Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 13 replies
  • Subscribers 28 subscribers
  • Views 13795 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG Inbound DNAT Rule Working Fine But XG Blocking Server Outbound

Leebtish

Hi all,

We're fairly new to Sophos XG but we have our firewall rules set up and working so far. However, I have created a DNAT rule for secure LDAP which is working well and I can see the traffic being forwarded to the internal server. However, the response from the server is not reaching the destination.

I know the XG is the problem because if I change the default gateway on the server to the old firewall it works fine. The DNAT rule is reflexsive so I would have thought the XG being a stateful firewall would allow the outbound traffic from the server but this is not the case.

Do I need to create a user / network rule for the server for the outbound traffic?

Thanks in advance.

Lee



This thread was automatically locked due to age.
Parents
  • +1

    Hi,

    the outbound traffic has nothing to do with the inbound traffic, so the stateful function would ignore post a failed connection.

    You will need to create a rule, probably network source any -> your server name (FQDN maybe) -> WAN -> any -> services you wish the server to connect to, you should be selective and not use 'any'.

    Ian

  • 0 in reply to rfcat_vk

    Hi,

    So I created a network rule as above but the server is still failing to respond outbound. The rule has been set up wth:

    source any > my server FQDN > destination > any > service (LDAPS port 636). The rule has been placed at the top of the list

    I tried changing the service to any but it's still not working. As soon as I change the gateway on the server to the old firewall it works. To provide a bit more detail, we are synchronising active directory with our anti spam service (mimecast). Inbound it's working fine and I can see mimecast coming in on port 636 but nothing outbound except UDP port 53 which I expect to see.

    Any other suggestions?

    Thanks

    Lee

  • 0 in reply to Leebtish

    HI,

    what do the XG and the server logs show?

    Ian

  • 0 in reply to rfcat_vk

    Hi,

    Apologies for the stupid question but what logs are you referring to? Are you talking about the XG Firewall logs and server event logs?

    For the XG Firewall logs I see the inbound traffic allowed from In Interface Port 2 to Out Interface Port 1. I don't see any traffic for the Outbound rule. 

    Thanks

    Lee

  • 0 in reply to Leebtish

    Hi,

    if you do a search of the XG logs for the IP address of your server you should see the dropped port and a reason for it being dropped.

    Have you setup a service definition for port 636  eg TCP 1-65535 to 636 or TCP *:636?

    Ian

  • 0 in reply to rfcat_vk

    Hi,

    I'm not sure how to search the XG logs for the IP address of the server. Is that done via the CLI? I have run a packet capture on the server IP address and I can't see any packets with a status of violation. I only see incoming or forwarded packets. I can use the CLI if required but not sure how to search the logs using the command line.

    For the service definition port I have set it up as follows:

     

    Thanks

     

     

  • 0 in reply to Leebtish

    ok so I ran the drop-packet-capture command from the CLI but it's not doing anything. I followed this article so not sure what I'm doing wrong - https://community.sophos.com/kb/en-us/127111

  • 0 in reply to Leebtish

    Hi,

    would suggest a tcpdump as next step.

    Go to advanced shell and perform a tcpdump. 

    https://www.tcpdump.org/tcpdump_man.html

    tcpdump -ni any port 636 

    If you dont see any drops in drppkt, traffic seems to be forwarded. 

     

    Cheers

Reply Children