
Sophos Firewall: Troubleshooting network and connectivity issues

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This recommended read describes common network and connectivity issues, the layer at which each typically arises, and the possible remediation.

Information

Most of the connectivity-related issues arise at the following levels:

Physical

  • Make sure there are no physical connectivity issues, such as loose or damaged cables or ports. Ping the loopback address 127.0.0.1 of the local device to test the local TCP/IP stack and NIC, then ping a public IP such as 8.8.8.8 or a hostname such as microsoft.com. If ICMP is blocked at the firewall, you might have to allow it temporarily for testing.
  • Sometimes the WLAN and LAN drivers are the cause, depending on where they were obtained from. With a USB NIC, unsafe removal can corrupt the driver or the hardware, just as it can with USB drives and memory cards.
  • Wi-Fi is well known for increased latency, slow speeds, and connection drops caused by differences in technology and distance between the access point and the devices.

Summary: Check cabling and ports for damage, signal strength, hardware, power, and driver-related issues.

Computer

  • A modified hosts file on Windows or iptables rules on Linux
  • Misconfigured settings in the network adapters or the local firewall
  • Limitations of the available hardware or technology on the device
  • A manually changed MAC address
  • A mismatched duplex or speed setting: for example, the port is forced to half-duplex or 100 Mbit/s but the device at the other end of the wire is not set to match, causing packet drops and persistently slow connectivity.

Switch

  • Connectivity issues also occur when there is an IP address conflict or a manually modified MAC address, because the router/switch may then be unsure which port an IP or MAC address actually belongs to. The CAM table of your switch, or the lease table of your DHCP server, might be helpful for indicators. Slow website browsing is also a good indicator of an IP or MAC address conflict.
  • A network engineer may confuse ports and plug a device into the wrong port, which makes the device part of a different VLAN and causes connectivity issues.
  • If a device is part of a different VLAN/subnet, traffic must be allowed through the switch by configuring the port in trunking mode for dot1q-tagged VLAN traffic, together with proper routing on the router/firewall and matching firewall rules.
  • Persistently slow connectivity that requires page reloads, with pings timing out, is possibly due to a misconfigured duplex or bandwidth setting.

Summary: Switches, hubs, and routers are responsible for local connectivity, which is the next thing to check once physical connectivity is ruled out.

DNS

  • If there is an in-house DNS server, it is likely missing entries for the destination device or holds stale records. Update it with new definitions from authentic sources, or switch to a public DNS and use the firewall's web filtering/control feature to retain control over connectivity.
  • ISPs' DNS servers are well known for resolution and timeout-related issues.
  • If the DNS server's IP address is known, test connectivity to it to check for packet drops.
  • If the IP address can be pinged but the hostname cannot, the issue is DNS-related.
  • If local communication relies on hostnames, connectivity issues with the DC and DNS servers might affect the outcome.

DHCP

  • The DHCP server allocates an IP address, gateway, DNS, etc.
  • If the device gets an IP address in the range 169.254.0.1 to 169.254.255.254 (a self-assigned address), the issue is DHCP-related.
  • A misconfigured DHCP server can cause many connectivity-related issues, such as conflicts from duplicate IP addresses being allocated, incorrect DNS/gateway entries, or downtime of the server itself, which can result in an intermittent network outage.
  • If the DHCP server's IP address pool is not managed, it can run out, causing downtime for new devices and for existing devices once their lease expires.

NAT

Source NAT allows internal corporate devices to reach the internet without purchasing additional public IP addresses or connections for each device: the internal device's private address is translated so it can reach out to the internet.

Destination NAT allows users on the internet to reach an organization's server located in its internal network without paying for a separate static IP address for each server. It can also map multiple servers to a single static IP address; for example, DHCP, DNS, web, VPN, file, and FTP servers can all be mapped to one public IP address.

  • If there is an issue with NAT, all devices will still receive their private IP address and network details from DHCP and be able to communicate with each other, but they won't be able to reach the internet.
  • If a server is reachable from the local network but inaccessible from the internet, it is a DNAT issue.
  • Once NAT is configured, additional routes and firewall rules may be needed on the firewall, depending on its architecture.
  • NAT used together with SSL or IPsec VPN requires additional configuration of routes, firewall rules, and the network's connectivity with other servers such as DNS, DHCP, and DC for proper connectivity.

Summary: Switches handle delivery of packets to individual devices; DHCP then gives each device its identity on the local network according to a predefined configuration, and NAT is the foundation for connectivity to internet services.
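The checks described in the Physical, DNS, DHCP, and NAT sections above (loopback ping, self-assigned 169.254.x.x address, local versus internet reachability, IP versus hostname) can be strung together into a small triage script. This is an added example, not code from the original article or from Sophos; the gateway address is an assumption, as is using a gateway ping to stand in for the "local connectivity" test.

```python
import ipaddress, platform, socket, subprocess

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")  # 169.254.0.1-169.254.255.254, the range the page names


def is_apipa(ip: str) -> bool:
    try:  # a self-assigned address means no DHCP lease was obtained
        return ipaddress.ip_address(ip) in APIPA_NET
    except ValueError:
        return False  # not an IP address at all


def diagnose(loopback_ok, local_ip, gateway_ok, public_ip_ok, hostname_ok) -> str:
    """Apply the page's checks in order and name the layer most likely at fault."""
    if not loopback_ok:
        return "physical/nic"      # the local stack itself fails: cable, NIC or driver
    if not local_ip or is_apipa(local_ip):
        return "dhcp"              # no usable lease: DHCP server, scope or exhausted pool
    if not gateway_ok:
        return "switch/lan"        # assumption: gateway ping stands in for local connectivity
    if not public_ip_ok:
        return "nat/firewall"      # LAN works but the internet is unreachable even by IP
    if not hostname_ok:
        return "dns"               # the IP is reachable, the name is not
    return "ok"


def ping(host: str) -> bool:
    """One ICMP echo via the OS ping tool (count flag is -n on Windows, -c elsewhere)."""
    count = "-n" if platform.system() == "Windows" else "-c"
    try:
        return subprocess.run(["ping", count, "1", host], capture_output=True, timeout=5).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def resolves(name: str) -> bool:
    try:
        return bool(socket.gethostbyname(name))
    except socket.gaierror:
        return False


def local_ip() -> str:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect(("8.8.8.8", 53))  # a UDP connect only selects a route; no packet is sent
            return s.getsockname()[0]
        except OSError:
            return ""  # no route toward the internet at all


if __name__ == "__main__":
    gateway = "192.168.1.1"  # assumption: replace with the client's default gateway
    print(diagnose(ping("127.0.0.1"), local_ip(), ping(gateway), ping("8.8.8.8"), resolves("microsoft.com")))
```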

Firewall

The firewall allows fine-grained control over intranet and internet communication.

  • Web filter: controls which categories of websites are allowed. If a website times out, a web filter is most likely in place.
  • Application filter: controls which applications are allowed based on their signatures. If specific ports, protocols, or apps fail to communicate, application control is most likely misconfigured.
  • IPS: blocks communication based on predefined patterns called signatures, which identify traffic considered malicious.
  • Antivirus: scans files and web content for malicious entries.
  • HSTS and SSL/TLS scanning: HTTP Strict Transport Security is designed to prevent man-in-the-middle (MITM) attacks, while firewalls perform a deliberate MITM to scan HTTPS-encrypted communication.
  • VPN: firewalls create SSL and IPsec VPNs, which require further configuration of routes, NAT, and policies to allow communication. Partially working connectivity is a typical symptom of a split-tunnel VPN issue.
  • Data loss prevention: scans file content or file extensions and may block them as configured.
  • Firewall rules: as a general recommendation, make sure a connection is explicitly allowed, because by default the firewall blocks everything implicitly.
  • NAT and route: perform NATting and routing across VLANs as well as to the internet.
  • Quality of service (traffic shaping): limits bandwidth per node for even distribution.
  • A firewall can also act as a server, such as LDAP, DHCP, DNS, RADIUS, or SSO, so any misconfiguration there could produce the observed outcome.
  • A firewall can also do DNS, content, VoIP, or web application filtering, ZTNA, proxying, SD-WAN, user authentication, management of wireless access points, and more.
  • Each firewall has its own way of allowing or blocking features. Some can identify a set of services, such as Amazon AWS, as a single object, while others can't.
    • Fortigate firewall supports ISDB, where you select Amazon AWS and all its domains and services are allowed. It also supports the wildcard format.
    • Cisco Meraki firewall uses a different method based on the wildcard format. For example, to allow abc.com you enter it in wildcard format as *.abc.com/*

      For more information, see Cisco: Wildcards and Destination Lists.
    • Sophos Firewall: Supports wildcard format
    • Palo Alto: Does not support wildcard format
    • Sonicwall: Supports wildcard format
    • Checkpoint: Supports wildcard format
    • Watchguard:
    • pfSense:

Summary: A firewall consists of various security controls and network features: NAT, routing, firewall policies/rules, and VPN. It can also act as a DHCP server, DNS server, gateway, switch, or UTM, all of which require a review for potential misconfiguration. For root cause analysis, firewall logging is a must. Firewalls also support packet capture and verbose debugging for in-depth analysis.

ISP

  • Some ISPs restrict specific domains and protocols. Common issues are related to DNS, outages, routing, or latency.
  • Check for any additional network filtering technologies in use other than those mentioned above.
  • A software firewall might be installed on the device and cause conflicts or misconfiguration.
  • The web browsing experience might be affected by specific browsers, their network settings, extensions, or add-ons.

Tools

  • Ping
  • Traceroute/tracert: a third-party tool called PingPlotter is widely used to identify routing issues after a packet leaves your network. pathping/MTR is an alternative.
  • Netstat
  • arp
  • Nslookup
  • telnet: if the telnet client is enabled, it can be used to test ports and connectivity, for example by opening a telnet session to TCP port 443. PuTTY can also be used.
  • The tnc (Test-NetConnection) command in PowerShell
  • To reset the network:

    • ipconfig /release
    • ipconfig /flushdns
    • netsh int ip reset
    • netsh winsock reset
    • ipconfig /renew

    A restart is required afterwards.
     
  • TCPView
  • Wireshark
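The telnet/tnc port test in the list above only shows whether a connection opens. The added example below (not code from the original article or from Sophos) classifies the outcome of a TCP connect so that a timeout (the SYN was dropped, typically by a firewall or ACL, or the host is down) is distinguished from a refusal (host reachable, nothing listening) and from a DNS failure. The loopback listener is a constructed scenario for demonstration.

```python
import socket


def check_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP handshake and name the outcome instead of just pass/fail."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"          # SYN/SYN-ACK/ACK completed: a service is listening
    except ConnectionRefusedError:
        return "refused"       # host replied with RST: host and path are fine, nothing listens there
    except socket.timeout:
        return "filtered"      # no reply at all: SYN dropped by a firewall/ACL, or the host is down
    except socket.gaierror:
        return "unresolved"    # name lookup failed: a DNS problem, not a port problem
    except OSError as e:
        return f"error:{e.strerror}"  # e.g. network unreachable: a routing/NAT problem
    finally:
        s.close()


def check_ports(host: str, ports) -> dict:
    """Run the same test over several ports, e.g. the ones a blocked app needs."""
    return {p: check_port(host, p) for p in ports}


def local_demo() -> tuple:
    """Constructed scenario: an ephemeral loopback listener yields 'open'; once closed, 'refused'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = check_port("127.0.0.1", port)
    srv.close()
    after_close = check_port("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print(local_demo())
    # Real use, e.g. the TCP 443 test named on the page:
    print(check_ports("microsoft.com", [80, 443]))
```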

Related information

Sophos Firewall documentation




Revamped RR
[edited by: Erick Jan at 11:59 AM (GMT -7) on 17 Sep 2024]