I have a Sophos XG with SFOS 17.5.8 MR-8, and everything is at the default settings.
I have one NAT rule for all hosts/ports to go out to the WAN.
My issue is that I have an internal host, an IoT device, that needs to communicate with port 143 on the WAN and it is not able to. I see the packet being accepted in the logs but no reply from the target. I checked with tcpdump on another host trying telnet to the same target and no replies are getting in.
Tested without Sophos and it works. I can't see any traffic being denied anywhere.
How can I find in which layer it's being rejected?
Hi Telmo Reis, please check which IP has been assigned to the IoT device and follow the steps below.
1. Create a source-IP-based firewall rule with no scanning applied that allows all the traffic, put the rule at the top, and check.
2. Now replicate the scenario: apply policies and scanning to the same firewall rule we created above and check the traffic.
3. Capture dropped packets: https://community.sophos.com/kb/en-us/127111
Keyur, Community Support Engineer | Sophos Support
Just did what you said and created a firewall rule.
drop-packet-capture 'host "IP"' shows nothing.
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="185" fw_rule_id="15" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" in_interface="PortA" out_interface="PortB" src_mac="00:00:00:00:00:00" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="yyy.yyy.yyy.yyy" dst_country="ITA" protocol="TCP" src_port="53598" dst_port="143" packets_sent="7" packets_received="0" bytes_sent="420" bytes_received="0" src_trans_ip="zzz.zzz.zzz.zzz" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1825802392" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
And I can't connect.
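The log entry above is the diagnostic signal in this thread: the connection is "Allowed", rule 15 matched, seven packets went out and zero came back. The following is an added example (not code from the thread or from Sophos) that parses SFOS key="value" firewall log lines and flags allowed connections that never received a reply, so the same check can be run over a whole log export rather than read off one line. The sample lines are constructed for the example and use RFC 5737 documentation addresses; the minimum-packets threshold is an assumption chosen to skip connections that were logged at "Start" before any reply could have arrived.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the SFOS firewall log format seen in the thread
# (documentation IPs; not real traffic). Only the fields the check needs are included.
SAMPLE_LOGS = [
    # The IMAP attempt: allowed by rule 15, 7 packets sent, nothing received.
    'messageid="00001" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" con_duration="185" fw_rule_id="15" '
    'in_interface="PortA" out_interface="PortB" src_ip="192.0.2.10" '
    'dst_ip="198.51.100.25" protocol="TCP" src_port="53598" dst_port="143" '
    'packets_sent="7" packets_received="0" bytes_sent="420" bytes_received="0" '
    'src_zone="LAN" dst_zone="WAN" con_event="Stop" con_id="1825802392"',
    # A healthy HTTPS connection from the same host: replies were received.
    'messageid="00001" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" con_duration="12" fw_rule_id="15" '
    'src_ip="192.0.2.10" dst_ip="198.51.100.40" protocol="TCP" src_port="53600" '
    'dst_port="443" packets_sent="12" packets_received="10" bytes_sent="1800" '
    'bytes_received="9400" src_zone="LAN" dst_zone="WAN" con_event="Stop" con_id="1825802393"',
    # A "Start" record: counters are always zero here, so it must not be flagged.
    'messageid="00001" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" con_duration="0" fw_rule_id="15" '
    'src_ip="192.0.2.10" dst_ip="198.51.100.25" protocol="TCP" src_port="53601" '
    'dst_port="143" packets_sent="0" packets_received="0" bytes_sent="0" '
    'bytes_received="0" src_zone="LAN" dst_zone="WAN" con_event="Start" con_id="1825802394"',
    # A denied packet on the default rule 0: not an allowed flow, so not flagged.
    'messageid="00002" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Denied" status="Deny" fw_rule_id="0" src_ip="192.0.2.77" '
    'dst_ip="198.51.100.25" protocol="TCP" src_port="40000" dst_port="25" '
    'packets_sent="1" packets_received="0" src_zone="LAN" dst_zone="WAN" con_event="Stop"',
]

# SFOS log lines are space-separated key="value" pairs; values never contain quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sfos_line(line):
    """Turn one SFOS firewall log line into a dict of field -> string value."""
    return dict(KV_RE.findall(line))


def is_one_way(rec, min_sent=3):
    """True for a completed, allowed connection that sent traffic but got nothing back.

    min_sent is an assumed threshold: a TCP client retransmits SYN several times before
    giving up, so a handful of packets with zero replies means the far side (or
    something in between) never answered, not just a connection that closed early.
    """
    if rec.get("status") != "Allow" or rec.get("con_event") != "Stop":
        return False
    sent = int(rec.get("packets_sent", "0"))
    received = int(rec.get("packets_received", "0"))
    return sent >= min_sent and received == 0


def find_one_way_flows(lines, min_sent=3):
    """Return the (src_ip, dst_ip, dst_port, fw_rule_id) of every one-way flow."""
    flows = []
    for line in lines:
        rec = parse_sfos_line(line)
        if is_one_way(rec, min_sent):
            flows.append({
                "src_ip": rec.get("src_ip"),
                "dst_ip": rec.get("dst_ip"),
                "dst_port": rec.get("dst_port"),
                "fw_rule_id": rec.get("fw_rule_id"),
            })
    return flows


def summarize_by_port(flows):
    """Count one-way flows per destination port; a single port standing out points
    at filtering on that service rather than a general routing or NAT problem."""
    return Counter(f["dst_port"] for f in flows)


if __name__ == "__main__":
    one_way = find_one_way_flows(SAMPLE_LOGS)
    for f in one_way:
        print(f"no reply: {f['src_ip']} -> {f['dst_ip']}:{f['dst_port']} (rule {f['fw_rule_id']})")
    print("one-way flows per destination port:", dict(summarize_by_port(one_way)))
```

Run against a log export, a result that is all port 143 while 443 to the same hosts works narrows the problem to something handling that service (mail scanning, a proxy, or an upstream filter), whereas one-way flows on every port from one source point at the device's gateway or netmask, which is where the later replies in this thread go.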
Port 143 is a mail port. You don't have mail scanning enabled on an earlier firewall rule, do you?
To avoid that issue I created this as the first rule. I've also looked into the mail settings and I can't find any enabled rule/policy.
So the problem is still here.
I would really like it if there were a log of all denied packets, or some kind of real-time test that would show the whole chain and where the block is. A kind of system-wide drop-packet-capture.
In the log viewer, set a filter for rule 15 and see what entries there are when you try to connect.
Have you disabled rule 0's capture of no-connection entries?
Also change your source network to Any during testing.
The log viewer filter for rule 15 only shows accepts, not even one deny.
Source network is Any and there is no change to the result.
Sorry, how do you edit rule 0?
You can't edit rule 0, just stop it recording all unassociated packets.
Does your device get a DHCP-assigned address or is it fixed? Check the gateway configuration and netmask on the device.
Replaced the Sophos XG with another (non-XG) firewall and it works, so it looks like there's something blocking the traffic in the XG.
What you are saying is that there is something wrong with the XG interface, because you are not seeing the traffic hit the XG, so check that the XG LAN interface is set to auto-negotiate.
Are you using DHCP, and do you see an address being allocated in the XG DHCP server? What is the address of your IoT device, gateway settings, etc.?
I just use the XG as the internet gateway; all other services are external: DNS, DHCP...
What I did was replace the XG (virtual) with another firewall (virtual) using the same IP so there wouldn't be any logical changes, and it worked.