Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 16 replies
  • Subscribers 28 subscribers
  • Views 2596 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web filter policy engine breaks website on ipv6 SFOS 17.5 MR9&10

Dion-Ben Hendriks

Hi,

 

I have a problem with the web filter policy engine when trying to connect to https://mijn.triathlonbond.nl/login over ipv6. My default firewall rule includes a web filter policy which allows all. 

 

 for logging purposes.

 

But when I try to connect to the above mentioned site over IPv6 the connection times-out. In the logging of the Sophos there is no indication of an error, nothing is being blocked, not on any of the log categories...(when is a unified logging view comming...?)

But when I change the firewall rule not the include the web filter, the website behaves normal...How to fix this, or is it, bug or limitation of XG? I Have this in both MR9 and MR10

BTW: the XG is running in bridge mode, without NAT. I Would have liked to be running in routed mode but the XG is apparently not able to request a IPv6 subnet delegation from my router. (OpenSense does!)

 

Dion



This thread was automatically locked due to age.
Parents
  • 0

    Further info, that site only returns an IP4 address.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    For me it resolves ipv6 to:

    mijn.triathlonbond.nl.

    TTL=299

    AAAA    2a01:7c8:aaae:18::1

    (not authoritative)

    Running Sophos XG SFOS 17.5.10 MR-10

    On VMWare ESXi 6.7.0 Update 3 (Build 15018017)

    On 4 CPUs x Intel(R) Celeron(R) CPU J1900 @ 1.99GHz with 8GB RAM, 120 GB SSD & 4x  intel I211AT NIC

  • 0 in reply to Dion-Ben Hendriks

    Hi,

    I can trace route to the site, but cannot connect to it. Fails safari and FF as invalid address. The following is part of the trace route and seems to have some invalid addresses as well as very long responses which could explain your failures.

    19  e1-a8.r2.ams0.transip.net  308.888 ms  310.665 ms  312.896 ms

    20  r2.f2.ams4.transip.net  311.594 ms  317.441 ms  313.973 ms

    21  f2.l1.ams4.transip.net  312.796 ms  319.728 ms  316.361 ms

    22  * *

        f2.l1.ams4.transip.net  3337.408 ms !A

    23  * * *

    24  *

        f2.l1.ams4.transip.net  3601.819 ms !A *

    25  f2.l1.ams4.transip.net  3646.906 ms !A * *

    26  *

        f2.l1.ams4.transip.net  3357.424 ms !A  3954.573 ms !A

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    But why does it the work when I disable the Web filter policy in the firewall rule?

    Running Sophos XG SFOS 17.5.10 MR-10

    On VMWare ESXi 6.7.0 Update 3 (Build 15018017)

    On 4 CPUs x Intel(R) Celeron(R) CPU J1900 @ 1.99GHz with 8GB RAM, 120 GB SSD & 4x  intel I211AT NIC

  • 0 in reply to Dion-Ben Hendriks

    Hi

    do you have decrypt and scanning enabled? Have you installed the CA on you PC. Please post the firewall rule.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Nope...

     

    details:

    Running Sophos XG SFOS 17.5.10 MR-10

    On VMWare ESXi 6.7.0 Update 3 (Build 15018017)

    On 4 CPUs x Intel(R) Celeron(R) CPU J1900 @ 1.99GHz with 8GB RAM, 120 GB SSD & 4x  intel I211AT NIC

  • 0 in reply to Dion-Ben Hendriks

    Hi Dion-Ben,

    a very simple answer you have not enabled MASQ (NAT) on your firewall rule. NAT is mandatory on XG IPv6 firewall rules.   

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    But why does all other traffic then work?

    and to circumvent the problem I had created another rule were the web policy is not include, still no MASQ and that worked....? 

    Here the Firewall Log showing traffic flowing thru first rule 7 (the default traffic rule) and later rule 16 (the specific traffic rule create for this site, see above).

    Here the Web policy log (only showing rule 7, as expected)

    Running Sophos XG SFOS 17.5.10 MR-10

    On VMWare ESXi 6.7.0 Update 3 (Build 15018017)

    On 4 CPUs x Intel(R) Celeron(R) CPU J1900 @ 1.99GHz with 8GB RAM, 120 GB SSD & 4x  intel I211AT NIC

  • 0 in reply to Dion-Ben Hendriks

    Hi,

    If you examinee those logviewer results there is no traffic passed, just allowed by the firewall rule but never leave the XG due to no NAT.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

Reply Children
  • 0 in reply to rfcat_vk

    Ian, 

    that is the WEB log (the bottom image) you are referring to, which only shows rule 7 traffic, which is not working, 0 byte is the only indication that its not working.

    In the Firewall log ( the before last  image) it also shows traffic flowing thru rule 16, in that case it worked....  Note that rule 16 also has no NAT configured.

    In the top image is WEB log for other IPv6 traffic passing thru rule 7, bytes sent >0. 

    So my conclusion is that IPv6 without NAT in working in Bridge mode.....

     

    Dion

    Running Sophos XG SFOS 17.5.10 MR-10

    On VMWare ESXi 6.7.0 Update 3 (Build 15018017)

    On 4 CPUs x Intel(R) Celeron(R) CPU J1900 @ 1.99GHz with 8GB RAM, 120 GB SSD & 4x  intel I211AT NIC

  • 0 in reply to Dion-Ben Hendriks

    Hi,

    I agree with you, which is at odds with others experience. I do not have a bridge setup at the moment, i would need to put my test box online and see what happens.

    In the meantime lets hope another member who has IPv6 can test bridge mode?

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

Cookie Information Banner