Sophos XG Block Inter-VLAN Traffic DMZ

Hello everyone,

I have a VLAN 10 which is my DMZ and I want to disable/block access to my internal network (VLAN 1).

I can ping every device from my DMZ and access every LAN device.

I already tried to add a BLOCK Rule, but my Sophos seems to ignore it.

Anybody got an idea how to block these?

  • Hello xXTim150Xx

    is there another router between the VLAN 10 (DMZ) and VLAN 1 (LAN)?

    Are the interfaces defined in the correct zones?

    Sophos XG needs rules for all internal routing.

    You can try to figure out what's happening by switching on logging on each rule and tracing a communication from DMZ to LAN in the logfile.


    Best regards,
    BeEf

  • The interfaces are all in their own Zones (LAN, DMZ).

    There is no other router in my network. 

    The Sophos is also my gateway, which is virtualized on Proxmox.

    All Ethernet interfaces connected to the Sophos are bridged with OVS.

    If I do a traceroute, the way is like: Gateway VLAN10 → Host Network LAN

  • Can you show me the interface definition? Are there bridges involved?

    Unset the policy filter and go through the firewall rules 1 by 1 and do not care about the names. 
    There could also be a zone Any or you mixed some things up.

    As this is virtualized, the cause of the problem could also lie outside of the firewall or in the physical-virtual "wiring". Without really knowing what's wrong, my gut feeling is that this is the reason with a probability of >>50%.

  • Also look for any rules that contain source any -> network any and replace with LAN and your LAN network.

    Ian

  • FormerMember in reply to xXTim150Xx

    Hi,

    I don't think this is an issue anymore, as running this policy test from your firewall shows that the traffic from VLAN10 to LAN is dropped. 

    Reference screenshot: 

    Please confirm and update us.

    Thanks,

  • Thank you so much, it's working now.

    What was the reason for this behavior?

  • FormerMember in reply to xXTim150Xx

    Hi,

    Thank you for the update. 

    When I looked at your firewall, the rules were already corrected. I think there was a firewall rule configured to allow traffic between DMZ or ANY zone to LAN. 

    If you need to test the firewall rules, you can run the policy test to see if traffic is blocked or allowed, you can also see the firewall rule number for allowed or blocked traffic.

    Thanks,
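The diagnosis that emerges from the thread (a broad "Any -> Any" allow rule sitting above the DMZ -> LAN block, so the block is never reached, and using the policy test to see which rule number actually matches) can be modelled with a small first-match rule evaluator. The code below is an added example, not Sophos code and not the Sophos XG policy-test implementation: the zone names, rule numbers and the 10.10.10.0/24 (DMZ) and 192.168.1.0/24 (LAN) networks are constructed, and the implicit drop for traffic matching no rule is an assumption of the model. It also adds a shadow check that flags a rule whose every possible match is already taken by an earlier rule with the opposite action.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "ANY"  # stands in for the "Any" zone / "Any" network object


@dataclass(frozen=True)
class Rule:
    number: int
    name: str
    src_zone: str   # zone name or ANY
    src_net: str    # CIDR or ANY
    dst_zone: str
    dst_net: str
    action: str     # "ACCEPT" or "DROP"

    def matches(self, src_zone, src_ip, dst_zone, dst_ip):
        return (_zone_ok(self.src_zone, src_zone) and _net_ok(self.src_net, src_ip)
                and _zone_ok(self.dst_zone, dst_zone) and _net_ok(self.dst_net, dst_ip))


def _zone_ok(rule_zone, zone):
    return rule_zone == ANY or rule_zone == zone


def _net_ok(rule_net, ip):
    return rule_net == ANY or ip_address(ip) in ip_network(rule_net)


def policy_test(rules, src_zone, src_ip, dst_zone, dst_ip):
    """Top-down, first-match evaluation like a policy test: returns
    (action, number of the rule that matched). Assumption of this model:
    traffic matching no rule is dropped, reported with rule number None."""
    for rule in rules:
        if rule.matches(src_zone, src_ip, dst_zone, dst_ip):
            return rule.action, rule.number
    return "DROP", None


def _covers(broad, narrow):
    """True if everything `narrow` could match is also matched by `broad`."""
    def zone_cov(b, n):
        return b == ANY or b == n

    def net_cov(b, n):
        if b == ANY:
            return True
        if n == ANY:
            return False
        try:
            return ip_network(n).subnet_of(ip_network(b))
        except TypeError:          # mixed IPv4/IPv6: cannot cover
            return False

    return (zone_cov(broad.src_zone, narrow.src_zone) and net_cov(broad.src_net, narrow.src_net)
            and zone_cov(broad.dst_zone, narrow.dst_zone) and net_cov(broad.dst_net, narrow.dst_net))


def shadowed_rules(rules):
    """(shadowed_number, shadowing_number) pairs: a rule is dead when an earlier
    rule with a different action already matches everything it would."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != later.action and _covers(earlier, later):
                found.append((later.number, earlier.number))
                break
    return found


# Constructed rule set reproducing the misconfiguration discussed in the thread:
# an "Any -> Any" allow above the DMZ -> LAN block, so the block never fires.
MISCONFIGURED = [
    Rule(1, "Allow Any to Any", ANY, ANY, ANY, ANY, "ACCEPT"),
    Rule(2, "Block DMZ to LAN", "DMZ", "10.10.10.0/24", "LAN", "192.168.1.0/24", "DROP"),
]

# Constructed corrected set: the allow rule is scoped to the LAN zone and LAN network.
CORRECTED = [
    Rule(1, "Allow LAN to Any", "LAN", "192.168.1.0/24", ANY, ANY, "ACCEPT"),
    Rule(2, "Block DMZ to LAN", "DMZ", "10.10.10.0/24", "LAN", "192.168.1.0/24", "DROP"),
]

if __name__ == "__main__":
    probe = ("DMZ", "10.10.10.5", "LAN", "192.168.1.20")
    print("misconfigured:", policy_test(MISCONFIGURED, *probe), "shadowed:", shadowed_rules(MISCONFIGURED))
    print("corrected:   ", policy_test(CORRECTED, *probe), "shadowed:", shadowed_rules(CORRECTED))
```

Running it shows the DMZ -> LAN probe accepted by rule 1 in the misconfigured set (with rule 2 reported as shadowed) and dropped by rule 2 in the corrected set, which is the same signal the policy test gives when it prints the matching rule number.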