
Troubleshooting blocked connections

In my Home Lab I hand-migrated from UTM to XG and was extremely pleased with the speed increase I got on my connection; unfortunately, everything has not been peachy.

I am finding it much more difficult to troubleshoot connections that don't work. In my UTM days I could see it blocked either through the Firewall or the Web filter would have dropped packets, but in XG there is nothing.

An example from today: my Daughter, through Facebook Messenger, sent my wife and me a Video Chat request. We could accept the chat, but after a moment it would drop the connection. To get it to work I had to turn on my FW rule that allows everything out from the LAN to the WAN.

With this rule active I turned on Logging and found that it worked without issue. And now researching for this post I found that there are three (3) ports used that were NEVER blocked previously. I found that with the logging on Ports 3478, 5222 & 40002 with my Wife's phone it worked, but there was no additional logging for my desktop and now it worked.

This is only one example of how confusing it is to troubleshoot connectivity issues.

Another "block" is my Wireless Access Points are on a separate VLAN to the controller and packets from the WAPs to the Controller are dropped even with a firewall rule, with this logged (one log-viewer entry, columns as shown):

Invalid Traffic | Denied | N/A | 0 | 192.168.254.149 | 192.168.72.33 | 47278 | 8080 | TCP | 0 | 01001 | Could not associate packet to any connection.

I don't care that my firewall cannot associate the packet, I just want it to send it through, DON'T touch it.

Thus I have two issues: how do I find where the FW is blocking stuff, and how do I get my FW to just forward traffic without touching it?


Cheers



  • Hi,

     the easy bits first, you can ignore that error message because that is a connection that has been closed.

    You need to check the log viewer and add a filter for your firewall rule to see which ports are used and then limit the services to them only.

    The WAPs are they Sophos or another company?

    Ian
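The triage Ian describes (filter the log viewer by the temporary allow-all rule, note which services actually appear, then restrict the rule to those) can be done offline once the log is exported. The script below is an added example, not code from the original thread or from Sophos; its record layout is constructed to mirror the columns visible in the log-viewer entry quoted in the question (component, action, rule, source, destination, ports, protocol, message) and is not the XG export format, and the rule id 7 and the 203.0.113.x peers are placeholders. It separates "Invalid Traffic" entries (stateful tracking could not match the packet to a connection, usually ignorable) from rule-driven decisions, lists the (protocol, destination port) pairs seen under the permissive rule so they can become the rule's service list, and counts explicit denies per rule.

```python
"""Summarise firewall log records to build a least-privilege rule.

Added example. The record layout is constructed to mirror the log-viewer
columns quoted in the question; field names are assumptions, not the
XG export format.
"""
from collections import defaultdict

# Constructed sample records: one "Invalid Traffic" entry copied from the
# question, four entries logged by a hypothetical allow-all rule (id "7")
# while the video chat ran, and one explicit deny by another rule ("3").
SAMPLE_RECORDS = [
    {"component": "Invalid Traffic", "action": "Denied", "rule": "N/A",
     "src": "192.168.254.149", "dst": "192.168.72.33", "sport": 47278,
     "dport": 8080, "proto": "TCP",
     "message": "Could not associate packet to any connection."},
    {"component": "Firewall", "action": "Allowed", "rule": "7",
     "src": "192.168.254.20", "dst": "203.0.113.10", "sport": 51000,
     "dport": 3478, "proto": "UDP", "message": ""},
    {"component": "Firewall", "action": "Allowed", "rule": "7",
     "src": "192.168.254.20", "dst": "203.0.113.11", "sport": 51001,
     "dport": 5222, "proto": "TCP", "message": ""},
    {"component": "Firewall", "action": "Allowed", "rule": "7",
     "src": "192.168.254.20", "dst": "203.0.113.12", "sport": 51002,
     "dport": 40002, "proto": "UDP", "message": ""},
    {"component": "Firewall", "action": "Allowed", "rule": "7",
     "src": "192.168.254.20", "dst": "203.0.113.10", "sport": 51003,
     "dport": 3478, "proto": "UDP", "message": ""},
    {"component": "Firewall", "action": "Denied", "rule": "3",
     "src": "192.168.254.149", "dst": "192.168.72.40", "sport": 40000,
     "dport": 554, "proto": "TCP", "message": ""},
]


def is_invalid_traffic(rec):
    """True for stateful-tracking noise: no rule matched, the packet
    belonged to no tracked connection (typically an already-closed one)."""
    return rec["component"] == "Invalid Traffic"


def split_noise(records):
    """Separate Invalid Traffic entries from rule-driven allow/deny decisions."""
    noise = [r for r in records if is_invalid_traffic(r)]
    decisions = [r for r in records if not is_invalid_traffic(r)]
    return noise, decisions


def services_for_rule(records, rule_id):
    """Sorted, de-duplicated (proto, dport) pairs actually used under a rule.

    This is the list to put in the rule's services once the temporary
    allow-all rule has done its job."""
    seen = set()
    for r in records:
        if r["rule"] == rule_id and r["action"] == "Allowed":
            seen.add((r["proto"], r["dport"]))
    return sorted(seen)


def denies_by_rule(records):
    """Count explicit denies per rule so the blocking rule can be identified."""
    counts = defaultdict(int)
    for r in records:
        if r["action"] == "Denied" and not is_invalid_traffic(r):
            counts[r["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    noise, decisions = split_noise(SAMPLE_RECORDS)
    print(f"{len(noise)} invalid-traffic entries set aside")
    print("services seen under rule 7:", services_for_rule(decisions, "7"))
    print("explicit denies by rule:", denies_by_rule(decisions))
```

Note what the script cannot show: a packet that matches no rule at all produces no record, so a flow that is missing from the export is invisible here too. That is exactly why the temporary logging rule is needed first; the script only turns its output into a minimal service list.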

  • The WAPs are from a different company and have nothing to do with the XG itself, and I did research and found that the message can be ignored, but it is clogging up my log. I get that there is no connection, but I have told my FW that I am okay with the WAP sending the packet to the Controller, thus DON'T TOUCH IT! But alas it does and blocks.

    This was never an issue on my UTM, and yes I get there is a difference in detections between UTM and XG.

    I get about filters in the log, but I may not have been clear.

    • Facebook Messenger video chat has always worked, today it didn't.
    • I had two (2) devices, my wife's phone and my desktop, attempt to connect to an outside user and it didn't work.
    • Opening up Everything, FW rule, allowed the connection to work.
    • Checking the log, my wife's phone needed the extra ports as I indicated.
    • My desktop just worked, it did not use any extra ports.

    Thus my question still remains: there were NO ports showing as blocked in the Log, they only showed up once I opened up my FW.

    Ian I appreciate your time to post, but this does not help me diagnose issues that DON'T show anything in the logs.


  • Hi Garth,

    please search the XG forums for threads on allowing Facebook to work through the XG.

    Please find below my exception list.

    You can disable the logging of those errors if you find they are a problem.

    The XG is probably not blocking the ports but your software is failing a security check eg you have decrypt HTTPS enabled. Yes, the XG logging is very poor and makes debugging difficult.

    Are the phones using VoIP?

    Finally please post a screenshot of your expanded firewall rules to assist the forum with debugging.

    Ian

  • Ian, there is nothing wrong with access to Facebook itself, that is not the problem and I never said that was the issue, you are diluting the topic.

    I simply used my issue this morning to highlight a problem I am having to solve access issues, no mention of FB access or VoIP issues.

    With the WAPS with the internal rules that relate there is absolutely NO filtering, no decryption, I just want it to route from here to there do NOTHING else with the traffic.

    Why do I need to post a screenshot of my FW rules? I can find a port that is blocked and adding that to a rule is simple enough. I am trying to find a way to properly diagnose blocking issues.

    I appreciate your time and acknowledgement of the XG logging issues, but I am trying to find any help I can on tracking down "roadblocks" on my network.

     

    Cheers

  • Hi Garth,

    sorry I am not diluting the subject, you complained about facebook messenger so I added some information that might help you.

    You said the phones didn't work as expected so I asked some questions about your phones.

    You have asked for help with your WAPs, so please make up your mind what you actually want help with.

    I suggest you read the KBAs on CLI commands that will give access to other reports/results.

    Ian

  • Okay, I will address each of your points:

    "Complained about messenger": this is not accurate, I used it as an example ONLY to illustrate my point about how my XG doesn't log blocked ports, but when I log and allow all traffic new ports appear.

    "phones didn't work", I mentioned that in context with using Facebook messenger, FB Messenger does not equal VoIP. One of the ports I mentioned is the STUN port but again that is for illustration purposes only.

    "asked for help with your WAPS", I never asked for help with the WAPS themselves, I asked for help with an entry in my FW log that is generated by WAPS when they are trying to talk to the controller that the XG is blocking.

    "read the KBAs on CLI commands", are there any you could suggest that I look at in particular?

    Again I appreciate you taking the time to read and reply to my posts, the crux is that I only need help with the XG and traffic blocking issues.

    Thanks

  • Thanks for that, funnily enough I was reading the PDF version of that at the time you posted your message as I was trying to resolve another issue.

     

    Here is another really simple example of what is happening:

    • From PC 192.168.254.xx to Camera 192.168.72.xx
    • No access, NOTHING in the Firewall log.
    • Create a FW Rule to allow access and log traffic
    • Works a treat

    So why then when I didn't have the FW rule in place, the FW log didn't display anything relating to me trying to access the Camera.

    Something this simple shouldn't be this hard.

  • Hi Garth,

    firstly does your PC know what to do with that network, try a tracert and see what the result is?

    Ian

  • With the rule off it goes to the gateway address and the requests just time out.

    With the rule on it goes to the gateway and then the Camera.

     

    That confused me, what does a FW rule have to do with routing?

     

    From my understanding a FW rule is simply giving permission to go from one network to the other using the open ports. Is this another XG anomaly?

  • First of all, UTM does the same as XG, but simply has other default values.

    Invalid Traffic logging is not activated by default in UTM; it is in XG.

    Invalid Traffic has a 3 hour IDLE timeout in XG, 24 h in UTM, if activated to log.

    So if you would like the same principles as UTM, set it to 24 h and deactivate the logging.

     

    • From PC 192.168.254.xx to Camera 192.168.72.xx

     

    Is this not an access from one network to another? I mean, it seems to be?

  • LuCar Toni said:

    Is this not an access from one network to another? I mean, it seems to be?

    With this point you are right, that is access from one network to the other. The point I am trying to make is that there is nothing in the logs when the FW rule is turned off saying that it is blocked. Packets are just silently dropped.

    This is the issue I am trying to address.

    Thank you for the detailed explanation about the logging of my Invalid traffic, I found an article on how to fix it: https://community.sophos.com/kb/en-us/131754

    Cheers.