Sophos Firewall: Troubleshooting network and connectivity issues

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This guide describes network and connectivity issues and the possible remediation.

The following sections are covered: Physical, Computer, Switch, DNS, DHCP, NAT, Firewall, ISP, and Tools.

Information

Most of the connectivity-related issues arise at the following levels:

Physical

  • Make sure there are no physical connectivity issues such as loose or damaged cables or ports. Ping the loopback address 127.0.0.1 of the local device to test that the IP stack and NIC are working, then ping a public IP such as 8.8.8.8 or a public hostname such as Microsoft.com. You might have to allow ICMP temporarily for testing if it is blocked at the firewall.
  • Sometimes WLAN and LAN drivers are also the cause, depending on the source they were obtained from. If it is a USB NIC, unsafe removal can corrupt the driver or the hardware, just as with USB drives and memory cards.
  • Wi-Fi is well known for increased latency, slow speeds, and connection drops caused by differences in radio technology and in distance and placement between the access point and the devices.

Summary: Check cabling, ports for damage, signal strength, hardware, power, and driver-related issues.


Computer

  • Modified hosts file on Windows or iptables rules on Linux
  • Misconfigured network adapter settings or local firewall
  • Limitation of the available hardware or technology on the device
  • MAC address is changed by the user
  • A duplex or speed mismatch, for example the NIC forced to half-duplex or 100 Mbit/s while the device on the other end of the wire is set differently, causes packet drops and persistently slow connectivity.


Switch

  • Connectivity issues also occur if there is an IP address conflict or a MAC address was modified manually, because the router or switch can no longer tell which port belongs to the given IP or MAC address. The CAM table of your switch and the lease table of your DHCP server can provide indicators. Slow website browsing is also a good indicator of an IP or MAC address conflict.
  • A network engineer may confuse ports and plug a device into the wrong one, placing the device in a different VLAN and causing connectivity issues.
  • If a device is in a different VLAN/subnet, the switch port must be configured as a trunk so that it carries 802.1Q-tagged traffic for the required VLANs, and proper routing and firewall rules are needed on the router/firewall.
  • Persistently slow connectivity, pages that need reloading, and ping timeouts are possibly due to a duplex or speed mismatch.


Summary: Once physical connectivity is ruled out, switches, hubs, and routers are the next components responsible for local connectivity.


DNS

  • If there is an in-house DNS server, it is likely missing entries for the destination device or holds obsolete ones. We can advise updating it with new definitions from authentic sources, or changing to a public DNS with the firewall's web filtering/control feature turned on for control over connectivity.
  • ISP DNS servers are well known for resolution and timeout-related issues.
  • Test connectivity to the DNS server's IP address, if it is available, to check for packet drops.
  • If we can ping the IP address, but not the hostname, the issue is then related to DNS.
  • If communication is done locally via hostnames, connectivity issues with the DC and DNS servers might affect the outcome.

DHCP

  • The DHCP server is responsible for allocating an IP address, gateway, DNS, and so on.
  • If the device gets an IP address in the range 169.254.0.1 to 169.254.255.254 (APIPA), the issue is related to DHCP.
  • A misconfigured DHCP server can cause many connectivity issues: duplicate IP addresses being allocated, incorrect DNS or gateway entries, or downtime of the server itself can all result in an intermittent network outage.
  • If the DHCP server's available IP address pool is unmanaged, it can lead to downtime for new devices, as well as for existing devices once their lease expires.

NAT

Source NAT allows the organization's internal devices to reach the internet without having to purchase additional public IP addresses or connections for each individual device: the internal device's private address is translated on the way out so that it can reach the internet.

Destination NAT allows users on the internet to reach an organization's server located in its internal network without having to pay for a separate public IP address for each server. It can also map multiple servers to a single static IP address; for example, DHCP, DNS, web, VPN, file, FTP, and other servers can be mapped to one public IP address.

  • If there is an issue with NAT, all devices will still have their private IP addresses and network details from DHCP and will be able to communicate with each other, but they will not be able to reach the internet.
  • If a server is reachable from the local network but is inaccessible from the internet, it is a DNAT issue.
  • Once NAT is configured, one may need to configure additional routes and firewall rules on their firewall depending on the architecture of the firewall.
  • NAT, when used with SSL or IPsec VPN, requires additional configuration of routes, firewall rules, and the network's connectivity with other servers such as DNS, DHCP, and DC for proper connectivity.

Summary: Switches handle the delivery of packets to individual devices; DHCP and DNS then identify each device across the local network according to a predefined configuration, and NAT is the foundation for connectivity to internet services.


Firewall

This allows fine-grained control over intranet and internet communication.

  • Web filter: Controls which categories of websites are allowed. If a website times out, a web filter is most likely in place.
  • Application filter: Controls which applications are allowed, based on its signatures. If specific ports, protocols, or apps fail to communicate, application control is most likely misconfigured.
  • IPS: Blocks communication based on predefined patterns called signatures, which may be considered malicious.
  • Antivirus: Scans files and web content for malicious entries.
  • HSTS and SSL/TLS scanning: HTTP Strict Transport Security is designed to prevent man-in-the-middle (MITM) attacks, while a firewall performs a MITM of its own to scan HTTPS-encrypted communication, so the two can conflict.
  • VPN: Firewalls create SSL and IPsec VPNs, which require further configuration of routes, NAT, and policies to allow communication. Partially working connectivity is a typical symptom of a split-tunnel VPN issue.
  • Data loss prevention: Scans file content or file extension and may block them as configured.
  • Firewall rules: Make sure a connection is explicitly allowed for it to work, as the firewall blocks everything implicitly by default.
  • NAT and route: Perform NATting and routing across VLANs as well as the internet.
  • Quality of service (QoS) or traffic shaping limits the bandwidth of each individual node so that it is distributed evenly.
  • A firewall can also act as a server such as LDAP, DHCP, DNS, RADIUS, or SSO, so any misconfiguration in the same could affect the outcome.
  • A firewall can do DNS, content, VoIP, or web app filtering, ZTNA, proxying, SD-WAN, user authentication, managing wireless access points, and more.
  • Each firewall has its own way of allowing or blocking some features. Some can identify a set of services such as Amazon AWS by name, while others cannot.
    • Fortigate firewall supports ISDB, where you just need to select Amazon AWS and all its domains and services are allowed. It also supports the wildcard format.
    • Cisco Meraki firewall has a different method of allowing entries using the wildcard format. For example, if you need to allow abc.com, the entry in wildcard format is *.abc.com/*

      For more information, see Cisco: Wildcards and Destination Lists.
    • Sophos Firewall: Supports wildcard format
    • Palo Alto: Does not support wildcard format
    • Sonicwall: Supports wildcard format
    • Checkpoint: Supports wildcard format
    • Watchguard:
    • pfSense:

Summary: A firewall consists of various security controls and network features, NAT, route, firewall policies/rules, and VPN. It can also act as a DHCP, DNS, Gateway, Switch, or UTM, all of which require a review for potential misconfiguration. For root cause analysis, firewall logging is a must. Firewalls also support packet capture and verbose debugging for in-depth analysis.


ISP

  • Some ISPs restrict specific domains and protocols. Common issues are related to DNS, outages, routing, or latency.
  • Check for any additional network filtering technologies that you might be using other than those mentioned above.
  • A software firewall might be installed on the device that can cause conflict or misconfiguration.
  • The web browsing experience might be affected by specific browsers, their network settings, extensions, or add-ons.


Tools

  • Ping
  • Traceroute/tracert: A third-party tool called PingPlotter is widely used to identify routing issues after a packet leaves your network. pathping or MTR is an alternative.
  • Netstat
  • arp
  • Nslookup
  • telnet: If the telnet client is turned on, it can be used to test ports and connectivity, for example by opening a telnet connection to TCP port 443. PuTTY can also be used.
  • The tnc (Test-NetConnection) command in PowerShell
  • To reset the network:

    • ipconfig /release
    • ipconfig /flushdns
    • netsh int ip reset
    • netsh winsock reset
    • ipconfig /renew

    A restart is mandatory.
  • TCPView
  • Wireshark
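
The layered checks described in the Physical, DHCP, Switch, NAT, DNS, and Firewall sections gathered into one PowerShell script, added here as an example and not part of the Sophos article; the test host www.microsoft.com and port 443 are assumed values, and the cmdlets are the built-in Windows ones (Test-Connection, Get-NetIPConfiguration, Resolve-DnsName, Test-NetConnection).

```powershell
# Added example, not part of the Sophos article: walk the article's layers (Physical/NIC,
# DHCP, Switch/gateway, NAT/ISP, DNS, Firewall) and stop at the first hard failure.
# Assumes Windows PowerShell 5.1 or later with the built-in NetTCPIP and DnsClient modules.
param(
    [string]$PublicIp = '8.8.8.8',            # public address named in the article
    [string]$TestHost = 'www.microsoft.com',  # assumed name to resolve and connect to
    [int]$TestPort    = 443                   # the article's "telnet on TCP port 443" test
)

function Test-Layer([string]$Name, [scriptblock]$Check, [string]$Hint) {
    $ok = $false
    try { $ok = [bool](& $Check) } catch { $ok = $false }
    $tag = if ($ok) { ' OK ' } else { 'FAIL' }
    Write-Host "[$tag] $Name"
    if (-not $ok) { Write-Host "       -> $Hint" }
    return $ok
}

# Interface that has a default gateway; a 169.254.x.x (APIPA) address means no DHCP lease.
$cfg  = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
$addr = @($cfg.IPv4Address.IPAddress)[0]
$gw   = @($cfg.IPv4DefaultGateway.NextHop)[0]

$steps = @(
    @{ Name = 'Loopback 127.0.0.1 answers (Physical/NIC)'; Stop = $true
       Check = { Test-Connection 127.0.0.1 -Count 1 -Quiet }
       Hint  = 'IP stack or NIC driver is down: check cabling, ports, and drivers.' },
    @{ Name = "IPv4 address '$addr' is a real lease, not APIPA (DHCP)"; Stop = $true
       Check = { $addr -and $addr -notlike '169.254.*' }
       Hint  = 'No DHCP lease: check the DHCP server, its pool, and the VLAN of the switch port.' },
    @{ Name = "Default gateway $gw answers (Switch/LAN)"; Stop = $true
       Check = { $gw -and (Test-Connection $gw -Count 1 -Quiet) }
       Hint  = 'Local delivery fails: check switch port, VLAN, duplex/speed, IP or MAC conflicts.' },
    @{ Name = "Public IP $PublicIp answers ICMP (NAT/ISP)"; Stop = $false   # ICMP may be blocked
       Check = { Test-Connection $PublicIp -Count 1 -Quiet }
       Hint  = 'Gateway works but internet does not: check SNAT, routes, firewall rules, ISP.' },
    @{ Name = "$TestHost resolves (DNS)"; Stop = $true
       Check = { Resolve-DnsName $TestHost -ErrorAction Stop }
       Hint  = 'IP works but name does not: check the in-house or ISP DNS server and stale entries.' },
    @{ Name = "TCP $TestPort to $TestHost succeeds (Firewall/web filter)"; Stop = $true
       Check = { (Test-NetConnection $TestHost -Port $TestPort -WarningAction SilentlyContinue).TcpTestSucceeded }
       Hint  = 'Name resolves but the port fails: check firewall rules, web/app filter, or proxy.' }
)

foreach ($step in $steps) {
    if (-not (Test-Layer $step.Name $step.Check $step.Hint) -and $step.Stop) { break }
}
```

The public-IP ping is deliberately non-fatal because ICMP may be blocked upstream, as the Physical section notes, so the DNS and TCP steps still run and a name-versus-address failure can be told apart.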

Related information

Sophos Firewall documentation

Sign up to the Sophos Support Notification Service to get the latest product release information and critical issues.



Title formatting
[edited by: Yashraj at 11:33 AM (GMT -7) on 19 Sep 2022]