Is there any way to make certain policies stateless rather than stateful?
Yes we know what it means and the reasons behind both, so not looking for lectures or an opinion. Just a yes or a no.
Please advise, thank you.
as far as I know ... no.
There is no option in the GUI, and the design is made for stateful inspection.
Sophos Solution Partner since 2003 If a post solves your question click the 'Verify Answer' link.
How about via command?
The firewall should be based on iptables. Since UTM/SG writes/reloads the configuration frequently, I think that changing the resulting configuration is not an option, but the following may help:
iptables -t raw -A PREROUTING -j NOTRACK
coderwall.com/.../disable-iptables-connection-tracking
but I'm really interested in knowing the use case ... there might be a better option
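The raw-table NOTRACK approach mentioned above, worked through as an added example (this is not code from the thread or from Sophos, and nothing here is a supported UTM/SG setting). It reads the standard Linux conntrack counters under /proc/sys/net/netfilter, summarises a conntrack table dump by protocol and destination port so you can see what is actually filling it, and generates the rules needed to keep one service out of the table. The table lines in SAMPLE_CT are constructed. Two caveats the rules encode: untracked packets never match ESTABLISHED,RELATED, so both directions of the flow need explicit stateless ACCEPTs placed before the generic state rule, and NAT (including a DNAT of a public address to an internal server) depends on conntrack and stops working for untracked flows.

```shell
#!/bin/sh
# Added example: inspect Linux conntrack usage and build raw-table NOTRACK
# rules for one service. Not Sophos code; assumes stock Linux paths.

CT_COUNT=/proc/sys/net/netfilter/nf_conntrack_count
CT_MAX=/proc/sys/net/netfilter/nf_conntrack_max

# Integer percentage of the conntrack table in use.  args: count max
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Report live counters when readable, otherwise a constructed sample.
conntrack_status() {
    if [ -r "$CT_COUNT" ] && [ -r "$CT_MAX" ]; then
        count=$(cat "$CT_COUNT"); max=$(cat "$CT_MAX")
    else
        count=61234; max=65536   # constructed sample values
    fi
    echo "$count/$max ($(conntrack_pct "$count" "$max")%)"
}

# Count table entries by protocol and original-direction destination port.
# stdin: lines in /proc/net/nf_conntrack format ($3 is the protocol name,
# the first dport= field is the original direction).
conntrack_top_dports() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^dport=/) { sub("dport=", "", $i); c[$3 " " $i]++; break } }
         END { for (k in c) print c[k], k }' | sort -rn
}

# Emit the iptables commands that exempt forwarded traffic for one
# proto/port from tracking in both directions, plus the stateless FORWARD
# accepts that replace the ESTABLISHED,RELATED match for those flows.
# These must be inserted before any generic state rule.  args: proto port
notrack_rules() {
    cat <<EOF
iptables -t raw -A PREROUTING -p $1 --dport $2 -j NOTRACK
iptables -t raw -A PREROUTING -p $1 --sport $2 -j NOTRACK
iptables -I FORWARD -p $1 --dport $2 -j ACCEPT
iptables -I FORWARD -p $1 --sport $2 -j ACCEPT
EOF
}

# Constructed sample of a conntrack table dump (RFC 5737 addresses).
SAMPLE_CT='ipv4     2 udp      17 28 src=203.0.113.10 dst=198.51.100.5 sport=40001 dport=53 src=198.51.100.5 dst=203.0.113.10 sport=53 dport=40001 mark=0 use=1
ipv4     2 udp      17 12 src=203.0.113.11 dst=198.51.100.5 sport=40002 dport=53 src=198.51.100.5 dst=203.0.113.11 sport=53 dport=40002 mark=0 use=1
ipv4     2 udp      17 29 src=203.0.113.13 dst=198.51.100.5 sport=40003 dport=53 src=198.51.100.5 dst=203.0.113.13 sport=53 dport=40003 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.12 dst=198.51.100.6 sport=51000 dport=80 src=198.51.100.6 dst=203.0.113.12 sport=80 dport=51000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 30 TIME_WAIT src=203.0.113.14 dst=198.51.100.6 sport=51001 dport=80 src=198.51.100.6 dst=203.0.113.14 sport=80 dport=51001 [ASSURED] mark=0 use=1'

echo "conntrack usage: $(conntrack_status)"
echo "entries by protocol/dport (sample table):"
printf '%s\n' "$SAMPLE_CT" | conntrack_top_dports
echo "rules to take DNS out of the table:"
notrack_rules udp 53
```

On a live box, replace the sample with `cat /proc/net/nf_conntrack | conntrack_top_dports` (or `conntrack -L` from the conntrack-tools package) to see which service dominates before deciding what to exempt; short-lived UDP entries such as DNS are the usual suspect because each query creates its own entry.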
All of our network issues were Sophos related. We have a lot of traffic and Sophos "protects" our network from the outside world traffic coming into our network. (HTTP, DNS traffic mostly).
Our issue is that there have been many times where we had network issues/outages due to Sophos running out of iptable space / reaching connection limits on very small amounts of traffic due to internal hardcoded limitations.
I don't see a reason for our Sophos firewall to track connections for HTTP/DNS traffic since we don't use any session based handling of such traffic anyway. We already have many DDOS devices and solutions in place but still every now and again we have a tiny spike in traffic (say 10MBPS) that completely uses up the session tables and causes Sophos to not accept new connections and start logging errors.
Technically at this point, we don't really use Sophos for anything more than VPNing into our network (that is the only area we'd continue to need session handling).
I guess if there's a way to tune it and make it stateless for certain traffic policies, that'd be huge help. If not, a recommendation to a different software/hardware we can use.
"don't see a reason for our Sophos firewall to track connections for HTTP/DNS traffic since we don't use any session based handling of such traffic anyway"
Stateful inspection is used every time you make a request to the internet (DNS/NTP/HTTP/SMTP). You need this to allow the corresponding answer-packets the way back to your network.
The connection is written to conntrack only if the connection is allowed. So only "needed" traffic should fill this table.
I have never seen conntrack-limit related disruptions ... which device/license do you use for how many users/devices?
Can you show us connection statistic from your device?
"Our issue is that there have been many times where we had network issues/outages due to Sophos running out of iptable space / reaching connection limits on very small amounts of traffic due to internal hardcoded limitations."
How do you know that?
You can find the initializations used for iptables in /etc/init.d/iptables.
Cheers - Bob
We know because the errors end up in the kernel logs and other various logs throughout the years. Overall, the Sophos GUI is great and user friendly, but the actual software that handles traffic is a disaster when it comes to our business. It's been the biggest pain on our network and we wish we could easily swap it out right now but can't without major downtime. I won't mention how we originally purchased 10GBPe modules only for them not to properly work. Endless back and forth with the useless Sophos support and the only solution was to downgrade to 1Gbpe.
If not for ARBOR DDOS in cloud+on premise device, this Sophos box would be down on a daily basis. As mentioned, 10MBPs can knock it offline. The datasheet/advertising is just a blatant lie. It can't handle gigabits of traffic when there are other limitations that cause downtime at 10mbps.
Right now we don't use Sophos for any protection. We have every security measure disabled that we can, other than the typical policies that are just ACL rules. And even those are causing issues as per this thread post.
Dirk, with your logic we wouldn't be up if the Sophos didn't exist. But that's not the case because we can remove Sophos and have a server connected straight to the internet. So where is the session being handled then?
I'm talking about session handling / tracking within Sophos. That is what the issue is. Not how the internet works.
Connection usage when things are working smoothly:
When things go awry this either shoots up or it just gets completely F-ed up. And it's all due to session/conn handling and tracking. I will try to find some logs for you guys to see.
Just out of interest, what size / model of SG are you using?