Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Integrate synthetic allowlist in a rule without WAF

Dear community,

As a firewall noob I am wondering how to integrate a dynamically changing list of IPs into an allowlist for a specific firewall rule.

As a home user I unfortunately have no access to the "Web protection subscription", only "Base Firewall".

The aim is to allow Grafana Cloud servers to periodically poll data from my internal Prometheus instance on a specific web server port. This actually works with a firewall rule set to

Source zone WAN: any,

Source network: any

Destination zone: LAN,

Destination network: any,

Services "prometheus HTTPS" (TCP Destination Port 9090)

and three corresponding NAT-rules created by the NAT wizard  

Obviously I do not want to publish the Prometheus data to the whole internet, so I want to restrict the access to certain known IP-addresses, so "Source network and devices" within a firewall rule would be the right place to add Grafana's IPs. Unfortunately the IPs are from *.bc.googleusercontent.com and therefore subject to change dynamically.

The DNS-record "src-ips.hosted-grafana.grafana.net" resolves to more than 100 IPv4 and quite as much IPv6-addresses, but when I put that record into Source network (DNS-Address) the Grafana service cannot reach my internal server.

Most probably I am missing a point where to put the DNs-Record for the IP list into apart from „,Source networks and devices“, can you help me in finding it?

Thanks in advance,

Oliver



This thread was automatically locked due to age.
Parents Reply Children
  • Hello  ,

    yes, you have to format (wipe) the whole hard disk or simply install another one. SSD preferred.

    To use your current config:
    0) update your current installation to the latest SFOS version
    1) backup your current installation
    2) get a new home license
    3) wipe your current SSD or install another (clean/wiped) one
    4) install SFOS (matching the version you had already installed on the "old" system) with the _software_ installer
    5) use your new home license from step 2 on the installer
    6) restore your config from step 1

    _______________________________________________________

    Sophos SG 210 with Sophos XG Home - 20.0 MR 1

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Thomas,

    thanks for your swift reply!

    As for the steps to follow - 0) and 1) are pretty easy and already accomplished.

    With step 2) my issues begin: where do I get a new home license?

    In step 3) do I wipe the SSD on the XGS116 CLI? Is that sufficient or do I have to do a more complete wipe using gParted as mentioned in this thread: Sophos Home License - XGS  (this thread looks somewhat disturbing, mentioning wiping the SSD, installing CentOS and then the SFOS)

    Step 4) the latest available software download is SW-20.0.2_MR-2-378.iso , which is in-sync with my currently installed SFOS and the config-backup, so no issue here.

    Step 5) depends on getting a home license in step 2) so once that is sorted, it's ok.

    Step 6) restore can be done with the saved config, fine.

    Can you please be so kind to point me to an URL where I can create / download a home license key?

    Do you have by any chance a more detailed explanation of step 3)? 

    Thanks in advance,

    Oliver