Firewall dropping packets for standard applications

Hi Community,

I am seeking your advice... I recently upgraded my hardware from an XG105 to an XG115 to address performance issues we were experiencing with MSFT Teams, WebEx, Nintendo Switch, etc.

Given both my wife and I are WFH now due to Covid, our issues have become more apparent.

I am not a network or security engineer, but know enough to navigate my way around the FW. 

If I set up a persistent ping to an external address, say Google's DNS, and run a Teams call concurrently, I will notice the video and audio performance degrades and I see packet loss on the ping.  I also filter the logs by my laptop IP, where I am running Teams from, and can see denied traffic.  When I look at the addresses via a domain lookup (Centralops), most of the addresses are AWS, MSFT (direct) & Azure (Hosting), etc.

I have added exceptions into my rules but this doesn't seem to make a difference.

The last thing I want to do is create a whole bunch of bypass rules and compromise the effectiveness of the FW - what's the point of having it.

So, what is the best way to get support on this?  I need some help in diagnosing the root cause (poor configuration, missing rules or policies, etc).

  • Hello Msaggers,

    Thank you for contacting the Sophos Community.

    Can you try the following:

    1) Is DoS flood currently enabled? Please disable and see if that makes a difference. 

    2) If you SSH into the XG, press 5 > 4 to arrive at the console and type

    console > set advanced-firewall udp-timeout-stream 150

    3) Create a Firewall rule on top, with no scanning or filtering and setting the following subnets as the destination networks:

    13.107.64.0/18, 52.112.0.0/14, and 52.120.0.0/14

    4) You could try to prioritize the traffic using the Microsoft Teams application

    Go to WebAdmin >> Applications >> Traffic shaping default >> Category name(Search) >> Search for microsoft teams >> Under conferencing please click manage >>
    Name: Microsoft Teams
    Traffic shaping policy: Streaming Video - Guarantee Full HD Quality.

    After that create firewall rule and enable traffic shaping for application
    WebAdmin -> Firewall -> Add firewall rule -> User/network rule (This would be the same Firewall rule used in step #3)

    Rule Position: Top

    Rule Group: None

    Source Zones:LAN or what is the zone of the test PC

    Source networks and devices: Test PC ip address

    Destination Zones:WAN

    Destination networks: 13.107.64.0/18, 52.112.0.0/14, and 52.120.0.0/14 or you can change to ANY since traffic will be prioritized based on the application

    Services: Any
    Application control: Allow All
    Check apply application-based traffic policy


    5) If that still fails, we would need to come back to step 1 and create some DoS exceptions for Microsoft by following this

    https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
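Before adding the top-of-list bypass rule from step 3, it is worth confirming that the denied entries seen when filtering the log by the laptop IP really fall inside the three Microsoft networks the reply quotes, rather than in unrelated AWS or Azure space. The script below is an added example, not Sophos code or part of the original thread: it parses a constructed key=value log excerpt (an assumed layout, not the XG's exact syslog format), matches each denied destination against 13.107.64.0/18, 52.112.0.0/14 and 52.120.0.0/14, and reports which of those CIDRs actually need to go into the rule's destination networks. The field names src_ip, dst_ip, proto, dst_port and action are assumptions.

```python
"""Classify denied firewall log lines against the Microsoft Teams ranges
quoted in the support reply, so bypass rules are scoped to what is dropped.

Added example; not Sophos code. The log layout and field names below are
constructed for illustration and are not the XG's exact export format.
"""
import ipaddress
import re
from collections import Counter

# Destination networks listed in the support reply's step 3.
TEAMS_NETS = [ipaddress.ip_network(n) for n in
              ("13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14")]

# Constructed sample log excerpt (not real XG output). One Allow line and
# one Deny from a different host are included to show the filtering.
SAMPLE_LOG = """\
2021-03-10 09:12:01 action=Deny src_ip=192.168.1.23 dst_ip=52.113.200.17 proto=UDP dst_port=3478
2021-03-10 09:12:02 action=Allow src_ip=192.168.1.23 dst_ip=8.8.8.8 proto=ICMP dst_port=0
2021-03-10 09:12:03 action=Deny src_ip=192.168.1.23 dst_ip=52.123.45.6 proto=UDP dst_port=3481
2021-03-10 09:12:04 action=Deny src_ip=192.168.1.23 dst_ip=13.107.100.9 proto=TCP dst_port=443
2021-03-10 09:12:05 action=Deny src_ip=192.168.1.23 dst_ip=3.5.140.2 proto=TCP dst_port=443
2021-03-10 09:12:06 action=Deny src_ip=192.168.1.40 dst_ip=52.112.0.9 proto=UDP dst_port=50020
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn the key=value pairs of one log line into a dict (None if none found)."""
    fields = dict(FIELD_RE.findall(line))
    return fields or None


def in_teams_ranges(ip):
    """Return the Teams CIDR (as a string) containing ip, or None if outside all three."""
    addr = ipaddress.ip_address(ip)
    for net in TEAMS_NETS:
        if addr in net:
            return str(net)
    return None


def classify_denies(log_text, src_filter=None):
    """Count Deny lines per Teams range (or 'other'), optionally for one source IP.

    This mirrors filtering the WebAdmin log by the laptop's IP and looking up
    each denied destination, but does the lookup against the published ranges
    instead of a whois/domain lookup.
    """
    by_range = Counter()
    details = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("action") != "Deny":
            continue
        if src_filter and f.get("src_ip") != src_filter:
            continue
        net = in_teams_ranges(f["dst_ip"]) or "other"
        by_range[net] += 1
        details.append((f["dst_ip"], f["proto"], int(f["dst_port"]), net))
    return by_range, details


def needed_rule_networks(details):
    """Sorted list of the quoted CIDRs that actually saw denies.

    Only these need to be the bypass rule's destination networks; 'other'
    destinations are not Teams and should stay under the normal policy.
    """
    return sorted({d[3] for d in details if d[3] != "other"})


if __name__ == "__main__":
    counts, rows = classify_denies(SAMPLE_LOG, src_filter="192.168.1.23")
    for ip, proto, port, net in rows:
        print(f"{ip:16} {proto:5} {port:6} -> {net}")
    print("denies per range:", dict(counts))
    print("rule destination networks needed:", needed_rule_networks(rows))
```

Feed it a real export by replacing SAMPLE_LOG with the file contents (and adjusting FIELD_RE if the export uses a different separator). A deny that lands in "other" with an AWS or Azure address is not evidence that a Teams bypass is missing, and a rule for the three Microsoft networks will not fix it.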