Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 27 subscribers
  • Views 623 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

firewall portal (user and admin) blacklist ?

Nicolas HORCHOWER

Hello,

I'm using SFVH (SFOS 18.0.4 MR-4), and it looks like one of my internal subnet is blacklisted.

Those machines are always receiving a RST/ACK when they try to connect to the firewall portals (user, authentication, admin).

I can ping, I can even connect in SSH, but as soon as it is a https connection to the firewall always the same : RST/ACK after a SYN

The firewall is allowing forward, so I can go through the FW.

I was wondering if something was wrong with the gateway between the firewall and the subnet, so I move it to another one : same result. Each time packets are coming form this subnet they are refused.

So I guess there is a dynamic or static ACL for internal FW web server.

Can you help ?

Thanks



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to Sophos Community.

    Is your internal subnet in LAN zone or in a different zone?

    Ensure that you have required services enabled for respective zone under Administration > Device access.

    You can find the RST reason from log viewer or by checking the drop packets in CLI

    ==> Under log viewer, you need to check SYSTEM events.

    ==> To check drop packets, login to SSH > 4. Device console

    console> drop-packet-capture 'port <port number(webadmin/auth/userportal)>

    eg. console> drop-packet-capture 'port 8443

    or

    console> drop-packet-capture 'host <source IP or destination IP>

    eg. console> drop-packet-capture 'host 192.168.268.10

    ==> Try to access webadmin/userportal/auth from internal subnet and check drop events. Search for "log_component=" field to find the reason.


    2021-01-03 17:50:52 0103021 IP xx.xx.xx.xx.50134 > 192.168.268.10.8443 : proto TCP: S 1016893201:1016893201(0) win 64860 checksum : 45656
    0x0000: 4500 0034 a0d0 4000 8006 27d7 c0a8 5811 E..4..@...'...X.
    0x0010: c0a8 58ba c3d6 fdeb 3c9c 8f11 0000 0000 ..X.....<.......
    0x0020: 8002 fd5c b258 0000 0204 0582 0103 0308 ...\.X..........
    0x0030: 0101 0402 ....
    Date=2021-01-03 Time=17:50:52 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=4 source_mac=27:6e:27:6e:27:6e dest_mac=27:6e:27:6e:27:6e l3_protocol=IP source_ip=xx.xx.xx.xx dest_ip=192.168.268.10 l4_protocol=TCP source_port=50134 dest_port=8443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=32784 connid=627422808 masterid=0 status=288 state=1 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

  • 0 in reply to FormerMember

    Hello Yash,

    Thanks for your feedback.

    Saddly, nothing is dropped, so drop packet capture is empty,

    yes this subnet is routed in LAN zone, and yes services are activated. I also tried to add the subnet in the Local service ACL exception rule : same result.

    I see the network in ipset, but nothing else.

    Log is empty, I've activated all the logs in the admin page, I'm spammed with many things, but not my issue.

    So that's why I was thinking of something else, but I'm not able to trace something.

    I've tried a couple of grep -r hopping to see something,... no luck.

    Again, I receive an RST/ACK (in tcpdump on the FW I see the [S] from my client and the [R.] from the firewall) so it means that packets are rejected (not dropped).

    And on the Rules page, I saw that all the rule counters are remaining at 0.

    Again, Thanks for your help,

    Best Regards,

  • +1 in reply to Nicolas HORCHOWER

    Hello Nicolas,

    Out of curiosity do you have any bypass for this subnet under Advanced-Firewall?
    console> show advanced-firewall

    Regards,

  • 0 in reply to Nicolas HORCHOWER

    RST. Paket are likely send, if the port is not open for this particular port. 

    Do you have a ACL exception created? 

  • 0 in reply to emmosophos

    Damned, it was it,

    I've tried to disable ips inspection, without luck and let it as is.

    I've "set advanced-firewall bypass-stateful-firewall-config del ..." both in and out and now I can reach the FW interfaces

    I've still got another issue, but it may be somewhere else before the FW Disappointed

    Thanks for your help :)