
XG135 web problems only on two laptops

Dear all,

Can someone help me understand what I missed?

The whole company is working fine, but I was working on two new laptops and only these two didn't reach some internet websites (YouTube, Spotify, SoundCloud and similar).

At the beginning, as you can also notice from the type of websites, it sounded like a web filter problem, but even with a specific rule on the firewall with the web filter set to "allow all" I have the same problem.

In the logs I have, randomly, this:

But in the config, spoof control is deactivated.

As for the config, I have two XG135 in an HA configuration with SFOS 18.0.4 MR-4.

Does someone have a tip?



This thread was automatically locked due to age.
  • Hey there Stefano, 

    I guess the 30.1 is your Sophos, right? From the look of it, it seems like the source IP is being spoofed, i.e. another device on your network might be configured with the 30.1 IP address? If that's the case, even with spoof protection disabled, I don't think the Sophos will like having another device pretending it's the Sophos on the network... You can also use a packet capture to see the source MAC address.

    Also, if it is web filtering, open the logs and check in the web filter logs. You should see something blocked there if it is indeed the web filter. Also, check if you have applied an app policy to the rule, and look at the application logs too to make sure nothing is being blocked.

    Regards,

    Regis 

  • Hi Regis, thank you for the reply...

    Now come the strange things...

    1. I don't think that the IP address will be corrupted by other machines; it's our gateway. If there were a problem with the gateway IP, nobody would enjoy the internet (no?).

    2. WebFilter log

    all fine

    3. no app policy configured

    4. here below the situation on the laptop

    BTW... I tested over Wi-Fi: same. Another cable (another switch): same. Only with the hotspot on my mobile does it work fine... I still have no ideas...

  • No, the idea is to capture the packets that are going out from the non-working laptop. So you start the packet capture (with the filter as mentioned above), then you immediately go on the non-working laptop and try the different websites that aren't working. The firewall will then capture the packets for that IP address (30.114), and it will give us a better picture of what exactly is going on and why some of the packets are blocked/dropped, and under which rule this is happening.

  • Got it!

    Here we are.

    And yes... all the Incoming status rows have the same source MAC and destination MAC, as do all the Forward status rows... as below:

    Incoming

    and Forward

  • Can you do the same (with YouTube) with one that works? I see the NAT ID and Rule ID; I want to make sure they both use the same NAT/rules.

  • Do you have any of the "incoming" packets too? Also, can you screenshot the firewall rule 3 and NAT rule 7? And give me a screenshot of your firewall log filtered with src IP 192.168.30.114 and action "is not" allowed?

  • I didn't see incoming packets... too much traffic on my laptop. Anyway:

    Firewall rule


    and the NAT rule

  • The NAT rule seems to be only for the DNS service, so it seems to NAT your DCs to your External-DNS, whatever it is, but it's not going to NAT your other requests... I don't think this is the right NAT rule. There is the rule #, which is the actual row number, not the NAT ID; I'm looking for the one that has 7 in the "Id" column.

    Can you expand the "configure synchronize security" part of the rule? I also don't see the detect and prevent exploits part of the rule.

  • Quickly: ideally, you would set an outbound interface to whatever your WAN port is, not leaving it to Any. Also, the firewall/web/app filter log would be helpful. But I would suggest you set an outbound interface on your NAT rule...

  • Also, looking at this rule here: because the DNS requests are going outside, shouldn't the Translated Source be something other than Original? Are the "External-DNS" entries WAN IPs? If so, this NAT rule should be set in the SNAT as MASQ (or whatever external IP you want it to be translated to...).

  • If I take off the MASQ value, nobody will use the internet at all. BTW, the config was imported from the old CyberoAM; I know that the config must be cleaned... but I cannot understand why 50-60 laptops work normally and only these two don't...

    I also tested reinstalling an old laptop from scratch, and there is no problem at all...

  • BTW... I created the cloned rule... and here are the results.

    I also tried using the Original value instead of MASQ in the NAT rule, and as I expected, the laptop is not able to do anything on the internet.

  • Tested a brand new laptop... same problem... With an old one reinstalled from scratch... no problem at all... I'm lost...

  • I've put the new laptop on another network... I found this:

    messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" nat_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="Port2.50" in_display_interface="Port2.50" out_interface="" out_display_interface="" src_mac="00:24:9b:54:ed:14" dst_mac="" src_ip="192.168.50.100" src_country="R1" dst_ip="192.168.50.255" dst_country="R1" protocol="UDP" src_port="137" dst_port="137" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
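The log line above is in the SFOS key="value" format, and the filter Regis asked for earlier (this source IP, action is not allowed) is easy to apply offline once the lines are parsed. The following is an added example, not part of this thread and not Sophos code: it parses SFOS firewall log lines, keeps only the non-allowed entries for one source IP, and separates local noise (packets to the subnet broadcast address or handled by Appliance Access, where fw_rule_id is "N/A") from traffic the firewall was asked to forward and dropped under a numbered rule. The first sample line is the one posted above, copied verbatim; the other sample lines, the 203.0.113.10 destination and their messageid values are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# SFOS firewall log lines are key="value" pairs separated by spaces. Values can
# themselves contain spaces (e.g. ether_type="IPv4 (0x0800)"), so match the
# quoted pairs instead of splitting on whitespace.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Sample input. SAMPLE_LINES[0] is the line posted in the thread; the rest are
# constructed for this example (messageid "00000", documentation address 203.0.113.10).
SAMPLE_LINES = [
    'messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" nat_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="Port2.50" in_display_interface="Port2.50" out_interface="" out_display_interface="" src_mac="00:24:9b:54:ed:14" dst_mac="" src_ip="192.168.50.100" src_country="R1" dst_ip="192.168.50.255" dst_country="R1" protocol="UDP" src_port="137" dst_port="137" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"',
    # constructed: the same laptop, HTTPS allowed by firewall rule 3 / NAT 7
    'messageid="00000" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id="3" nat_rule_id="7" in_interface="Port2.50" out_interface="Port1" src_mac="00:24:9b:54:ed:14" src_ip="192.168.50.100" dst_ip="203.0.113.10" protocol="TCP" src_port="51234" dst_port="443"',
    # constructed: the same laptop, HTTPS dropped under firewall rule 3
    'messageid="00000" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id="3" nat_rule_id="7" in_interface="Port2.50" out_interface="Port1" src_mac="00:24:9b:54:ed:14" src_ip="192.168.50.100" dst_ip="203.0.113.10" protocol="TCP" src_port="51235" dst_port="443"',
    # constructed: a different host, must be ignored by the source-IP filter
    'messageid="00000" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id="3" nat_rule_id="7" in_interface="Port2.50" out_interface="Port1" src_mac="00:24:9b:aa:bb:cc" src_ip="192.168.50.101" dst_ip="203.0.113.10" protocol="TCP" src_port="51236" dst_port="443"',
]


def parse_sfos_line(line):
    """Turn one SFOS log line into a dict of field -> value."""
    return dict(KV_RE.findall(line))


def not_allowed_for_host(entries, src_ip):
    """Apply the 'src IP is X and action is not allowed' filter from the thread."""
    return [e for e in entries if e.get("src_ip") == src_ip and e.get("status") != "Allow"]


def classify(entry, lan_net):
    """Label a non-allowed entry so local noise does not hide real forward drops.

    'local-noise': addressed to the subnet broadcast, or handled by Appliance
    Access (the firewall's own local ACL; such entries carry fw_rule_id "N/A").
    'forward-drop': traffic the firewall was asked to forward and dropped under
    a numbered firewall rule; these are the entries that explain unreachable sites.
    """
    dst = entry.get("dst_ip")
    if not dst:
        return "local-noise"
    if ip_address(dst) == ip_network(lan_net).broadcast_address:
        return "local-noise"
    if entry.get("log_component") == "Appliance Access" or entry.get("fw_rule_id") == "N/A":
        return "local-noise"
    return "forward-drop"


def summarize(lines, src_ip, lan_net):
    """Count non-allowed entries for src_ip by (class, fw_rule_id, in_interface, dst_port)."""
    entries = [parse_sfos_line(line) for line in lines]
    counts = Counter()
    for e in not_allowed_for_host(entries, src_ip):
        key = (classify(e, lan_net), e.get("fw_rule_id"), e.get("in_interface"), e.get("dst_port"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LINES, "192.168.50.100", "192.168.50.0/24").items():
        kind, rule, iface, port = key
        print(f"{kind:13} rule={rule:4} in={iface:9} dst_port={port:5} count={n}")
```

Run against the thread's line, the only non-allowed entry is a NetBIOS name-service broadcast (UDP 137 to 192.168.50.255) dropped by Appliance Access, which the summary files under local noise; only the constructed rule-3 drop shows up as a forward drop. Exporting the firewall log for the affected laptop and feeding it through the same summary tells you quickly whether the web traffic itself is being dropped and, if so, under which rule ID and on which interface.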

  • Good Morning Stefano,

    The NAT rule I wanted you to change TO MASQ (not from MASQ to Original, but Original to MASQ) is this one:

    I wasn't talking about your other NAT rule, which seems to be configured okay. For the above though, I'm fairly sure it will not work, and that all your DNS traffic goes through your rule #3 and NAT #7.

    That said, what I suggest is that you create an entirely new rule cloned from rule #3, or create a completely new one and link a new NAT (SNAT) policy to it, from your LAN/source network where your non-working laptop is to WAN: all services, no users/schedules/web/app policy attached to the rules, no decryption. Just a straight allow all, and you can filter the source IP for the non-working laptop IP (was 30.114 yesterday).

    You can also, for testing purposes, remove all the filtering features from your firewall rule #7 (so schedule, users, heartbeat, web, app, decryption, etc.) and test the laptop to see if it works. If it works, then there is something up with that config. If it doesn't, then I see one possibility:

    You have some kind of MAC filtering on your network. It could be on your Sophos, switches... Why I think it is a possibility is because you said that old laptops with a clean install work, and any new device doesn't. This suggests to me some kind of device filtering on the network; logically, the MAC address doesn't change, so if an old laptop's MAC address is authorized, even after an OS reinstall it will still work.

    Let's try the above first; let me know how this goes.