Sophos XG issues with Insteon Hub

I have been using the UTM for years and recently upgraded to the XG due to my license count quickly approaching 50...

Everything has been fine on XG and I have even noticed much better performance, particularly wireless.

The reason for my post is that I noticed my Insteon Hub, which controls my smart light switches and various other smart devices, is unable to connect to its cloud service. I did not have to create any rules previously in UTM, and there are minimal entries in the XG log, all being allowed, so I am really at a loss here and hoping someone else has already encountered this.

Any help would be appreciated (I am running v18.0.3)

  • Hi,

    Make a rule at the top of your firewall list:

    source LAN network, your hub IP; destination WAN network, any; service any; log. Also enable either web policy allow all and tick proxy; this will capture the URLs your hub uses.

    Then in Log viewer, review the firewall report with a filter on your hub IP address and see which ports it uses.

    From there you can build a firewall rule covering the ports.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Is there any Internet to Smart Device access required? If yes, you would need a Firewall rule with NAT from WAN to Smart Devices, too.

    If only the outgoing connection fails, I would suggest creating a basic allow-any rule for the devices from LAN to WAN as mentioned by . If you have enabled WebProxy, make an exception for HTTPS inspection for the Insteon Cloud Servers.

  • I have tried both of the following to no avail. I can see in the log viewer that denies are happening with Rule type 0 for "Invalid Packet" and "Invalid TCP state", and then the next entry will be the same IPs and ports and be Allowed, which is very confusing...

    Guess I am heading back to UTM as firewall / NAT rules are a mess in XG...

  • Hi,

    From what you are saying, your UTM does not have any tight firewall rules.

    Your description of the Log viewer issue indicates that your device is not matching any firewall rule. Did you review the Log viewer web report?

    Ian

  • Also possible that masquerading to the internet is missing.

    Please do a packet capture in GUI / Diagnostics for this traffic and share as table here. This is always helpful to see rules, interfaces and NAT applied (or not).

  • Hello uncled15,

    To add to what our great collaborators rfcat_vk and LHerzog had mentioned.

    Try creating a Firewall rule with the IP of this specific Hub, and within the Firewall rule itself click "Create linked NAT rule" and in the new window, change the Translated Source (SNAT) to MASQ.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Time Log comp Log subtype Username Firewall rule NAT rule In interface  Out interface  Src IP Dst IP Src port Dst port Protocol Rule type Message ID Live PCAP Message
    11/30/2020 16:20 Invalid Traffic Denied N/A 0 PortA 172.16.16.18  54.236.3.168 1700 443 TCP 0 1001 Open PCAP Invalid packet.
    11/30/2020 16:20 Invalid Traffic Denied 5 3 172.16.16.18  54.236.3.168 1700 443 TCP 1 1001 Open PCAP Invalid TCP state.
    11/30/2020 16:20 Invalid Traffic Denied N/A 0 PortA 172.16.16.18  54.236.3.168 1700 443 TCP 0 1001 Open PCAP Invalid packet.
    11/30/2020 16:14 Invalid Traffic Denied N/A 0 PortA 172.16.16.18  54.236.3.168 1699 443 TCP 0 1001 Open PCAP Invalid packet.
    11/30/2020 16:14 Invalid Traffic Denied 5 3 172.16.16.18  54.236.3.168 1699 443 TCP 1 1001 Open PCAP Invalid TCP state.
    11/30/2020 16:14 Invalid Traffic Denied N/A 0 PortA 172.16.16.18  54.236.3.168 1699 443 TCP 0 1001 Open PCAP Invalid packet.
  • Posted my log viewer output below; any help would be appreciated.
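One way to do the per-port review Ian suggests, and to spot the deny-then-allow pattern reported above, as an added example that is not part of this thread or of Sophos' own tooling: a small Python script that parses Log viewer rows in the whitespace-separated shape posted above, filters on the hub IP, and groups them by destination, deny reason and flows that carry both a Denied and an Allowed entry. The sample rows are constructed from the post; the final Allowed row and its message text are assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the whitespace-separated shape of the Log viewer rows
# posted above; the final "Allowed" row (and its message text) is assumed.
LOG_ROWS = """\
11/30/2020 16:20 Invalid Traffic Denied N/A 0 PortA 172.16.16.18  54.236.3.168 1700 443 TCP 0 1001 Open PCAP Invalid packet.
11/30/2020 16:20 Invalid Traffic Denied 5 3 172.16.16.18  54.236.3.168 1700 443 TCP 1 1001 Open PCAP Invalid TCP state.
11/30/2020 16:14 Invalid Traffic Denied N/A 0 PortA 172.16.16.18  54.236.3.168 1699 443 TCP 0 1001 Open PCAP Invalid packet.
11/30/2020 16:14 Firewall Allowed 5 3 PortA PortB 172.16.16.18  54.236.3.168 1699 443 TCP 1 9999 Open PCAP Allowed (constructed row).
"""

# Anchor on the fixed-format tail of each row (IPs, ports, protocol, rule type,
# message ID, "Open PCAP", message); the variable-width columns before the
# source IP are kept as free text and inspected for the action and rule ID.
ROW_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2})\s+(?P<head>.*?)\s+"
    r"(?P<src_ip>(?:\d{1,3}\.){3}\d{1,3})\s+(?P<dst_ip>(?:\d{1,3}\.){3}\d{1,3})\s+"
    r"(?P<src_port>\d+)\s+(?P<dst_port>\d+)\s+(?P<proto>[A-Z]+)\s+"
    r"(?P<rule_type>\d+)\s+(?P<msg_id>\d+)\s+Open PCAP\s+(?P<message>.+?)\s*$"
)

def parse_rows(text):
    """Turn exported Log viewer rows into dicts; rows that don't match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        head = m["head"].split()
        action = next((t for t in head if t in ("Denied", "Allowed")), "Unknown")
        # the firewall rule ID follows the action column ("N/A" = no rule matched)
        fw_rule = head[head.index(action) + 1] if action in head else "?"
        rows.append({"action": action, "fw_rule": fw_rule, "src_ip": m["src_ip"],
                     "dst_ip": m["dst_ip"], "src_port": int(m["src_port"]),
                     "dst_port": int(m["dst_port"]), "proto": m["proto"],
                     "rule_type": int(m["rule_type"]), "message": m["message"]})
    return rows

def summarize(rows, hub_ip):
    """Filter on the hub as source and report ports, deny reasons and mixed flows."""
    hub = [r for r in rows if r["src_ip"] == hub_ip]
    destinations = Counter((r["dst_ip"], r["dst_port"], r["proto"]) for r in hub)
    deny_reasons = Counter(r["message"] for r in hub if r["action"] == "Denied")
    # a flow that is both denied and allowed is the confusing pattern in the thread
    by_flow = defaultdict(set)
    for r in hub:
        by_flow[(r["src_port"], r["dst_ip"], r["dst_port"])].add(r["action"])
    mixed = sorted(f for f, acts in by_flow.items() if {"Denied", "Allowed"} <= acts)
    return {"destinations": destinations, "deny_reasons": deny_reasons, "mixed_flows": mixed}
```

Running `summarize(parse_rows(LOG_ROWS), "172.16.16.18")` on the sample shows a single destination (54.236.3.168:443/TCP), two deny reasons, and one flow that was both denied and allowed, which is the set of facts a firewall rule for the hub needs to cover.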

  • Do you have SSL/TLS inspection enabled? I'm referring to the toggle on/off "master" switch on the SSL/TLS inspection rules tab.

    I've found that with SSL/TLS inspection enabled, some of my IoT devices will not connect to their cloud service, despite the fact I have the device's cloud domain on the Local TLS exclusion list. This is something I've found very frustrating with Sophos XG and often very hard to troubleshoot.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/