Allow nmap scan of public wan address

Hi,

Using XG v18, how would you allow an external company access to scan your public-facing IP address with nmap for compliance reasons?

We have a list of specific IPs we need to allow access for and have tried creating DNAT and firewall rules, but the traffic always gets dropped by rule 0.

This used to work in v17 but with v18 we cannot find a way.

Any help would be greatly appreciated

Thank you



  • FormerMember

    Hi  

    Thank you for reaching out to the Community! 

    Did you try to configure Local ACL exception for the list of source IP addresses that needs access to the WAN IP address of the firewall? 

    Please check out the following KBA: Sophos XG Firewall: Local Service ACL (Access Control List) and specifically "Local Service ACL Exception Rule."

    Thanks,

  • So using the Local ACL exception does allow access to scan the few services that are available to add in the ACL exception rule, which is good (HTTPS, VPN, SSL etc.).


    However, I guess my question is: is there a way to allow an external IP access to scan every port unfiltered on the XG without being denied like this packet capture shows?


    So basically what we would like is for the source ip to have full access to everything unfiltered on the destination ip.


    Is such a thing even possible?

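A defender-side check for the situation described in this thread, added here as an example and not code from the thread, from Sophos or from nmap: it parses the grepable (-oG) output of a scan the allow-listed scanner runs against the firewall's WAN address and compares the ports seen open with the set the Local Service ACL exception was configured to expose, so you can spot a service that is reachable but should not be, or an expected one that is still being dropped. The host address, port states, service guesses and expected-port set are all constructed for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap "grepable" (-oG) output for a scan of the
# firewall's WAN address from the allow-listed scanner. The address, port
# states and service guesses are invented for illustration only.
SAMPLE_GREPABLE = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, "
    "8443/open/tcp//https-alt///, 22/filtered/tcp//ssh///, "
    "4444/open/tcp//krb524///\tIgnored State: filtered (996)\n"
    "# Nmap done (constructed sample)\n"
)

# One entry of the Ports: field has the shape port/state/protocol//service///
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)//([^/]*)")


def parse_grepable(text: str) -> Dict[str, Dict[int, str]]:
    """Map host address -> {tcp port: state} from the Host: lines of -oG output."""
    result: Dict[str, Dict[int, str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Fields are tab separated; keep only the Ports: field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, _service in PORT_RE.findall(ports_field):
            if proto == "tcp":
                result.setdefault(host, {})[int(port)] = state
    return result


def check_exposure(observed: Dict[int, str],
                   expected_open: Set[int]) -> Tuple[List[int], List[int]]:
    """Compare one host's scan result with the ports the ACL exception is
    meant to expose. Returns (unexpected_open, expected_but_not_open)."""
    open_ports = {p for p, state in observed.items() if state == "open"}
    return sorted(open_ports - expected_open), sorted(expected_open - open_ports)


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    # Constructed: the ports the exception rule was configured to expose.
    unexpected, missing = check_exposure(scan["203.0.113.10"], {443, 8443})
    print("unexpected open ports:", unexpected)   # [4444]
    print("expected but not open:", missing)      # []
```

Anything listed as unexpected is a service the exception rule (or another rule) exposes to the scanner beyond what was intended; anything listed as missing is still being dropped before it reaches the service, which is the "rule 0" symptom from the original question.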