XG135 web problems only on two laptops

Dear all,

Can someone help me understand what I missed?

The whole company is working fine, but I was working on two new laptops and only these two didn't reach some internet websites (YouTube, Spotify, SoundCloud and similar).

At the beginning, as you can also notice from the type of websites, it sounded like a web filter problem, but even with a specific rule on the firewall with the web filter set to "allow all" I have the same problem.

In the logs I have, randomly, this:

but in the config, Spoof control is deactivated.

As for the config, I have two XG135 in HA with SFOS 18.0.4 MR-4.

Does anyone have a tip?



  • Okay, one last thing: in the firewall rule you are using the "Decrypt HTTPS during web proxy filtering" option under Web Proxy Options. You might have a misconfiguration issue in the SSL/TLS Inspection rules tab of the "Rules and Policies" section of the UI... I suggest you create a separate rule (clone the one above) without the HTTP/Decrypted HTTPS and "Decrypt HTTPS during web proxy filtering" options. As the source network and devices, add the 30.114 IP address, then test the rule again (make sure you have a default SNAT rule so the NAT will work for that rule too, as your rule ID #7 is linked to a firewall rule, or create a new NAT rule for this firewall rule).

  • Hi Regis, sorry for the delay...

    All matching criteria of the firewall #3 (________->WAN), including users and schedule, apply to its linked NAT rule. Can’t edit these in the NAT rule.
    so I cannot modify this specific rule without, I think, detaching it from the firewall rule...
  • If I take off the MASQ value, nobody will use the internet at all. BTW, the config was imported from the old CyberoAM; I know that the config must be cleaned... but I cannot understand why 50-60 laptops work normally and only these two don't...

    I also tested reinstalling an old laptop from 0, and there is no problem at all...

  • BTW, I created the cloned rule... and here are the results:

    I also checked using the Original value instead of MASQ in the NAT rule, and as I expected, the laptop is not able to do anything on the internet.

  • Tested a brand new laptop... same problem... with an old one reinstalled from 0... no problem at all... I'm lost...

  • I put the new laptop on another network... I found this:

    messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" nat_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="Port2.50" in_display_interface="Port2.50" out_interface="" out_display_interface="" src_mac="00:24:9b:54:ed:14" dst_mac="" src_ip="192.168.50.100" src_country="R1" dst_ip="192.168.50.255" dst_country="R1" protocol="UDP" src_port="137" dst_port="137" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
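    As an added example (not code from the thread or from Sophos), here is a small parser for the SFOS key="value" log format shown above, with a triage step that separates the posted line (a UDP/137 NetBIOS name-service packet from 192.168.50.100 to 192.168.50.255, dropped under "Appliance Access" with no firewall rule id) from a deny that actually comes from a user firewall rule. The /24 mask for the Port2.50 VLAN, the reading of "Appliance Access" plus fw_rule_id="N/A" as the appliance's local ACL dropping a packet addressed to the box itself, and the second log line are assumptions constructed for the example; only PAGE_LOG is taken from the post.

```python
import ipaddress
import re
from collections import Counter

# SFOS firewall log lines are space-separated key="value" pairs; values are
# double-quoted and may contain spaces, e.g. ether_type="IPv4 (0x0800)".
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sfos_log(line: str) -> dict:
    """Parse one SFOS key="value" log line into a dict of strings."""
    return dict(KV_RE.findall(line))


# Assumption: the VLAN on Port2.50 is 192.168.50.0/24. The thread only shows a
# .100 source and a .255 destination, not the mask.
ASSUMED_LAN = ipaddress.ip_network("192.168.50.0/24")
NETBIOS_UDP_PORTS = {"137", "138"}  # NetBIOS name service / datagram service


def triage(entry: dict, lan: ipaddress.IPv4Network = ASSUMED_LAN) -> dict:
    """Classify one parsed entry: LAN broadcast noise, a real rule deny, or other."""
    dst = entry.get("dst_ip", "")
    is_broadcast = bool(dst) and ipaddress.ip_address(dst) in (
        lan.broadcast_address, ipaddress.ip_address("255.255.255.255"))
    is_netbios = entry.get("protocol") == "UDP" and entry.get("dst_port") in NETBIOS_UDP_PORTS
    # Interpretation (not stated in the thread): log_component="Appliance Access"
    # with fw_rule_id="N/A" means the packet was addressed to the appliance itself
    # and dropped by its local service ACL, not by a user-defined firewall rule.
    local_acl = (entry.get("log_component") == "Appliance Access"
                 and entry.get("fw_rule_id") == "N/A")
    denied = entry.get("status") == "Deny"
    if denied and is_broadcast and is_netbios and local_acl:
        verdict = "benign-noise"
        reason = "LAN NetBIOS broadcast dropped by the appliance's local ACL; unrelated to internet access"
    elif denied and entry.get("fw_rule_id") not in ("", "N/A", "0"):
        verdict = "rule-deny"
        reason = f"denied by firewall rule {entry['fw_rule_id']}"
    elif denied:
        verdict = "needs-look"
        reason = "denied without a user rule id (default drop or local ACL)"
    else:
        verdict = "allowed"
        reason = "not a deny"
    return {"verdict": verdict, "reason": reason,
            "src_ip": entry.get("src_ip", ""), "dst_ip": dst,
            "dst_port": entry.get("dst_port", ""),
            "in_interface": entry.get("in_interface", ""),
            "src_mac": entry.get("src_mac", "")}


def summarize(lines) -> dict:
    """Count verdicts over many raw lines, as you would over a log export."""
    return dict(Counter(triage(parse_sfos_log(line))["verdict"] for line in lines))


# The line posted in the thread, split only for readability.
PAGE_LOG = (
    'messageid="02002" log_type="Firewall" log_component="Appliance Access" '
    'log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" nat_rule_id="0" '
    'policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" '
    'appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" '
    'vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" '
    'in_interface="Port2.50" in_display_interface="Port2.50" out_interface="" '
    'out_display_interface="" src_mac="00:24:9b:54:ed:14" dst_mac="" src_ip="192.168.50.100" '
    'src_country="R1" dst_ip="192.168.50.255" dst_country="R1" protocol="UDP" src_port="137" '
    'dst_port="137" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" '
    'src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" '
    'src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" '
    'hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"'
)

# Constructed for contrast: an HTTPS connection denied by a user firewall rule.
# Addresses and rule id are invented; 203.0.113.0/24 is a documentation range.
CONSTRUCTED_WEB_DENY = (
    'log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" '
    'fw_rule_id="12" nat_rule_id="0" in_interface="Port2.50" out_interface="Port1" '
    'src_ip="192.168.50.101" dst_ip="203.0.113.10" protocol="TCP" src_port="51234" dst_port="443"'
)

if __name__ == "__main__":
    for raw in (PAGE_LOG, CONSTRUCTED_WEB_DENY):
        print(triage(parse_sfos_log(raw)))
    print(summarize([PAGE_LOG, CONSTRUCTED_WEB_DENY]))
```

    Run over a log export, `summarize` shows at a glance whether the denies for the affected laptop are broadcast noise like the posted line or real rule hits that name a firewall rule id worth reading.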

  • Good Morning Stefano,

    The NAT rule I wanted you to change TO MASQ (not from MASQ to Original, but Original to MASQ) is this one:

    I wasn't talking about your other NAT rule, which seems to be configured okay. For the above though, I'm fairly sure it will not work, and that all your DNS traffic goes through your rule #3 and NAT #7.

    That said, what I suggest is that you create an entirely new rule cloned from rule #3, or create a completely new one and link a new NAT (SNAT) policy to it, from your LAN/source network where your non-working laptop is to WAN: all services, no users/schedules/web/app policy attached to the rules, no decryption. Just a straight allow all, and you can filter the source IP for the non-working laptop IP (was 30.114 yesterday).

    You can also, for testing purposes, remove all the filtering features from your firewall rule #7 (so schedule, users, heartbeat, web, app, decryption, etc.) and test the laptop to see if it works. If it works, then there is something up with that config. If it doesn't, then I see one possibility:

    You have some kind of MAC filtering on your network. It could be on your Sophos, switches... Why I think it is a possibility is because you said that old laptops with a clean install work, and any new device doesn't. This suggests to me some kind of device filtering on the network, and logically, the MAC address doesn't change, so if an old laptop's MAC address is authorized, even after an OS reinstall it will still work.

    Let's try the above first - let me know how this goes.

  • So, we were able to identify that there is another router that also acts as NAT in front of the Sophos XG. The current config is double NAT, from what I could tell, and there is an issue with that box, not the Sophos. We've discussed changing the box mode to passthrough/bridge mode, or looking at the configuration to see if there is anything preventing unknown devices' traffic from passing.

    Please, let me know how this plays out.

    Kind Regards,

    Regis
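As an added check for the double-NAT finding above (example code, not from the thread or from Sophos), this script answers the question from the LAN side without logging in to the upstream box: it parses Linux traceroute or Windows tracert output and counts how many hops still sit in RFC 1918 or carrier-grade NAT space before the first public address. Hop 1 is the firewall's own LAN address; any further private hop is a router the already-private source must pass through before reaching a public host, so two or more such hops point at a second NAT layer. The firewall's own WAN address, if known, is the more direct test. The LAN 192.168.30.0/24, the upstream 192.168.1.1, and the traceroute outputs are all constructed for the example; 203.0.113.0/24 is a documentation range standing in for public addresses, which is why the classifier checks RFC 1918 and CGNAT ranges explicitly instead of using ipaddress.is_private.

```python
import ipaddress
import re

# Checked explicitly rather than via ipaddress.is_private, which also treats
# documentation ranges such as 203.0.113.0/24 (used below as "public") as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT space


def addr_class(ip: str) -> str:
    """'rfc1918', 'cgnat' or 'public' for an IPv4 address string."""
    a = ipaddress.ip_address(ip)
    if any(a in n for n in RFC1918):
        return "rfc1918"
    if a in CGNAT:
        return "cgnat"
    return "public"


def wan_behind_nat(fw_wan_ip: str) -> bool:
    """If the firewall's own WAN address is private or CGNAT, something upstream NATs it."""
    return addr_class(fw_wan_ip) != "public"


HOP_RE = re.compile(r"^\s*(\d+)\s")                  # hop number at line start
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # first dotted quad on the line


def parse_traceroute(text: str) -> list:
    """Return [(hop_number, ip_or_None)] from traceroute/tracert output; '* * *' gives None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner, blank or trailing lines
        ip = IPV4_RE.search(line)
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops


def diagnose(traceroute_text: str, fw_wan_ip: str = None) -> dict:
    """Estimate whether a second NAT sits between the firewall and the internet."""
    hops = parse_traceroute(traceroute_text)
    private_before_public = []
    first_public = None
    for _, ip in hops:
        if ip is None:
            continue  # no reply: tells us nothing about the address class
        if addr_class(ip) == "public":
            first_public = ip
            break
        private_before_public.append(ip)
    # Hop 1 is the firewall itself; each further private/CGNAT hop is another
    # router that has to translate the private source before it can reach first_public.
    suspected = len(private_before_public) >= 2
    if fw_wan_ip is not None:
        suspected = suspected or wan_behind_nat(fw_wan_ip)
    return {"hops": hops,
            "private_hops_before_public": private_before_public,
            "first_public_hop": first_public,
            "double_nat_suspected": suspected}


# Constructed sample: firewall LAN gateway at 192.168.30.1, an upstream router
# at 192.168.1.1 that also NATs, one silent hop, then the first public hop.
DOUBLE_NAT_TRACE = """\
traceroute to 203.0.113.5 (203.0.113.5), 30 hops max, 60 byte packets
 1  192.168.30.1  0.412 ms  0.380 ms  0.360 ms
 2  192.168.1.1  1.021 ms  0.980 ms  0.990 ms
 3  * * *
 4  203.0.113.5  12.310 ms  12.100 ms  12.050 ms
"""

# Constructed sample: the firewall's WAN side is directly on a public segment.
SINGLE_NAT_TRACE = """\
 1  192.168.30.1  0.402 ms  0.390 ms  0.370 ms
 2  203.0.113.1  8.110 ms  8.050 ms  8.020 ms
 3  203.0.113.5  12.310 ms  12.100 ms  12.050 ms
"""

if __name__ == "__main__":
    print(diagnose(DOUBLE_NAT_TRACE))
    print(diagnose(SINGLE_NAT_TRACE, fw_wan_ip="203.0.113.9"))
```

Run the traceroute from one of the affected laptops toward any public host and paste the output in; if the verdict is double NAT, the place to look for device-specific drops is the upstream router, as the thread concluded, and putting it in bridge mode removes the extra translation layer entirely.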