
Sophos Firewall: Troubleshoot a broken application in SFOS

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This recommended read covers the case where an application, or one particular connection, does not work and you see "Invalid Traffic" for it in the firewall Log Viewer.

This may or may not be caused by the firewall. The steps below help you work out which it is.

Invalid Traffic

Invalid Traffic does not mean the firewall is closing the connection. See Invalid traffic events.

In many cases it is the application itself that closes the connection, for any number of reasons. For example, a user typing the wrong credentials into the application can result in a closed connection. Some applications also behave in a "bursting" manner, opening and closing connections in quick succession; those bursts are likely logged by the firewall as "Invalid traffic."

Troubleshooting

Start by checking the firewall for matching firewall and NAT rules. Go to the Log Viewer and look for a green (allowed) entry for the connection from the firewall module. If the firewall allows the connection, it is doing its job correctly.

The next step is to move to "Detailed View":

The Detailed View lists all the different modules involved in one view. It is helpful to look for the entire connection to determine which modules are active. 

Here, we see the firewall allowing the traffic, the DPI engine not decrypting, and the web filter allowing the traffic. If an IPS alert were dropping the connection, it would be listed here. If there is an ATP/IPS alert, you need to decide whether it is a false positive and configure an exception, or take action based on your research.
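As an added example (not part of this article or of SFOS), a small Python script that applies the same triage to exported firewall log lines: a flow that was allowed by a firewall rule and later logged as Invalid Traffic points at the application or a later module, while Invalid Traffic with no matching allow points back at the firewall and NAT rules. The sample lines and the field names used (log_type, log_component, status, src_ip, dst_ip, protocol, dst_port) are constructed assumptions modelled on the SFOS key="value" syslog layout.

```python
import re
from collections import defaultdict

# Constructed sample lines in an SFOS-style key="value" syslog layout.
# Field names and values here are assumptions for this example only.
SAMPLE_LOGS = """\
device="SFW" date=2024-09-17 time=10:01:02 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id="12" src_ip="10.0.0.5" dst_ip="203.0.113.10" protocol="TCP" dst_port="443"
device="SFW" date=2024-09-17 time=10:01:03 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id="0" src_ip="10.0.0.5" dst_ip="203.0.113.10" protocol="TCP" dst_port="443"
device="SFW" date=2024-09-17 time=10:02:00 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id="0" src_ip="10.0.0.7" dst_ip="198.51.100.20" protocol="TCP" dst_port="8443"
device="SFW" date=2024-09-17 time=10:03:00 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id="0" src_ip="10.0.0.9" dst_ip="198.51.100.30" protocol="UDP" dst_port="5060"
"""

# Matches either key="quoted value" or key=bare_value.
KV = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

def parse_line(line):
    """Return a dict of the key=value fields on one syslog line."""
    fields = {}
    for k1, v1, k2, v2 in KV.findall(line):
        fields[k1 or k2] = v1 if k1 else v2
    return fields

def triage(log_text):
    """Classify each flow (src, dst, proto, dst_port) following the article:
    allowed_then_invalid -> firewall allowed it; look at the application/DPI
    invalid_only         -> no allow seen for the flow; check firewall/NAT rules
    allowed              -> allowed and nothing else logged
    denied_by_rule       -> an explicit rule denial, not Invalid Traffic"""
    events = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("log_type") != "Firewall":
            continue
        flow = (f["src_ip"], f["dst_ip"], f["protocol"], f["dst_port"])
        events[flow].append(f)
    verdicts = {}
    for flow, evs in events.items():
        allowed = any(e["status"] == "Allow" for e in evs)
        invalid = any(e["log_component"] == "Invalid Traffic" for e in evs)
        if invalid and allowed:
            verdicts[flow] = "allowed_then_invalid"
        elif invalid:
            verdicts[flow] = "invalid_only"
        elif allowed:
            verdicts[flow] = "allowed"
        else:
            verdicts[flow] = "denied_by_rule"
    return verdicts

if __name__ == "__main__":
    for (src, dst, proto, port), verdict in triage(SAMPLE_LOGS).items():
        print(f"{src} -> {dst}:{port}/{proto}: {verdict}")
```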

Additional Troubleshooting steps

If the connection is green on all levels and is still not working, you can try the following settings to see if it helps:

1. Try to bypass the ATP for this specific firewall rule:

2. Try to turn off the entire DPI engine under Protect > Rules and policies > SSL/TLS inspection rules > SSL/TLS inspection settings > Advanced settings

3. Try to turn off the Fastpath Engine: From the Console (Option 4 in CLI), type: system firewall-acceleration disable

If you see an issue with a certain application and other tools like ping, DNS lookup, etc., are working fine, you can look at the packet capture: 

Packet Capture is a valuable tool in the WebAdmin to see if the connection on a TCP/UDP level is working. 
