Passive FTP access from Sophos Connect Client to external server blocked

Hello Nez,

Thank you for contacting the Sophos Community.

Can you do a drop-packet-capture from the console of the XG ( you can SSH in to the XG using Putty and then press 4>3)

console> drop-packet-capture 'host x.x.x.x' (x.x.x.x = IP of the FTPserver)

To see if there is any drop.

Also if there are no drops, please do a .pcap capture and open it with Wireshark to see if it provides more info

https://support.sophos.com/support/s/article/KB-000037007?language=en_US

For the Passive FTP, most likely since it picks a different port it won't work. 

For the Active FTP can you run this command:

console> set advanced-firewall ftpbounce-prevention data

Regards,

Thanks emmosophos

Packet Capture as below, with IP's swapped to x.x.x.x

Active FTP Transfer (before command from your reply)

Date=2021-03-06 Time=09:42:38 log_id=010202106 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=0 outzone_id=0 source_mac= dest_mac= bridge_name= l3_protocol=IPv4 source_ip=x.x.x.x dest_ip=x.x.x.x l4_protocol=TCP source_port=49573 dest_port=20 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=0 masterid=0 status=0 state=0, flag0=0 flags1=0 pbdid_dir0=0 pbrid_dir1=0

Active FTP Transfer (after command from your reply)

Date=2021-03-06 Time=09:54:03 log_id=010202106 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=0 outzone_id=0 source_mac= dest_mac= bridge_name= l3_protocol=IPv4 source_ip=x.x.x.x dest_ip=x.x.x.x l4_protocol=TCP source_port=52750 dest_port=20 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=0 masterid=0 status=0 state=0, flag0=0 flags1=0 pbdid_dir0=0 pbrid_dir1=0

Passive FTP Transfer

Date=2021-03-06 Time=09:48:09 log_id=010202106 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=0 outzone_id=0 source_mac= dest_mac= bridge_name= l3_protocol=IPv4 source_ip=x.x.x.x dest_ip=x.x.x.x l4_protocol=TCP source_port=51176 dest_port=3915 fw_rule_id=N/A policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=0 masterid=0 status=0 state=0, flag0=0 flags1=0 pbdid_dir0=0 pbrid_dir1=0

However, if I use the same FTP software from a machine on the LAN rather than the VPN, transfers work fine and no packets are dropped.

I've tried a split tunnel (with FTP server listed in servers to tunnel) and a Tunnel all connection with the same results.

Hello there,

Thank you for the follow-up

Yes for the Active I was expecting to see the correct port for FTP 20, but I wasn’t expecting to see an Invalid_Traffic log.

Does a regular Ping from the Sophos Connect to the FTP in Azure work or any other type of communication that you can test going there?

Also just to double confirm this FTP server in Azure is not accessed by IPsec (Xg -- Azure Site-to-Site) correct it’s only Web base.

Regards,

Sorry to didn’t make that side clear.  
Weirdly, some files are actually transferred, but some error.  No pattern that I can see. 
mom ftp I can create folders, navigate, delete etc, but if I upload a number of files, it will often error and show the drops in firewall. 
I can ping, rdc, web without issues so far.  Just the FTP. 
But if I sit on the LAN and do the same tasks it works.  
There is no secure link / vpn / other to azure.  Purely just our WAN IP allowed through the firewall on relevant ports. 

Hello Nez,

Thank you for the info.

Can you check if you have IPS enabled for this traffic, if you do please disable it.

Also, can you confirm if you’re using Web Proxy in the Firewall Rule for the Sophos Connect going to the WAN?

Regards,

No IPS or web proxy on the Sophos Connect to WAN rule.

Rule screenshot attached if it helps.  Destination network is set to ANY.

Hello there,

Thank you for the screenshots, all seems correct.

I am not sure if DPI might be causing some interference (I don't think, but you can add the Sophos Connect Range to the SSL/TLS inspection rules).

If this is still failing, open a case with Support and share the Case ID, more investigation would be needed.

Regards,

Thanks.

Case raised under 03753709.

So far I have been told the mac client is out of date, even though it's the latest version on my XG.

Although if I try to download via the client log in, not the admin, I get an error "Requested file could not be provided. Make sure Pattern Updates are working correctly.
You can find it under 'Backup & Firmware' -> 'Pattern Updates'"

Pattern updates are all up to date, but I saw another discussion that this error is a known issue being worked on.

Thanks.

Case raised under 03753709.

So far I have been told the mac client is out of date, even though it's the latest version on my XG.

Although if I try to download via the client log in, not the admin, I get an error "Requested file could not be provided. Make sure Pattern Updates are working correctly.
You can find it under 'Backup & Firmware' -> 'Pattern Updates'"

Pattern updates are all up to date, but I saw another discussion that this error is a known issue being worked on.

Hello there,

Thank you for the Access ID.

You can ask the users to download the Sophos Connect 2.1 from this link.

https://www.sophos.com/en-us/support/downloads/eula.aspx?downloadKey=6af9884a-8b35-4e3e-8de0-36c7063293de&entitlementId=00000000-0000-0000-0000-000000000000

Yes, the issue with users getting a .txt file on the User Portal when trying to download the IPSec (Sophos Connect) Client is a known issue with the Pattern Update 2.1 for Sophos Connect.

Regards,

That link only seems to be the windows msi.  There is no Mac version there. 

You can download SC 2.1 now from the webadmin(VPN > IPsec (remote access) > Download client).

Ensure that the latest pattern version of Sophos Connect Client is installed under Backup & firmware > Pattern updates.

My pattern is the latest but the Mac version being downloaded is still only v1,4.  Windows but s coming down as v2.1 though 

Hello there,

The updated version for Windows is 2.1 while MacOS is 1.4.634.

My apologies my previous answer was incorrect, I misread the part about you using Mac in your last reply.

Try running this command from the Console (5>4) 

console> set ips ac_atp exception fwrules 2 (Substitute the number 2 for the Firewall rule ID of the VPN to WAN)

This command basically disables the Global IPS in this specific rule (Additional to the IPS policy you can manually set in the Firewall rule)

Regards,

Thanks.

I just tried that command, and FTP uploads to a machine on the LAN, or on the WAN both fail as before I'm afraid.

I've reversed the command now to help test further.

I've managed to sort some alternative machines too. 

So Windows 10 (20H2) running SC 2.1 works fine to both FTP servers

And OpenVPN on my mac also works fine with the transfer. Admittedly that's SSLVPN not SC, but still uses the same client IP range and is in the VPN zone, so in my head, same firewall / IPS rules etc.

So this is looking like a Mac Sophos Connect only issue so far.

Tomorrow I'm going to try a clean Mac build just to rule out any 3rd party software on my end, but I've tried 2 different macs with Catalina OS and both have upload issues.

Thanks

Neil.

Hello there,

To reverse the command you can run:

console> set ips ac_atp exception fwrules none

Before running you can check the exception by running:

console> show ips-settings
-------------IPS Settings-------------
ac_atp_exception_fwrules 8

After running the command to remove, you shouldn't see the ac_atp_exception rule in there

Thank you for the additional feedback on the Windows computers and your next steps on the MAC.

Regards,

So far, if using the Sophos Connect app on any mac (under Catalina or Big Sur) it will fail on my FTP uploads.  However the same task on a Windows PC with Sophos Connect, or on a Mac using Open VPN works fine.

Is SC v2 for Mac being worked on?

Hello Nez,

The information I have about v2 for MAC is that it’s the road map, but no ETA.

Regards,