Need help reading firewall logs to check specific traffic

Hi, I'm trying to pass mobile 4G cell spots through my Sophos SG135 firewall. It's running 9.707-5 firmware.

I've created 4 host definitions, one for each cell spot, with a static IP by MAC address; let's call them #1, #2, #3 and #4. I then created 2 firewall rules:

1st rule is Source=Any, Services=Any, Destinations= all 4 booster host entries, Action=Allow

2nd rule is Source= all 4 booster host entries, Services=Any, Destinations=Any, Action=Allow

Originally, I only added the specific UDP ports asked by the manual. After speaking to customer service of the provider, they said other ports might need to get through so I just changed it to Services=Any.

I'm getting strange results. Sometimes none connect, sometimes 1 of them connects. I've restarted the firewall and now 1 fully establishes the connection (all lights are green), 2 have an Internet connection but won't reach the provider network, and 1 doesn't establish an Internet connection at all. This is based on the activity LEDs on the front of them.

Looking at the live firewall log, it only shows me entries in red (default drop). I saw a few red entries of packets dropped for one cell spot on the port that was opened. After changing Services=Any it went away. I don't see any green packets.

What am I doing wrong and where should I start looking?

Thank you.



  • Hello,

    Good day and thanks for reaching out to Sophos Community. 

    Is logging enabled on the FW rule? Also, could you elaborate on this: "After changing services=Any it went away". Does this mean that after you performed this the 4G devices started to work, or that the logs disappeared?

    Further, could you confirm that the static IPs you set for them do not conflict with any IP addresses on the network? Also, do these devices require DNS configuration or default gateways? Could you confirm that they are configured correctly? You may use the Sophos SG's LAN interface as DG and DNS forwarder.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    If a post solves your question use the 'Verify Answer' link.

  • Hello Raphael,

    I'm new to Sophos; where would I check if logging is enabled for a FW rule? Is this what will show me green entries for what went through?

    Originally, I was toying with the specific ports the 4G devices were asking for: UDP 500, UDP 4500 and UDP 123, but then I just set it to Any under Services because I wasn't getting anywhere. I think as long as I allow any source through any port but only to the 4x 4G device IPs, the rest of the network is still protected, right? The red DEFAULT drop logs on UDP 500 disappeared when I changed to Any port.

    DHCP starts at 192.168.x.50. All 4x 4G devices are set up with a static IP by MAC address assignment below that range. I didn't see anything in the instructions about DNS configuration. I need to check on this.

    Thank you for the fast response.
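As an added illustration (not code from this thread or from Sophos), the two rules described above modelled as a first-match list with an implicit default drop, with constructed addresses and a constructed WAN probe, showing what the change from the three UDP services to Any does and does not expose: other LAN hosts still hit the default drop, but every port on the four boosters becomes reachable from any source. The rule shape, the log flag and the addresses are assumptions, not the UTM's implementation.

```python
from typing import NamedTuple

# Constructed sample addressing: four booster hosts with fixed leases below
# the DHCP pool that starts at .50, as described in the thread.
BOOSTERS = {"192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13"}
ANY = "any"

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

def rule(src, dst, services, action="allow", log=False):
    """One rule in the shape of the UTM GUI fields (assumed model, not Sophos code)."""
    return {"src": src, "dst": dst, "services": services, "action": action, "log": log}

def matches(r, p):
    return ((r["src"] == ANY or p.src in r["src"])
            and (r["dst"] == ANY or p.dst in r["dst"])
            and (r["services"] == ANY or (p.proto, p.dport) in r["services"]))

def evaluate(rules, p):
    """First match wins, then an implicit drop. Returns (action, rule_no, logged):
    rule_no is None for the default drop (red in the live log); an allow only
    yields a green entry when the rule's log flag is set."""
    for i, r in enumerate(rules, start=1):
        if matches(r, p):
            return r["action"], i, r["log"]
    return "drop", None, True

# The UDP services the manual asked for: IKE (500), NAT-T (4500), NTP (123).
BOOSTER_UDP = {("udp", 500), ("udp", 4500), ("udp", 123)}

def ruleset(services):
    return [rule(ANY, BOOSTERS, services, log=True),   # rule 1: anything -> boosters
            rule(BOOSTERS, ANY, services, log=True)]   # rule 2: boosters -> anything

ORIGINAL = ruleset(BOOSTER_UDP)   # before the change
WIDENED = ruleset(ANY)            # after setting Services=Any

def exposure_report():
    """Verdict (original, widened) for constructed probe packets."""
    wan = "203.0.113.5"  # constructed external address
    probes = {"ike_to_booster": Packet(wan, "192.168.1.10", "udp", 500),
              "ssh_to_booster": Packet(wan, "192.168.1.10", "tcp", 22),
              "smb_to_dhcp_client": Packet(wan, "192.168.1.60", "tcp", 445),
              "ntp_from_booster": Packet("192.168.1.11", "198.51.100.123", "udp", 123)}
    return {name: (evaluate(ORIGINAL, p)[0], evaluate(WIDENED, p)[0])
            for name, p in probes.items()}
```

Running `exposure_report()` shows the DHCP-range host dropped under both rule sets while the booster's TCP 22 flips from drop to allow; if the real rules have logging off, the allowed flows will never appear as green entries even though they pass.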

  • Logging is set here:

    But you can already see it in the list: a rule that has logging enabled shows a symbol that looks like a writing pad, like this:

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • And I would suggest you update to the most recent UTM firmware version, which is 9.716-2.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.