Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Subscribers 27 subscribers
  • Views 750 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

External Websites showing user portal

Neihn

This morning we switched over to our Sophos XG FIrewall. Professional services did alot of the leg work for us in the main configuration and while it appears most things are working properly we did find a few things wrong after we got off the phone with professional services after cut-over. However later in the day it was only then we realized that all of our outside facing websites are showing the User Portal. Now this isn't a huge rush for us as most of it is legacy stuff that is rarely accessed but needs to be left for those rare occasions.

So for example Primary IP for facility is 100.200.100.64 this normally resolved to https://subdomaina.domain.com - resolves to user portal

100.200.100.65 normally resolves to https://subdomainb.domain.com but is now resolving to user portal

100.200.100.66 normally resolves to https://subdomainc.domain.com but is now resolving to user portal

100.200.100.67 normally resolves to https://subdomaind.domain.com but is now resolving to user portal

 

If I disable the captive portal it never resolves to anything and the website just says can page can not be display.

Some basic information on setup:

Sophos XG330 FW - 18.0.4

Under Hosts and Services

  • Port 2 System Host 100.200.100.64/255.255.255.255 (not sure if it matters as everything seems to show that subnet but real subnet for that address is 255.255.255.240)
  • Port 2:0 System Host 100.200.100.65/255.255.255.255
  • Port 2:1 System Host 100.200.100.66/255.255.255.255 
  • Port 2:2 System Host 100.200.100.67/255.255.255.255 
  • IP address 100.200.100.64
  • IP address 100.200.100.65
  • IP address 100.200.100.66
  • IP address 100.200.100.67
  • IP address 192.168.1.4 (subdomaina)
  • IP address 192.168.1.5 (subdomainb)
  • IP address 192.168.1.6 (subdomainc)
  • IP address 192.168.1.7 (subdomaind)

Under Network

  • All outside addresses are showing under Port2

Now to save us both some time since the following would be identical base configs between them

Rules and Policies

  • NAT Rule for Subdomain D
    Original Source - Any
    Original Destination - 100.200.100.67
    Original Service - HTTPS
    SNAT - Original
    DNAT - 192.168.1.7
    PAT - Original
    Inbound Interface - Port 2
    Outbound Interface - Any
  • Firewall Rules for Subdomain D
    Action - Accept
    Rule Group - None
    Log firewall traffic - Enabled
    Source Zones - WAN
    Source Networks and devices - Any
    During Scheduled Time - All the time
    Destination Zones - LAN
    Destination Networks - 100.200.100.67
    Services HTTPS
    Web filtering is not configured
    Configured Synchronized Security Heartbeat both set to No Restriction
    Other Features: All unconfigured with the exception of IPS which is set to WAN TO LAN policy  



This thread was automatically locked due to age.
  • 0

    Actually this firewall rule and NAT looks fine to me. Could you remove the Inbound Interface criteria and go with any? Because if you hit the User Portal, it means the NAT is not hitting. If NAT would hit but FIrewall not, it would show you connection refused. 

    So the NAT seems to be the issue. What about reloading(opening it, saving it without change) the NAT Rule? Will this resolve the issue? 

  • +1 in reply to LuCar Toni

    It was looking fine to me as well, but I tried just reloading the NAT Rule on one of them but it made no change. One thing that caught my eye when I was in the NAT rules section is under usage I show no usage to any of those NAT rules, however it appears all hits are going to a NAT Rule called "Default SNAT IPv4 - Auto created IPv4 SNAT MASQ rule for traffic from "ANY" inbound interface to WAN outbound interface. Updated automatically with WAN interface changes." should this rule be on or off?

  • 0 in reply to LuCar Toni

    Ok It is definitely being caused by the Default SNAT IPv4 rule. Out of curiosity I moved one of our webserver NAT rules above that default SNAT and the website started loading properly and I also see usage on that NAT Rule. But I am still not sure exactly what that default SNAT rule does and wether its even needed for us.