XG135 web problems only on two laptops

Dear all,

Can someone help me understand what I missed?

The whole company is working fine, but I was working on two new laptops and only these two couldn't reach some internet websites (YouTube, Spotify, SoundCloud and similar).

At the beginning, as you can also notice from the typology of the websites, it sounded like a web filter problem, but even with a specific rule on the firewall with the web filter "allow all" I have the same problem.

In the logs I have, randomly, this:

but in the config the Spoof control is deactivated.

As config I have two XG135 in HA config with (SFOS 18.0.4 MR-4).

Does anyone have a tip?



  • Hey there Stefano, 

    I guess the 30.1 is your Sophos, right? From the look of it, it seems like the source IP is being spoofed, i.e. another device on your network might be configured with the 30.1 IP address? If that's the case, even with spoof protection disabled, I don't think the Sophos will like having another device pretending it's the Sophos on the network... You can also use a packet capture to see the source MAC address.

    Also, if it is web filtering, open the logs and check in the web filter logs. You should see something blocked there if it is indeed the Web Filter. Also, check if you have applied an App policy to the rule, and look at the Application logs too to make sure nothing is being blocked.

    Regards,

    Regis 

  • Hi Regis, thank you for the reply.....

    now come the stranger things....

    1. I don't think that the IP address will be corrupted by other machines. It's our gateway; if there is a problem on the gateway IP, nobody will enjoy internet (no?).

    2. WebFilter log

    all fine

    3. no app policy configured

    4. here below the situation on the laptop

    BTW... I tested over Wi-Fi: same... other cable (other switch): same... it only works fine with the hotspot on my mobile... I still have no ideas...

  • Okay - keep your non-working laptop close

    On your XG - go on "Diagnostics", Packet Capture, click "Configure", and write "host 192.168.30.114" like so:

    Click "Save", and toggle the packet capture switch on - then try to go on youtube again, and any other websites that aren't working.  Once you've done that - toggle the packet capture off - and check the outputs.  Look for the following:

    The Source MAC Address should always be the same.  Also, in the output table, you will see the statuses for the different packets, along with the rule the packet used to go out.  From there, we will have a better idea of what is going on.

    QUICK NOTE - DON'T LEAVE THE PACKET CAPTURE ON TOO LONG...  I had some issues where the firewall became unresponsive for a few mins...

  • Sorry Regis,

    now I'm a little bit confused... do I have to shut down the non-working laptop? I probably misunderstood from where I have to call youtube.com after modifying the capture filter... my fault...

  • No - the idea is to capture the packets that are going out from the non-working laptop. So you start the packet capture (with the filter as mentioned above), then you immediately go on the non-working laptop and try the different websites that aren't working. The firewall will then capture the packets for that IP address (30.114), and it will give us a better picture of what exactly is going on and why some of the packets are blocked/dropped - and under which rule this is happening.

  • got it!

    here we are

    and yes... all the Incoming status rows have the same Source MAC and Destination MAC, as do all the Forward status rows... as below

    incoming

    and Forward

  • Can you do the same (with youtube) with one that works?  I see the NAT ID and Rule ID - I want to make sure they both use the same nat/rules?

  • Do you have any of the "incoming" packets too?  Also - can you screenshot the Firewall Rule 3 and NAT rule 7?  And give me a screenshot of your firewall log filtered with src IP 192.168.30.114 and action - is not - allowed ?  

  • I didn't see incoming packets... too much traffic on my laptop, anyway:

    Firewall rule

      

    and the nat rule

  • The NAT rule seems to be only for DNS service, so it seems to NAT your DCs to your External-DNS, whatever it is - but it's not going to NAT your other requests... I don't think this is the right NAT rule. There is the rule # which is the actual row number - not the NAT ID - I'm looking for the one that has 7 in the "Id" column.

    Can you expand the "configure synchronize security" part of the rule? I also don't see the detect and prevent exploits part of the rule.
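
Added example (not part of the thread or any poster's code): the source-MAC check suggested earlier in the thread, automated over a capture available as `tcpdump -e -n` text, flagging any on-link IP claimed by more than one MAC. The sample lines, the MAC addresses, the /24 LAN and the expansion of "30.1" to 192.168.30.1 are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in `tcpdump -e -n` text format. MACs are made up;
# 192.168.30.1 is assumed to be the gateway the thread calls "30.1".
SAMPLE = """\
10:15:01.100001 02:00:00:00:01:14 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 192.168.30.114.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
10:15:01.100950 02:00:00:00:00:01 > 02:00:00:00:01:14, ethertype IPv4 (0x0800), length 74: 203.0.113.10.443 > 192.168.30.114.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
10:15:02.000300 02:00:00:00:00:01 > 02:00:00:00:01:14, ethertype IPv4 (0x0800), length 98: 192.168.30.1 > 192.168.30.114: ICMP echo reply, id 1, seq 1, length 64
10:15:03.412000 02:00:00:00:00:99 > 02:00:00:00:01:14, ethertype ARP (0x0806), length 60: Reply 192.168.30.1 is-at 02:00:00:00:00:99, length 46
10:15:03.500000 02:00:00:00:00:99 > 02:00:00:00:01:14, ethertype IPv4 (0x0800), length 98: 192.168.30.1 > 192.168.30.114: ICMP echo reply, id 1, seq 2, length 64
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
FRAME = re.compile(rf"^\S+ ({MAC}) > {MAC}, ethertype (\w+) \(0x[0-9a-f]+\), length \d+: (.*)$", re.I)
IPV4_SRC = re.compile(rf"^({IP})(?:\.\d+)? > ")          # optional ".port" suffix
ARP_REPLY = re.compile(rf"^Reply ({IP}) is-at ({MAC})", re.I)

def macs_by_ip(capture_text, lan="192.168.30.0/24"):
    """Map each on-link source IP to the set of MACs seen claiming it."""
    net = ipaddress.ip_network(lan)
    seen = defaultdict(set)
    for line in capture_text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # not a frame line in the expected format
        src_mac, ethertype, rest = m.groups()
        pair = None
        if ethertype.lower() == "ipv4":
            hit = IPV4_SRC.match(rest)
            pair = (hit.group(1), src_mac) if hit else None
        elif ethertype.lower() == "arp":
            hit = ARP_REPLY.match(rest)   # binding announced in the ARP payload
            pair = hit.groups() if hit else None
        # Off-link sources all arrive with the router's MAC, so skip them.
        if pair and ipaddress.ip_address(pair[0]) in net:
            seen[pair[0]].add(pair[1].lower())
    return seen

def conflicts(capture_text, lan="192.168.30.0/24"):
    """Return {ip: [macs]} for every on-link IP seen with more than one MAC."""
    found = macs_by_ip(capture_text, lan)
    return {ip: sorted(macs) for ip, macs in found.items() if len(macs) > 1}

if __name__ == "__main__":
    print(conflicts(SAMPLE))
```

One MAC carrying many IPs is normal for a router; only one IP with several MACs points at a duplicate or spoofed address.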