
Integrate synthetic allowlist in a rule without WAF

Dear community,

As a firewall noob I am wondering how to integrate a dynamically changing list of IPs into an allowlist for a specific firewall rule.

As a home user I unfortunately have no access to the "Web protection subscription", only "Base Firewall".

The aim is to allow Grafana Cloud servers to periodically poll data from my internal Prometheus instance on a specific web server port. This actually works with a firewall rule set to

Source zone WAN: any,

Source network: any

Destination zone: LAN,

Destination network: any,

Services "prometheus HTTPS" (TCP Destination Port 9090)

and three corresponding NAT rules created by the NAT wizard.

Obviously I do not want to publish the Prometheus data to the whole internet, so I want to restrict the access to certain known IP-addresses, so "Source network and devices" within a firewall rule would be the right place to add Grafana's IPs. Unfortunately the IPs are from *.bc.googleusercontent.com and therefore subject to change dynamically.

The DNS record "src-ips.hosted-grafana.grafana.net" resolves to more than 100 IPv4 and about as many IPv6 addresses, but when I put that record into Source network (DNS-Address), the Grafana service cannot reach my internal server.

Most probably I am missing the point where to put the DNS record for the IP list, apart from "Source networks and devices". Can you help me find it?

Thanks in advance,

Oliver
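The following is an added example, not code from the thread or from Sophos: a small Python check a defender can run from a host on the LAN to see what the record named above actually resolves to, collapse the answers into the smallest set of CIDR networks (to judge whether a static network object could stand in for the DNS host object), and test whether a given source address, for instance the source of a dropped connection in the firewall log, falls inside that set. IPv4 and IPv6 answers are kept apart because the record returns both. The `SAMPLE_ANSWERS` list and `sample_resolver` are constructed placeholders used in place of a live DNS query; `resolve_live` is the real lookup.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Record named in the thread: the Grafana Cloud poller source addresses.
GRAFANA_SRC_RECORD = "src-ips.hosted-grafana.grafana.net"


def resolve_live(name: str) -> List[str]:
    """Return every A and AAAA answer for name via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def build_allowlist(addresses: Iterable[str]) -> Dict[int, list]:
    """Group textual addresses by IP version and collapse adjacent ones into
    the smallest list of CIDR networks: {4: [networks], 6: [networks]}."""
    by_family: Dict[int, list] = {4: [], 6: []}
    for text in addresses:
        ip = ipaddress.ip_address(text.strip())
        by_family[ip.version].append(ip)
    return {v: list(ipaddress.collapse_addresses(ips))
            for v, ips in by_family.items()}


def is_allowed(client_ip: str, allowlist: Dict[int, list]) -> bool:
    """True if client_ip lies inside a network of the matching family."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowlist[ip.version])


def check_with_resolver(resolver: Callable[[str], List[str]],
                        client_ips: Iterable[str]) -> Dict[str, bool]:
    """Resolve the record once and report coverage for each candidate IP."""
    allowlist = build_allowlist(resolver(GRAFANA_SRC_RECORD))
    return {ip: is_allowed(ip, allowlist) for ip in client_ips}


# Constructed sample answer set (documentation ranges), standing in for DNS.
SAMPLE_ANSWERS = ["203.0.113.8", "203.0.113.9", "203.0.113.10", "203.0.113.11",
                  "198.51.100.77", "2001:db8:1::1", "2001:db8:1::2"]


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for resolve_live; ignores name."""
    return SAMPLE_ANSWERS


if __name__ == "__main__":
    print(build_allowlist(SAMPLE_ANSWERS))
    print(check_with_resolver(sample_resolver, ["203.0.113.9", "192.0.2.5"]))
```

Swap `sample_resolver` for `resolve_live` to run it against the real record; a source IP reported as `False` means the poller is coming from an address the record does not cover, so the allowlist itself, not rule placement, is the gap.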



  • Hi Thomas,

    thanks for your swift reply!

    As for the steps to follow - 0) and 1) are pretty easy and already accomplished.

    With step 2) my issues begin: where do I get a new home license?

    In step 3) do I wipe the SSD on the XGS116 CLI? Is that sufficient, or do I have to do a more complete wipe using gParted as mentioned in this thread: Sophos Home License - XGS (this thread looks somewhat disturbing, mentioning wiping the SSD, installing CentOS and then SFOS)?

    Step 4) the latest available software download is SW-20.0.2_MR-2-378.iso, which is in sync with my currently installed SFOS and the config backup, so no issue here.

    Step 5) depends on getting a home license in step 2) so once that is sorted, it's ok.

    Step 6) restore can be done with the saved config, fine.

    Can you please be so kind as to point me to a URL where I can create / download a home license key?

    Do you by any chance have a more detailed explanation of step 3)?

    Thanks in advance,

    Oliver

  • Hi Ian,

    thanks for your recommendation.
    Looking at your signature it seems you have almost the setup I am trying to reach: running Home Edition on a Sophos Firewall appliance, only that I have the XGS instead of the XG.
    In RE: Sophos Firewall Home it is mentioned that neither formatting the internal drive nor replacing it with a new SSD will work.
    I think I am just stuck then for the time being?

    Cheers,

    Oliver

  • Hi Oliver,

    I am not sure about the home licence on an XGS because there is a piece of hardware in the traffic path that I am not sure is supported by the home licence and that is the NUC.

    My XG115W is not a home licence but a supported licence.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA
