Connect client to Symantec Protection Center via Sophos

Hi Minh Pham Cong, Thanks for reaching out to Sophos Community.

Have you tried adding all the services instead of HTTP and HTTPS in the separate firewall policy which you created for VLAN 2 to Symantec server testing ? 

This can help if there's any custom port is being used to fetch these updates.

Hi Devesh
Thank you for your reply.

You mean I should create one more new policy for VLAN 2 with all services except HTTP and HTTPS.
Is my understanding correct?

Thanks

Hi Devesh
Thank you for your reply.

You mean I should create one more new policy for VLAN 2 with all services except HTTP and HTTPS.
Is my understanding correct?

Thanks

Hi Minh,

In the same firewall rule, add all the services along with HTTP and HTTPS. This is to allow traffic for all the services if the Symantec server uses any custom port to fetch/deliver updates.

Hi Devesh

Thank you for your support.

If the same firewall rule and add HTTP and HTTPS, my VLAN 2 will have full Internet. I only want VLAN 2 to use LAN.
Please kindly help me with this.

Thanks

Hi Devesh
I just got message below when I tried to update Symantect client to Symantec Center via Sophos
"ssl public key does not match pinned public key"
Could you pls help me this case?

Thanks

Hi Minh, This seems more like an issue from your client or Symantec server end. Looking at your network diagram, It seems that Sophos is just acting as a gateway allowing traffic to pass amongst two separate networks. With that given, XG doesn't seem to cause the error. 
But rather than leaving it dry, I would ask to check and confirm a few things to substantiate further. Let me know whether the created rule is set to filter any web/application traffic and does it have HTTPS decryption turned on? 

Hi Devesh
Thank you for your reply.
I think the root cause from Sophos from my rule. If I allow any services. Symantec works normally.

LAN: 192.168.2.0/24

WAN: 192.168.0.0/24

My rule

Lan to WAN : 
Source: LAN - any
Destination: WAN  - any - Allow all services except for HTTP and HTTPS.
NO HTTPS, HTTP descryption.

No filter web, no filter application.

It seems that some communication is taking place on port 443 from the client to your Symantec server.

To verify this further, You can run this command on CLI "drop-packet-capture 'host <SourceIP> and port 443" (Option 4 > Console) and run the update. This will give you the reason and the packets which were dropped.

For this, You can either clone the existing rule or create a new one, Keep the VLAN 2.0/24 in source, Symantec server's IP in destination, and allow HTTP & HTTPS. This way, you're only granting Port 80 and 443 access to Symantec server from VLAN2.

Hope this helps

I tried to input the command below

drop-packet-capture host 192.168.0.1 and port 443 but it informed %Error: Unknown Parameter 192.168.0.1.
And I also clone the rule as your requirement even though I added any services but still impossible to update.
I don't know where is root cause. Kindly help me one more time.

Thanks

You forgot to add ' before the host 

Hi Devesh
I run the command successfully. Pls kindly see an image and give me your comment.
I just met a problem, from VLAN 2, I can't scan from Photocopier ro client even I added SMB protocol to service but still error.
OMG,Pls kindly help me. Now only you help me this case.

Tks

I have replied to your DM to collect captures and logs further