Sophos officially recommends not using wildcard FQDN hosts (e.g. *.microsoft.com), even though they come out of the box with the XG firewall setup.
The XG backend processing for FQDN IPs used for IPsets is not reliable. Therefore, it is quite possible that your intended rule randomly does not process the connections but other rules do.
We created a case for this a year ago already. At that time, we noticed unaccountable, significant service impact, especially on cloud services. Even Sophos Central endpoint management is still affected.
We quickly identified that dedicated connections (same source IP & port to same destination IP & port) are processed by different rules, and the rules suddenly change within seconds.
Depending on your actual rule setup, it can switch between allowing and dropping traffic if the intended rule has wildcard FQDN host(s).
The advice from Sophos GES is now to create FQDNs for all URLs registered with the wildcard individually and use those instead, as this behavior is by design. No, I'm not kidding! However, we know that this is usually impossible.
I just want to let you know about the behavior, as many may use wildcard FQDN hosts and wonder about bad service quality or unexpected service interruption.
NESCOM – (previously Sophos Partner)
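As an added example (not part of the original post or of any Sophos tooling), a small Python check over constructed key=value firewall log lines: it tracks each flow by its 5-tuple and flags flows whose matching rule ID changes within a few seconds, which is the symptom described above. The field names (timestamp, fw_rule_id, status, src_ip, ...) and the log layout are assumptions, not a verified Sophos log format.

```python
import re

# Constructed sample log lines in an assumed key=value layout (not captured from a real device).
# Flow 10.0.0.5:51000 -> 203.0.113.10:443 is allowed by rule 12 twice, then denied by rule 0
# two seconds later: the kind of rule flip the post describes.
SAMPLE_LOG = """\
timestamp=1700000000 fw_rule_id=12 status=Allow src_ip=10.0.0.5 src_port=51000 dst_ip=203.0.113.10 dst_port=443
timestamp=1700000002 fw_rule_id=12 status=Allow src_ip=10.0.0.5 src_port=51000 dst_ip=203.0.113.10 dst_port=443
timestamp=1700000004 fw_rule_id=0 status=Deny src_ip=10.0.0.5 src_port=51000 dst_ip=203.0.113.10 dst_port=443
timestamp=1700000005 fw_rule_id=7 status=Allow src_ip=10.0.0.6 src_port=52000 dst_ip=198.51.100.5 dst_port=443
timestamp=1700000009 fw_rule_id=7 status=Allow src_ip=10.0.0.6 src_port=52000 dst_ip=198.51.100.5 dst_port=443
"""

KV = re.compile(r'(\w+)=(\S+)')


def parse_line(line):
    """Split one key=value log line into a dict (assumed field names)."""
    return dict(KV.findall(line))


def find_rule_flips(log_text, window=10):
    """Return flows where two consecutive entries for the same 5-tuple were matched
    by different fw_rule_id values no more than `window` seconds apart.
    Each hit is (flow, old_rule, new_rule, old_status, new_status, seconds_between)."""
    last = {}   # flow -> (timestamp, rule_id, status) of its most recent entry
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        try:
            flow = (rec['src_ip'], rec['src_port'], rec['dst_ip'], rec['dst_port'])
            ts = int(rec['timestamp'])
            rule, status = rec['fw_rule_id'], rec['status']
        except (KeyError, ValueError):
            continue  # skip lines that lack the fields this check needs
        prev = last.get(flow)
        if prev is not None and prev[1] != rule and ts - prev[0] <= window:
            hits.append((flow, prev[1], rule, prev[2], status, ts - prev[0]))
        last[flow] = (ts, rule, status)
    return hits


if __name__ == '__main__':
    for flow, old, new, old_st, new_st, gap in find_rule_flips(SAMPLE_LOG):
        print(f"{flow}: rule {old} ({old_st}) -> rule {new} ({new_st}) after {gap}s")
```

Run it against an export of the firewall log with the field names adjusted to the real layout; any hit is a flow that changed rules mid-stream and is worth checking for a wildcard FQDN host in the rule involved.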