This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AWS Quickstart - Enable outbound ports

Hi there,

 

I'm running the AWS Quickstart cloudformation templates for Sophos UTM 9 for an evaluation of the product as a transparent web proxy. This all works fine and is quite straight forward.

 

An additional requirement is to enable outbound traffic for logging, which is to be sent to our monitoring tool datadog.

For this we must enable outbound tcp connections on ports 10514 and 10516 to intake.logs.datadoghq.com (ref datadog network config for logs collection)

I've created and enabled the following firewall rule (permissive obviously for debugging)

Source: Any

Service: 10514 / 10516

Destination: Any

Action: Allow

Advanced/Log Traffic: Enabled

 

I've tested connectivity from the tester EC2 instance and it shows the outbound connection as permitted however it does not work as the telnet client hangs pending connectivity.

 

 

aws.amazon.com/.../
34 package(s) needed for security, out of 54 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-10-100-101-170 ~]$ telnet intake.logs.datadoghq.com 10514
Trying 52.206.235.241...

<hangs />

 

I've checked the AWS security group and route table for the OGWs - all protocols are permitted and 0.0.0.0/0 routes to the internet.

Telneting to 80/443 for the domain works, so DNS is resolving correctly.

With the exception of web filtering configuration there has been any other modification to the Quickstart CF templates.

 

Questions

  • Is the above the correct configuration for enabling outbound tcp traffic on a specific port? 
  • Is there any other configuration required within Sophos UTM? 
  • Are there any AWS config changes that might be required?

 

Any suggestions or assistance would be much appreciated



This thread was automatically locked due to age.
Parents
  • If you only want to allow the Datadog ports use an SNAT instead of a masq rule.  Start with a Service Group "Datadog" containing Service definitions for 10514 and 10516.  Then a NAT rule like 'SNAT : Any -> Datadog -> Any : from Internal (Address)'.

    You can make a similar rule for the Web Surfing group.  As #2 in Rulz (last updated 2019-04-17) clarifies, the automatic rules created by the configuration daemon (based on the WebAdmin databases) for Web Filtering preclude the need for a second NAT rule.

    All that said, your masqing solution will work fine.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • If you only want to allow the Datadog ports use an SNAT instead of a masq rule.  Start with a Service Group "Datadog" containing Service definitions for 10514 and 10516.  Then a NAT rule like 'SNAT : Any -> Datadog -> Any : from Internal (Address)'.

    You can make a similar rule for the Web Surfing group.  As #2 in Rulz (last updated 2019-04-17) clarifies, the automatic rules created by the configuration daemon (based on the WebAdmin databases) for Web Filtering preclude the need for a second NAT rule.

    All that said, your masqing solution will work fine.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data