-2-378.iso , which is in-sync with my currently installed SFOS and the config-backup, so no issue here.

    Step 5) depends on getting a home license in step 2) so once that is sorted, it's ok.

    Step 6) restore can be done with the saved config, fine.

    Can you please be so kind to point me to an URL where I can create / download a home license key?

    Do you have by any chance a more detailed explanation of step 3)? 

    Thanks in advance,

    Oliver

  • Hi Ian,

    thanks for your recommendation. 
    Looking at your signature it seems you got almost the setup I am trying to reach: running Home Edition ona Sophos Firewall appliance - only that I got the XGS instead of XG. 
    In RE: Sophos Firewall Home it is mentioned that neither formatting the internal drive nor replacing it with a new SSD will work. 
    I think I am just stuck then for the tome being? 

    Cheers,

    Oliver

  • Hi Oliver,

    I am not sure about the home licence on an XGS because there is a piece of hardware in the traffic path that I am not sure is supported by the home licence and that is the NUC.

    My XG115W is not a home licence but a supported licence.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.