XG Inbound DNAT Rule Working Fine But XG Blocking Server Outbound

Hi,

the outbound traffic has nothing to do with the inbound traffic, so the stateful function would ignore post a failed connection.

You will need to create a rule, probably network source any -> your server name (FQDN maybe) -> WAN -> any -> services you wish the server to connect to, you should be selective and not use 'any'.

Ian

Hi,

the outbound traffic has nothing to do with the inbound traffic, so the stateful function would ignore post a failed connection.

You will need to create a rule, probably network source any -> your server name (FQDN maybe) -> WAN -> any -> services you wish the server to connect to, you should be selective and not use 'any'.

Ian

Hi Ian,

Thanks for the quick response, much appreciated. I'll set up the rule and let you know how it goes.

Thanks

Lee

Hi,

So I created a network rule as above but the server is still failing to respond outbound. The rule has been set up wth:

source any > my server FQDN > destination > any > service (LDAPS port 636). The rule has been placed at the top of the list

I tried changing the service to any but it's still not working. As soon as I change the gateway on the server to the old firewall it works. To provide a bit more detail, we are synchronising active directory with our anti spam service (mimecast). Inbound it's working fine and I can see mimecast coming in on port 636 but nothing outbound except UDP port 53 which I expect to see.

Any other suggestions?

Thanks

Lee

HI,

what do the XG and the server logs show?

Ian

Hi,

Apologies for the stupid question but what logs are you referring to? Are you talking about the XG Firewall logs and server event logs?

For the XG Firewall logs I see the inbound traffic allowed from In Interface Port 2 to Out Interface Port 1. I don't see any traffic for the Outbound rule. 

Thanks

Lee

Hi,

if you do a search of the XG logs for the IP address of your server you should see the dropped port and a reason for it being dropped.

Have you setup a service definition for port 636  eg TCP 1-65535 to 636 or TCP *:636?

Ian

Hi,

I'm not sure how to search the XG logs for the IP address of the server. Is that done via the CLI? I have run a packet capture on the server IP address and I can't see any packets with a status of violation. I only see incoming or forwarded packets. I can use the CLI if required but not sure how to search the logs using the command line.

For the service definition port I have set it up as follows:

Thanks

ok so I ran the drop-packet-capture command from the CLI but it's not doing anything. I followed this article so not sure what I'm doing wrong - https://community.sophos.com/kb/en-us/127111

Hi,

would suggest a tcpdump as next step.

Go to advanced shell and perform a tcpdump. 

https://www.tcpdump.org/tcpdump_man.html

tcpdump -ni any port 636 

If you dont see any drops in drppkt, traffic seems to be forwarded. 

Cheers

Hi,

Thanks. I ran tcpdump port 636 as the command 'tcpdump -ni any port 636' didn't work. The tcpdump showed 0 dropped packets so I'm at a loss here. I'm not a networking expert but looking at the packet capture I can see the packets coming in from the external IP and the server responds on the same port:

Think I'll raise a ticket with Sophos as it has to be something with the XG. When I switch the default gateway on the server to the old firewall it's fine.

Thanks for all the help.

Hi,

Just wondering: Are there outgoing packets on Port 2 with your external IP?