
XG135 web problems only on two laptops

Dear all,

Can someone help me understand what I missed?

The whole company is working fine, but I was working on two new laptops and only these two didn't reach some internet websites (YouTube, Spotify, SoundCloud and similar).

At the beginning, as you can also notice from the type of websites, it sounded like a web filter problem, but even with a specific rule on the firewall with the web filter set to "allow all" I have the same problem.

In the logs I have, randomly, this:

But in the config, Spoof control is deactivated.

As config I have two XG135 in HA with SFOS 18.0.4 MR-4.

Does someone have a tip?



This thread was automatically locked due to age.
  • Okay, one last thing - in the firewall rule you are using the "Decrypt HTTPS during web proxy filtering" option under Web Proxy Options.  You might have a misconfiguration issue in the SSL/TLS Inspection rules tab of the "Rules and Policies" section of the UI...  I suggest you create a separate rule (clone the one above) without HTTP/Decrypted HTTPS and "Decrypt HTTPS during web proxy filtering" - as the source network and devices, add the 30.114 IP address - then test the rule again (make sure you have a default SNAT rule so the NAT will work for that rule too, as your rule ID #7 is linked to a firewall rule - or create a new NAT rule for this firewall rule).

  • Hi Regis, sorry for the delay...

    All matching criteria of the firewall #3 (________->WAN), including users and schedule, apply to its linked NAT rule. Can’t edit these in the NAT rule.
    So I cannot modify this specific rule without, I think, detaching it from the firewall rule.
  • If I take off the MASQ value, nobody will use the internet at all. BTW the config was imported from the old Cyberoam; I know that the config must be cleaned... but I cannot understand why 50-60 laptops work normally and only these two do not...

    I also tested reinstalling an old laptop from 0, and there is no problem at all...

  • BTW... I created the cloned rule... and here are the results

    I also checked taking the Original value instead of MASQ in the NAT rule, and as I expected, the laptop is not able to do anything on the internet.

  • Tested a brand new laptop... same problem... with an old one reinstalled from 0... no problem at all... I'm lost...

  • I've put the new laptop on another network... I found this:

    messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" nat_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="Port2.50" in_display_interface="Port2.50" out_interface="" out_display_interface="" src_mac="00:24:9b:54:ed:14" dst_mac="" src_ip="192.168.50.100" src_country="R1" dst_ip="192.168.50.255" dst_country="R1" protocol="UDP" src_port="137" dst_port="137" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
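To read the quoted SFOS entry without misattributing it, here is an added Python example (not from the thread or from Sophos) that parses the key="value" log format and labels the deny; it assumes a /24 subnet for the broadcast check, which the thread never states. It shows that the entry above is NetBIOS name-service traffic to the subnet broadcast address, which the appliance drops as local-service traffic on any LAN segment, so it should not be read as the cause of the web problem.

```python
import ipaddress
import re
from typing import Dict

# Constructed, shortened copy of the SFOS "Appliance Access" denied entry quoted above
# (the real line carries many more key="value" fields; the parser treats them the same way).
SAMPLE_DENY = (
    'messageid="02002" log_type="Firewall" log_component="Appliance Access" '
    'log_subtype="Denied" status="Deny" fw_rule_id="N/A" nat_rule_id="0" '
    'ether_type="IPv4 (0x0800)" in_interface="Port2.50" out_interface="" '
    'src_ip="192.168.50.100" dst_ip="192.168.50.255" protocol="UDP" '
    'src_port="137" dst_port="137" hb_status="No Heartbeat" message=""'
)

# One SFOS field: bare key, '=', double-quoted value that may be empty or contain spaces.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

NETBIOS_PORTS = {"137", "138"}  # NetBIOS name / datagram service (UDP)


def parse_sfos_line(line: str) -> Dict[str, str]:
    """Turn an SFOS key="value" log line into a dict (empty values are kept as '')."""
    return dict(FIELD_RE.findall(line))


def is_local_broadcast(fields: Dict[str, str], prefix_len: int = 24) -> bool:
    """True if dst_ip is the limited broadcast or the directed broadcast of src_ip's subnet.
    The thread never states the subnet mask, so /24 is an assumed default."""
    dst = fields.get("dst_ip", "")
    if dst == "255.255.255.255":
        return True
    try:
        net = ipaddress.ip_network(f'{fields["src_ip"]}/{prefix_len}', strict=False)
        return ipaddress.ip_address(dst) == net.broadcast_address
    except (KeyError, ValueError):
        return False


def classify_deny(fields: Dict[str, str]) -> str:
    """Label a denied entry so broadcast chatter is not mistaken for the web outage."""
    if fields.get("log_subtype") != "Denied":
        return "not-a-deny"
    if is_local_broadcast(fields) and fields.get("dst_port") in NETBIOS_PORTS:
        return "netbios-broadcast-noise"  # expected on a LAN segment, unrelated to HTTPS
    if fields.get("log_component") == "Appliance Access":
        return "appliance-access-deny"  # traffic aimed at the firewall itself
    return "firewall-rule-deny"


if __name__ == "__main__":
    parsed = parse_sfos_line(SAMPLE_DENY)
    print(parsed["in_interface"], parsed["dst_ip"], classify_deny(parsed))
```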

  • Good Morning Stefano,

    The NAT rule I wanted you to change TO MASQ (not from MASQ to original, but original to MASQ) is this one:

    I wasn't talking about your other NAT rule, which seems to be configured okay.  For the above though, I'm fairly sure it will not work - and that all your DNS traffic goes through your rule #3 and NAT #7.

    That said, what I suggest is that you create an entirely new rule cloned from rule #3 - or create a completely new one and link a new NAT (SNAT) policy to it, from your LAN/source network where your non-working laptop is to WAN - all services, no users/schedules/web/app policy attached to the rules - no decryption.  Just a straight allow all - and you can filter the source IP for the non-working laptop IP (was 30.114 yesterday).

    You can also, for testing purposes, remove all the filtering features from your firewall rule #7 (so schedule, users, heartbeat, web, app, decryption, etc.) and test the laptop to see if it works.  If it works, then there is something up with that config.  If it doesn't, then I see 1 possibility:

    You have some kind of MAC filtering on your network.  It could be on your Sophos, switches...  Why I think it is a possibility is because you said that old laptops with a clean install work, and any new device doesn't.  This suggests to me some kind of device filtering on the network - and logically, the MAC address doesn't change, so if an old laptop's MAC address is authorized, even after an OS reinstall it will still work.

    Let's try the above first - let me know how this goes.

  • So, we were able to identify that there is another router that also acts as NAT in front of the Sophos XG.  The current config is double-NAT, from what I could tell, and there is an issue with that box - not the Sophos.  We've discussed changing the box mode to passthrough/bridge mode, or looking at the configuration to see if there is anything preventing unknown devices' traffic from passing.

    Please, let me know how this plays out.

    Kind Regards,

    Regis