
Best practices when migrating from Verizon ISP Router to Sophos UTM

Hello,

I am planning to migrate to Sophos UTM from my default Verizon router. What are the things I should do in preparation in order to make this migration as smooth as possible?

Here are a few things that came to mind:

  • Find out what ports I have forwarded on what devices and save it.
    • Steam Client:
      • UDP 27000 to 27015 inclusive (Game client traffic)
      • UDP 27015 to 27030 inclusive (Typically Matchmaking and HLTV)
      • TCP 27014 to 27050 inclusive (Steam downloads)
      • UDP 4380.
    • Dedicated or Listen Servers
      • TCP 27015 (SRCDS Rcon port)
    • Steamworks P2P Networking and Steam Voice Chat
      • UDP 3478 (Outbound)
      • UDP 4379 (Outbound)
      • UDP 4380 (Outbound)
    • Blizzard Desktop App
      • TCP - 80, 443, 1119
      • UDP - 80, 443, 1119
    • Blizzard Voice Chat
      • TCP - 80, 443, 1119
      • UDP - 3478-3479, 5060, 5062, 6250, 12000-64000
    • Blizzard Downloader
      • TCP - 1119, 1120, 3724, 4000, 6112, 6113, 6114
      • UDP - 1119, 1120, 3724, 4000, 6112, 6113, 6114
    • Overwatch
      • TCP - 1119, 3724, 6113, 80
      • UDP - 6250, 5062, 5060, 12000-64000, 3478, 3479
    • World of Warcraft
      • TCP - 3724, 1119, 6012
      • UDP - 3724, 1119, 6012
    • Ventrilo
      • 3784 TCP
      • 3784 UDP
      • 6100 UDP
    • Windows Server Update Services (WSUS)
      • TCP - 8530, 8531
    • Plex (may not forward outside the network and just use VPN to access.)
      • TCP: 32400 (for access to the Plex Media Server)
      • UDP: 1900 (for access to the Plex DLNA Server)
      • TCP: 3005 (for controlling Plex Home Theater via Plex Companion)
      • UDP: 5353 (for older Bonjour/Avahi network discovery)
      • TCP: 8324 (for controlling Plex for Roku via Plex Companion)
      • UDP: 32410, 32412, 32413, 32414 (for current GDM network discovery)
      • TCP: 32469 (for access to the Plex DLNA Server)
    • Spotify
      • TCP - 127.0.0.1:4371
      • TCP - 127.0.0.1:4381
      • TCP - 0.0.0.0:20007
      • TCP - 0.0.0.0:57621
      • TCP 4070
    • Dropbox
      • The Open button requires access to ports 17600 and 17603
      • The LAN Sync feature requires access to port 17500


These were just a few examples that I came up with, but I am sure there is plenty that I missed: Amazon Fire TV, Roku, PS4, Xbox 360, etc. This is not including the 100 apps that I have on my iPhone... You can see where this is going.

This was just a small sample list of all the "ports" that I would need to open on the UTM to make sure I can use those services. But what are the other things that the users here would recommend turning off/on for people migrating over from stock routers with crappy firewalls to a managed UTM?


What are some of the pitfalls that you experienced during your transition to UTM? What advice can you give to a fresh starter so they don't run into the same pitfalls? If you had to go back and redo your firewall from scratch, what would you have done differently?


Thanks,

mrvaghani


EDIT: Typos

  • The UTM is a stateful firewall - the connection tracker automatically allows responses to requests that were allowed out.  If you want to have more control on outgoing traffic than allowing 'Internal (Network) -> Any -> Any',

    • Make a Service Group for each of your apps
    • Make a firewall rule like 'Internal (Network) -> {list of Service Groups} -> Any : Allow'
    • After this rule, place the following rule: 'Internal (Network) -> Any -> Any : Allow, Log'

    Monitor the firewall log for the final rule to see what needs to be added to the rule above it.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
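As an added illustration of Bob's log-and-refine approach (example code, not from this thread and not Sophos's own tooling): the script below parses firewall log lines in the UTM packetfilter key="value" style, keeps only the hits on the final catch-all 'Allow, Log' rule, and tallies destination protocol/port per internal host, which is exactly the list of services still missing from the Service Groups above it. The sample log lines, addresses and rule numbers are constructed, and the field names (fwrule, srcip, dstport, proto, sub) are assumed from the UTM log format; adjust them to match your own log.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the UTM packetfilter log (key="value" pairs).
# Field names are an assumption about the UTM format; rule 9 plays the final catch-all rule.
SAMPLE_LOG = """\
2017:01:15-20:01:02 utm ulogd[4921]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" srcip="192.168.1.20" dstip="203.0.113.10" proto="6" srcport="51234" dstport="443" tcpflags="SYN"
2017:01:15-20:01:05 utm ulogd[4921]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="9" initf="eth0" srcip="192.168.1.20" dstip="203.0.113.11" proto="17" srcport="51235" dstport="27015"
2017:01:15-20:01:06 utm ulogd[4921]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="9" initf="eth0" srcip="192.168.1.20" dstip="203.0.113.12" proto="17" srcport="51236" dstport="27016"
2017:01:15-20:01:09 utm ulogd[4921]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="9" initf="eth0" srcip="192.168.1.31" dstip="203.0.113.20" proto="6" srcport="51237" dstport="1119" tcpflags="SYN"
2017:01:15-20:01:11 utm ulogd[4921]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="9" initf="eth0" srcip="192.168.1.31" dstip="203.0.113.20" proto="6" srcport="51238" dstport="1119" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO = {"6": "TCP", "17": "UDP"}  # IP protocol numbers as they appear in the log

def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV_RE.findall(line))

def unmatched_traffic(log_text, catchall_rule):
    """
    Aggregate traffic that only the final 'Internal -> Any -> Any : Allow, Log' rule
    let through, as {source host: {(proto, dport): hit count}}.
    Hits on the earlier app-specific rules are skipped: those are already covered.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("sub") != "packetfilter" or f.get("fwrule") != str(catchall_rule):
            continue
        svc = (PROTO.get(f.get("proto"), f.get("proto")), int(f["dstport"]))
        hits[f["srcip"]][svc] += 1
    return {src: dict(svcs) for src, svcs in hits.items()}

def report(log_text, catchall_rule):
    """Print what still needs a Service Group entry above the catch-all rule."""
    for src, svcs in sorted(unmatched_traffic(log_text, catchall_rule).items()):
        print(f"{src}:")
        for (proto, port), n in sorted(svcs.items()):
            print(f"  {proto} {port:<5} x{n}  <- add to a Service Group above rule {catchall_rule}")

if __name__ == "__main__":
    report(SAMPLE_LOG, catchall_rule=9)
```

Once a host's services appear only under the app-specific rules, the catch-all rule can be switched from Allow to Drop without breaking anything that was actually in use.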
  • I was thinking of adding more control on outgoing traffic later on down the road. My immediate concerns were to make sure my current programs are able to talk to their servers, e.g. Steam is able to talk to Steam servers, the Blizzard client is able to talk to its game servers, voice chat, etc.

    From what I understand, it will be able to send the request (SYN), but I'm not sure how the response (ACK) would work. What if the port that is used by the Blizzard server's response is blocked and my client never gets the ACK?


    I hope I am able to convey my concerns in a way that makes sense.

    Thanks,

    mrvaghani


    EDIT: Typos again!

  • That's what the connection tracker takes care of: http://www.iptables.info/en/connection-state.html

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
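To make the SYN/ACK question concrete, here is a toy model of the connection tracking Bob refers to (an added example, not part of the thread and not UTM's or netfilter's implementation): the filter has the single rule 'Internal (Network) -> Any -> Any : Allow', records every outbound flow it allows, and then passes the server's reply because it matches the reverse of a tracked tuple, not because any inbound port was opened. Addresses are constructed and the state machine is simplified (only a SYN opens a TCP flow, no timeouts, no RELATED handling).

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags such as "SYN", "SYN,ACK", "ACK"; empty for UDP

class StatefulFilter:
    """Toy stateful filter with the single rule 'Internal (Network) -> Any -> Any : Allow'."""

    def __init__(self, internal_nets):
        self.internal = [ipaddress.ip_network(n) for n in internal_nets]
        self.flows = set()  # forward 5-tuples of flows the outbound rule has allowed

    def _is_internal(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.internal)

    def decide(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "ESTABLISHED"  # reply/follow-up of a tracked flow: passed by state, not by a rule
        if self._is_internal(pkt.src) and not self._is_internal(pkt.dst):
            if pkt.proto == "UDP" or pkt.flags == "SYN":  # simplification: only SYN opens TCP
                self.flows.add(fwd)
                return "NEW"      # allowed by the outbound rule and remembered
        return "DROP"             # unsolicited inbound: no rule allows it, no state matches it

def simulate():
    """Run a constructed game-client exchange through the filter; returns the verdicts."""
    fw = StatefulFilter(["192.168.1.0/24"])
    client, game, voice = "192.168.1.20", "203.0.113.20", "203.0.113.30"
    flow = [
        Packet("TCP", client, 51234, game, 1119, "SYN"),      # client opens a connection
        Packet("TCP", game, 1119, client, 51234, "SYN,ACK"),  # server replies on the same tuple
        Packet("TCP", client, 51234, game, 1119, "ACK"),      # handshake completes
        Packet("TCP", game, 1119, client, 1119, "SYN"),       # unsolicited inbound connection
        Packet("UDP", client, 40000, voice, 3478),            # voice chat datagram out
        Packet("UDP", voice, 3478, client, 40000),            # voice server's reply
    ]
    return [fw.decide(p) for p in flow]

if __name__ == "__main__":
    print(simulate())
```

The fourth packet is the only one dropped: it arrives on a tuple nobody inside asked for, which is the difference between a reply and an inbound port-forward.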