Strange behaviour in SSL VPN , Firewall traffic "fwrule=60001"

Hello Georg Zoeller ,

Thank you for reaching out to the community, that's correct when there is no NAT rule.

Sophos UTM cannot forward traffic that is sent to a masqueraded WAN IP address unless it was requested by a client behind Sophos UTM, or there is a NAT rule to redirect the traffic to an internal server, with the exception of services running on Sophos UTM itself. If a packet arrives and is not for one of the Sophos UTM's services, is not part of an established connection, and there is no NAT rule for it, it will be dropped as fwrule 60001.

Usually, "fwrule 60001" means that you must configure a NAT rule, likely DNAT, or review the configuration of your existing NAT because the packet does not match the intended rule. Check for interface binding, that the source and destination ports are correct, that you are matching the correct protocol, for example, TCP, UDP, or both, and that the IP addresses are correct.

Hello Georg Zoeller ,

Thank you for reaching out to the community, that's correct when there is no NAT rule.

Sophos UTM cannot forward traffic that is sent to a masqueraded WAN IP address unless it was requested by a client behind Sophos UTM, or there is a NAT rule to redirect the traffic to an internal server, with the exception of services running on Sophos UTM itself. If a packet arrives and is not for one of the Sophos UTM's services, is not part of an established connection, and there is no NAT rule for it, it will be dropped as fwrule 60001.

Usually, "fwrule 60001" means that you must configure a NAT rule, likely DNAT, or review the configuration of your existing NAT because the packet does not match the intended rule. Check for interface binding, that the source and destination ports are correct, that you are matching the correct protocol, for example, TCP, UDP, or both, and that the IP addresses are correct.

i did some checking and it seems like the problem is not actually nat but rather the fact that the ssl vpn network was not part of any web filter proxy rules, and thus was dropping all the traffic. i have to wait for the users to finish working in order to try it out.

Ahan, are you using a full tunnel for SSL VPN ? 

Yes im using a full tunnel for the ssl vpn

So have you configured a firewall rule on the top for the SSL VPN network and MASQ ?

Already tried it, didnt change anything, theres one rule which summarizes all of the networks that are allowed to use internet (https/http, dns and ntp), i will try the web protection network setting like i mentioned in a few hours once i get back from a work trip.

Update:

i have now added the network now the traffic to 8080 is no longer being dropped however now it's dropping the port 80 reqeuests.

After some research i've discovered that it's the default port for AD SSO authentication since it's being used for the proxy auth.

2023:08:07-11:34:06 anfw01-1 ulogd[3222]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="tun0" srcip="10.117.4.4" dstip="10.119.1.3" proto="6" length="52" tos="0x00" prec="0x00" ttl="128" srcport="28242" dstport="80" tcpflags="SYN" 

I've also read that AD SSO is only available for transparent ?

Yup that's correct, here is the KBA - https://support.sophos.com/support/s/article/KB-000035187?language=en_US

Fixed it, i enabled the masquerading rule specificaly for the ssl vpn pool and added a specific firewall rule from the ssl vpn to the internal interface, now everything is working.