Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 3 subscribers
  • Views 5589 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Troubleshooting problems

Hiltonmagk

I've got a Sophos UTM that's my gateway router that creates my DMZ and a Fortinet and another Sophos UTM, that sit in the DMZ that creates two separate LANs.  I can ping and use traceroute from the Fortinet LAN but can't ping or traceroute from the Sophos LAN.  From the Sophos LAN I can ping the WAN IP of the Sophos UTM, and the LAN IP of the DMZ Sophos.  I have a rule on the DMZ Sophos that allows the Sophos LAN to ping/traceroute to any.  Nothing shows up on the live log.  Nothing in Network Protection > Firewall > ICMP seems to make a difference when I change it.  I tried unchecking all the boxes, as that's supposed to rely only the firewall rules, but that didn't work either.  There's nothing in my IPS logs either.  Does anyone have an idea?



This thread was automatically locked due to age.
Parents
  • 0

    I'm a bit confused by your topology - maybe a simple diagram would help. Normally, ping and traceroute are regulated on the 'ICMP' tab of 'Firewall', so your rule also confuses me.  What do you see in the Firewall log file when the ping fails?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    So my rule for ping/tracert is src (192.168.X.X network) ping/tracert to Any.  I can ping 172.X.X.1 from the Application server and tracert the internet resource through the 192.168.X.X Sophos and I get a reply from the DMZ Sophos but that's where it dies.  I can't ping my ISP gateway either from the 192.168.X.X LAN, but I can from the Fortigate LAN.  Hopefully that clarifies the problem.

  • 0 in reply to Hiltonmagk

    Thanks for the diagram - a lot clearer now, but I still have some confusion...

    Are the 172.X.X subnets different?

    What do you mean specifically by "the internet resource?"

    What do you mean specifically by "ISP gateway?"

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to Hiltonmagk

    Thanks for the diagram - a lot clearer now, but I still have some confusion...

    Are the 172.X.X subnets different?

    What do you mean specifically by "the internet resource?"

    What do you mean specifically by "ISP gateway?"

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • 0 in reply to BAlfson

    The 172 network is the DMZ network and there is only one.  The internet resource is a server the application server needs to communicate with.  The ISP gateway is the default gateway of the DMZ Sophos.  I can ping the ISP gateway from the Fortinet LAN but not the Sophos 192.168.X.X LAN.

  • 0 in reply to Hiltonmagk

    I get it now, thanks.  What clues does doing #1 in Rulz on both Sophos UTMs?  Really, probably just the Firewall log, but if there's nothing there, Intrusion Prevention should be checked.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Alright I think I've got it fixed and some idea about why it wasn't working.  In the Global ICMP Settings it says "if originating from an internal network" That got me thinking about what the Sophos considers an internal network.  I couldn't find any information about configuring that.  The LAN traffic from the Fortinet hits the DMZ Sophos as the WAN address of the Fortinet and so the 172 network is internal.  So I created a Source NAT on the 192 Sophos for the application server and then the Global ICMP settings applied to that traffic.  Maybe there's a way to set internal networks without using a source NAT but it worked for me.

  • 0 in reply to Hiltonmagk

    That's a working solution.  An alternative would have been a static route in the Fortigate.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML