
AWS Quickstart - Enable outbound ports

Hi there,

 

I'm running the AWS Quickstart cloudformation templates for Sophos UTM 9 for an evaluation of the product as a transparent web proxy. This all works fine and is quite straight forward.

 

An additional requirement is to enable outbound traffic for logging, which is to be sent to our monitoring tool datadog.

For this we must enable outbound TCP connections on ports 10514 and 10516 to intake.logs.datadoghq.com (ref Datadog network config for logs collection).

I've created and enabled the following firewall rule (permissive, obviously, for debugging):

Source: Any

Service: 10514 / 10516

Destination: Any

Action: Allow

Advanced/Log Traffic: Enabled

 

I've tested connectivity from the tester EC2 instance and it shows the outbound connection as permitted; however, it does not work, as the telnet client hangs pending connectivity.

 

 

aws.amazon.com/.../
34 package(s) needed for security, out of 54 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-10-100-101-170 ~]$ telnet intake.logs.datadoghq.com 10514
Trying 52.206.235.241...

<hangs />

 

I've checked the AWS security group and route table for the OGWs: all protocols are permitted and 0.0.0.0/0 routes to the internet.

Telnetting to 80/443 for the domain works, so DNS is resolving correctly.

With the exception of the web filtering configuration there has not been any other modification to the Quickstart CF templates.

 

Questions

  • Is the above the correct configuration for enabling outbound TCP traffic on a specific port?
  • Is there any other configuration required within Sophos UTM? 
  • Are there any AWS config changes that might be required?

 

Any suggestions or assistance would be much appreciated.



  • Hi Andrew and welcome to the UTM Community!

    What do you learn from doing #1 in Rulz (last updated 2019-04-17)? Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly. Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file. Please post one line corresponding to one blocked above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    Thanks very much for the advice.

    Here are the complete logs for the same issue. I've regenerated these just now.

     

     

    2019:05:10-21:33:54 sophos-eval-i-056817dbcef599d8f ulogd[14045]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="egw0" outitf="eth0" srcmac="06:bd:c3:1a:49:14" srcip="10.100.101.170" dstip="52.207.149.246" proto="6" length="60" tos="0x10" prec="0x00" ttl="253" srcport="47594" dstport="10514" tcpflags="SYN"
    2019:05:10-21:34:57 sophos-eval-i-056817dbcef599d8f ulogd[14045]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="egw0" outitf="eth0" srcmac="06:bd:c3:1a:49:14" srcip="10.100.101.170" dstip="52.207.149.246" proto="6" length="60" tos="0x10" prec="0x00" ttl="253" srcport="47594" dstport="10514" tcpflags="SYN"
    2019:05:10-21:36:03 sophos-eval-i-0cf50e286810fd54b ulogd[13156]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="egw0" outitf="eth0" srcmac="02:8f:27:37:7f:48" srcip="10.100.101.170" dstip="54.89.13.167" proto="6" length="60" tos="0x10" prec="0x00" ttl="253" srcport="35060" dstport="10514" tcpflags="SYN"
    2019:05:10-21:36:34 sophos-eval-i-0cf50e286810fd54b ulogd[13156]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="egw0" outitf="eth0" srcmac="02:8f:27:37:7f:48" srcip="10.100.101.170" dstip="54.89.13.167" proto="6" length="60" tos="0x10" prec="0x00" ttl="253" srcport="35060" dstport="10514" tcpflags="SYN"
    2019:05:10-21:37:08 sophos-eval-i-0cf50e286810fd54b ulogd[13156]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="egw0" outitf="eth0" srcmac="02:8f:27:37:7f:48" srcip="10.100.101.170" dstip="54.89.13.167" proto="6" length="60" tos="0x10" prec="0x00" ttl="253" srcport="35060" dstport="10514" tcpflags="SYN"
    2019:05:10-21:38:14 sophos-eval-i-0cf50e286810fd54b ulogd[13156]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="egw0" outitf="eth0" srcmac="02:8f:27:37:7f:48" srcip="10.100.101.170" dstip="54.209.130.218" proto="6" length="60" tos="0x10" prec="0x00" ttl="253" srcport="42006" dstport="10514" tcpflags="SYN"

     

    And for completeness, the same as viewed in the UI.

     

    Thanks very much for any suggestions you can make.

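An added defender-side check (my code, not from the thread, Sophos or Datadog) that parses ulogd packetfilter lines in the format posted above and flags flows where a SYN from the same source port was accepted more than once: the packet filter logs the first packet of a connection, so a repeat with an unchanged source port is the client retransmitting because no SYN-ACK came back, which is the pattern in the 10514 lines posted (srcport 47594 logged twice, 35060 three times). The sample log is constructed from those lines with hostnames and unused fields trimmed, plus one single-SYN 443 flow for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the UTM ulogd packetfilter lines posted above;
# hostnames abbreviated and unused fields dropped. Last line: healthy 443 flow.
SAMPLE_LOG = """\
2019:05:10-21:33:54 sophos-eval ulogd[14045]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="egw0" outitf="eth0" srcip="10.100.101.170" dstip="52.207.149.246" proto="6" srcport="47594" dstport="10514" tcpflags="SYN"
2019:05:10-21:34:57 sophos-eval ulogd[14045]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="egw0" outitf="eth0" srcip="10.100.101.170" dstip="52.207.149.246" proto="6" srcport="47594" dstport="10514" tcpflags="SYN"
2019:05:10-21:36:03 sophos-eval ulogd[13156]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="egw0" outitf="eth0" srcip="10.100.101.170" dstip="54.89.13.167" proto="6" srcport="35060" dstport="10514" tcpflags="SYN"
2019:05:10-21:36:34 sophos-eval ulogd[13156]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="egw0" outitf="eth0" srcip="10.100.101.170" dstip="54.89.13.167" proto="6" srcport="35060" dstport="10514" tcpflags="SYN"
2019:05:10-21:37:08 sophos-eval ulogd[13156]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="egw0" outitf="eth0" srcip="10.100.101.170" dstip="54.89.13.167" proto="6" srcport="35060" dstport="10514" tcpflags="SYN"
2019:05:10-21:38:14 sophos-eval ulogd[13156]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="egw0" outitf="eth0" srcip="10.100.101.170" dstip="54.209.130.218" proto="6" srcport="42006" dstport="10514" tcpflags="SYN"
2019:05:10-21:40:00 sophos-eval ulogd[13156]: id="2002" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="egw0" outitf="eth0" srcip="10.100.101.170" dstip="52.207.149.246" proto="6" srcport="50000" dstport="443" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs after the syslog prefix
TS_FMT = "%Y:%m:%d-%H:%M:%S"             # UTM timestamp, e.g. 2019:05:10-21:33:54


def parse_line(line):
    """Split 'YYYY:MM:DD-HH:MM:SS host prog[pid]: k="v" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts, TS_FMT)
    return fields


def retransmitted_syns(log_text, min_repeats=2):
    """Return {(srcip, srcport, dstip, dstport): [timestamps]} for accepted TCP
    SYNs seen min_repeats or more times from the same source port.

    The rule let the packet out, but the client kept resending its SYN, so no
    SYN-ACK returned: look at the return path (NAT, security group, routing)
    or the remote side rather than at the outbound rule itself.
    """
    flows = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        f = parse_line(line)
        if (f.get("sub"), f.get("action"), f.get("proto"), f.get("tcpflags")) != (
                "packetfilter", "accept", "6", "SYN"):
            continue
        flows[(f["srcip"], f["srcport"], f["dstip"], f["dstport"])].append(f["ts"])
    return {k: v for k, v in flows.items() if len(v) >= min_repeats}


def summarize(flows):
    """[(dstip, dstport, syn_count, seconds_between_first_and_last)], sorted."""
    return sorted((k[2], k[3], len(ts), int((max(ts) - min(ts)).total_seconds()))
                  for k, ts in flows.items())
```

Run `summarize(retransmitted_syns(open("packetfilter.log").read()))` against an exported Firewall log to get one row per half-open destination; single-SYN flows such as the 443 sample are not reported.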
