
Passive FTP access from Sophos Connect Client to external server blocked

We have recently set up a new XG running OS 18.0.4.

We have remote client using Sophos Connect.

We also have an Azure based web server, off site (obviously) that is locked for FTP access ONLY to our office WAN IP.

From the office, no outgoing ports are blocked, and the VPN zone is allowed all port access to remote servers.

Now if I run a Passive FTP connection through the VPN to the Azure server, I get Firewall errors of Invalid Traffic - Denied from a random port usually to port 21, or from 21 to the WAN IP. In addition, the file transfers often fail, but not all the time, as in if I upload a folder of items, some make it through and some error.

But if I do the same task from a machine sat in the office, it seems to copy ok, although it does seem to hit errors in the firewall log still.

On our old Sonicwall we had no issues doing the same tasks.

Any ideas?



This thread was automatically locked due to age.
  • FormerMember in reply to Nez_Pottage

    You can download SC 2.1 now from the webadmin(VPN > IPsec (remote access) > Download client).

    Ensure that the latest pattern version of Sophos Connect Client is installed under Backup & firmware > Pattern updates.

  • My pattern is the latest but the Mac version being downloaded is still only v1.4. Windows is coming down as v2.1 though.

  • Hello there,

    The updated version for Windows is 2.1 while MacOS is 1.4.634.

    My apologies, my previous answer was incorrect; I misread the part about you using Mac in your last reply.

    Try running this command from the Console (5>4):

    console> set ips ac_atp exception fwrules 2

    (Substitute the number 2 for the Firewall rule ID of the VPN to WAN)

    This command basically disables the Global IPS in this specific rule (Additional to the IPS policy you can manually set in the Firewall rule)

    Regards,

  • Thanks.

    I just tried that command, and FTP uploads to a machine on the LAN, or on the WAN both fail as before I'm afraid.

    I've reversed the command now to help test further.

    I've managed to sort some alternative machines too. 

    So Windows 10 (20H2) running SC 2.1 works fine to both FTP servers.

    And OpenVPN on my Mac also works fine with the transfer. Admittedly that's SSLVPN not SC, but still uses the same client IP range and is in the VPN zone, so in my head, same firewall / IPS rules etc.

    So this is looking like a Mac Sophos Connect only issue so far.

    Tomorrow I'm going to try a clean Mac build just to rule out any 3rd party software on my end, but I've tried 2 different Macs with Catalina OS and both have upload issues.

    Thanks

    Neil.

  • Hello there,

    To reverse the command you can run:

    console> set ips ac_atp exception fwrules none

    Before running you can check the exception by running:

    console> show ips-settings
    -------------IPS Settings-------------
    ac_atp_exception_fwrules 8

    After running the command to remove, you shouldn't see the ac_atp_exception rule in there.

    Thank you for the additional feedback on the Windows computers and your next steps on the Mac.

    Regards,

  • So far, if using the Sophos Connect app on any Mac (under Catalina or Big Sur) it will fail on my FTP uploads. However the same task on a Windows PC with Sophos Connect, or on a Mac using OpenVPN works fine.

    Is SC v2 for Mac being worked on?

  • Hello Nez,

    The information I have about v2 for Mac is that it’s on the road map, but no ETA.

    Regards,