Browse By Tags

  • Email Dictionary Attacks in MTA MODE?! (IMAP port 587 connections in MTA MODE displaying Sophos IP for source, not Attackers!)

    How do we make XG report the public address of IMAP/SMTP/POP connections when in MTA mode? This week I had to deal with a dictionary attacker probing our mail server for valid accounts at about 20-30 per minute. The logs on the mail server were woefully inadequate…
  • Traffic from and to one Host (or Network) over a specific Alias WAN IP

    Hi, we have a /28 public subnet. One IP is the default WAN IP, the others are added as aliases to the interface. How can I make a rule so that all outgoing traffic from a specific host or network goes out over one specific alias IP? …
  • Why create a policy rule + a DNAT (PAT) rule

    Good morning all. I am wondering why a firewall rule needs to be created when creating a DNAT rule (PAT). After my migration from 17.5 to 18, the import of my rules went well. I then needed to access a piece of equipment from the outside…
  • Multiple PUBLIC IP leased line setup for NAT

    Hi. I'm having trouble trying to get one of the public IPs (alias) NATed onto the voice subnet interface. Here's the diagram below. Network Diagram. Here's what I configured for the leased IP line. For the voice LAN interface subnet I configured as below…
  • 1:1 NAT with an additional external subnet

    Hi, a new customer currently has a WatchGuard firewall. The WatchGuard is being replaced by an AP cluster of 2 XG330s. He has a normal WAN connection with a static IP and, additionally, a /25 subnet (completely different range) that is routed to the WAN IP. On the…
  • unclear XG routing decision

    We notice a strange routing decision by the XG for networks not routed by the XG itself. This traffic is forwarded to an IP address I cannot find any routes to. Also, the XG does not even have an IP address in the network range of that IP address. If…
  • v18.0.4 - 1:1 SNAT Advanced Settings

    Any idea when 1:1 SNAT will be implemented correctly, from its currently half-baked implementation? While doing SNAT and using an IP range (.1 - .254), the translated IP is a completely random octet, which is not desired in our configuration as the remote…
  • Using 2 WANs in uplink balancing but force using only one

    I have two WANs in uplink balancing and normally one of them is in active interfaces (e.g. WAN1) and the other is in standby (e.g. WAN2). Sometimes I want to let one of our internal endpoints connect to the internet via WAN2, so: 1. I move the WAN2…
  • Issues creating PAT

    Hi. This is my first time configuring this. I am having some trouble with it. I tried to search on the forum but the one I found had pictures that do not work anymore. I have one public IP and want to direct it to 2 internal IP addresses with the same…
  • 18.0.4 MR-4: NAT LOOPBACK not working

    Hi all, I've been sweeping the community for hours now regarding this issue and simply cannot make it work :-( I have been using the DNAT Assistant, which creates both the reflexive rule and the loopback rule; not working. I've been trying to set up the loopback rule myself…
  • MR4 SNAT -> traffic is lost suddenly

    Hi all, as support is continuously failing to support us, I am trying here. We have a setup with a cluster of XG210s running 18.0 MR4. Since this implementation, we are regularly having issues with our customer's PBX. Packets coming from the PBX…
  • NAT rule Order causes outage

    For multiple smaller customers I have one default SNAT with MASQ to enable internet access and usually two DNAT rules. These rules do not interfere. On multiple occasions it happened that the DNAT rules did not work although they were configured correctly. All…
  • RED configuration for PCI DSS compliance v18 DNAT

    I have an XG135 running (SFOS 18.0.1 MR-1-Build396) and I am currently failing the Security Metrics PCI scan for the following: I am trying to follow the KB Sophos has provided, but in v18 DNAT and firewall rules are separated, and I can't seem to get everything…
  • After Upgrade to v18.0 MR4 Auxiliary Appliance Boots in Failsafe Mode - Reason "Unable to apply NAT Rules"

    Hi, today I upgraded a Sophos XG cluster from v18.0 MR3 to v18.0 MR4. Everything looked fine, so I did a failover check. Afterwards not all outgoing WAN connections were possible. After some checks we recognized that the appliance had booted into Failsafe…
  • Unable to check the address used in IPv6 NAT log.

    The src_trans_ip item output to the log is incorrect when using IPv6 source NAT. src_trans_ip will have the same address as dst_ip. The real address after source NAT is not logged. This issue was tested with SFOS 18.0.4. This is a bug, isn't it?
  • Sophos XG IPsec port forwarding

    Hello, I have a Sophos XG at work and a Sophos XG at home. Recently I acquired a Meraki MX64 that I am running behind my Sophos XG at home. I have been tasked with setting up my work XG with the Meraki MX in a site2site tunnel (for a future deployment…
  • Create loopback rule for XG itself

    Hi, a very long time ago I upgraded from V17 to V18. Today I decided to hit the magic button for cleaning up unused NAT rules under Rules and Policies --> NAT Rules. Since doing that, my loopback to the XG itself has stopped, meaning I…
  • No NAT Rule for VTI Interface

    Hi, I've configured an IPsec tunnel over VTI with OSPF routing and I'm wondering what the recommended way of creating a No-NAT rule is. I would expect to leave all the fields with default values and just set the outbound interface as the VTI (XFRM…
  • How to fully block/drop packets from a malicious WAN address?

    Hi, since upgrading to V18, where NAT and firewall rules have been separated, how would I be sure to fully block and drop traffic from a malicious WAN address before it hits our web-facing services? I have written a drop rule containing a list of IP addresses…
  • XG 18: SNAT binding to specific public IP

    I have only one WAN interface, with multiple public IP addresses configured as alias IPs: #PortB, #PortB:1, #PortB:2 etc. All clients go out to the internet via the default SNAT with the firewall's public IP configured on port #PortB. I would like only an…
  • Server access via IPv6 DNAT does not work

    Hello Community, I am currently trying to make my network reachable from outside. Since I have a DS-Lite tunnel, I have to do this via IPv6. My ISP assigns me a dynamic IPv6 prefix. Since I have no function…
  • WAN IPv6 to DMZ/LAN IPv4

    Hello Forum! I have a little challenge here. TL;DR: translating WAN IPv6 to LAN IPv4. I would like to make various services accessible via IPv4 and IPv6 from the WAN side. Internally, in the LAN and DMZ, I would like to continue working only with IPv4…
  • Version 18 and the Nat Rules

    Hi guys, hoping someone can help me as I'm struggling a bit with V18 and the decoupling of NAT rules. I know it works, as it's working on V17 without issue. We have a VLAN and within that VLAN there is a device which requires WAN access. I have created…
  • Sophos Firewall: How to source NAT incoming IPsec traffic on v19 and above

    Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment. Table of Contents: Overview, What to do, How-To, Translation…
  • Give public IP an alias name

    Hi everyone, I wonder if this is possible. I created a NAT rule so users outside the network can access a particular application that is behind the firewall (Sophos XG). So, currently, the access works this way: public IP/ApplicationName. I would like to…