  • SSLVPN + WAF port sharing: you can share port 443 between the SSLVPN and the WAF, but not on the same protocol (UDP/TCP).

    From my experience on v18 MR5, you indeed can run both WAF and SSLVPN on TCP/443 - it all depends on the interface the WAF is located on.

    Currently all my WAFs are located on an internal (LAN) interface, while there are no WAF policies on my WAN interface - this allows me to run SSLVPN on TCP/443 on my WAN interface while maintaining all my internal WAF policies.

    I've also tried running WAF & SSLVPN on two WAN interfaces in a lab setup: I managed to host a WAF on my first interface and SSLVPN on the second one, both on TCP/443, without any issues.

    A reminder: if you ever create a WAF policy using HTTPS on TCP/443 and also use SSLVPN with TCP/443 on the same interface, all connections to TCP/443 over that interface will always reach the WAF first.


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • It's about the interface/IP. If you have an alias on your interface, you can also run WAF and SSLVPN TCP on the same port. If you have only one IP and one interface on WAN, you are likely to move to UDP+TCP.


  • Sorry, but I can't open a standard Sophos case because the firewall I currently use in production is on MR4. I had to roll back to the MR4 version.

    But I can offer someone more capable full access to my lab appliance with MR5, where the error is also visible. It is still pushing a route to the SSL VPN client that has been removed from Permitted network resources (IPv4), and another cannot be added...

  • FormerMember (in reply to Jaroslav Faldik)

    Hi,

    I'll be attempting to replicate the issue you reported and provide you with an update. 

    Thanks,

  • FormerMember (in reply to FormerMember)

    ,

    Could you please check the status of the service on your lab appliance running on MR5?

    Run the following command from the Advanced Shell:

    service -S | grep sslvpn

    Also, put the csc service into debug mode, add the new network under permitted networks and collect the csc logs.

    To put the csc service into debug mode, run:

    csc custom debug

    Note: run the same command again to take the service out of debug mode.

    Thanks,

  • Hi,

    OK, here is the output:

    XG210_WP03_SFOS 18.0.5 MR-5# service -S | grep sslvpn
    sslvpn RUNNING
    XG210_WP03_SFOS 18.0.5 MR-5# csc custom debug
    XG210_WP03_SFOS 18.0.5 MR-5# tail -f /log/csc.log
    DEBUG Apr 28 19:46:04 [listener:1399]: csc_waitpid: Process with pid 27400, wrapped-up successfully using signal 9.
    DEBUG Apr 28 19:46:04 [listener:1399]: Main TLV:{ 4, data:{ 1, 4, 0000} data:{ 2, 4, 86B00} data:{ 5, 4, 1000} , 27}
    DEBUG Apr 28 19:46:04 [listener:1399]: csc_socketpair called: biggest fd is 110
    DEBUG Apr 28 19:46:04 [listener:1399]: Realising worker 27402
    DEBUG Apr 28 19:46:12 [listener:1399]: ln_recvfrom: fd '110.TCP.UNIX.auxilary': 37 bytes are read by listener
    DEBUG Apr 28 19:46:12 [listener:1399]: register_request_unix: request from path ''
    INFO Apr 28 19:46:12 [listener:1399]: protocol content type not found
    INFO Apr 28 19:46:12 [listener:1399]: protocol length not found
    DEBUG Apr 28 19:46:12 [listener:1399]: stuff_of_listener: custom command debug found
    MESSAGE Apr 28 19:46:12 [listener:1399]: Toggling log level to: WARNING
    DEBUG Apr 28 19:46:27 [worker:27402]: read_packet: read() 52 bytes from listener
    MESSAGE Apr 28 19:46:27 [worker:27402]: Toggling log level to: WARNING
    MESSAGE Apr 28 19:46:27 [worker:27402]: {"request":{"method":"nopcode","name":"u2d_pt_installer","version":"1.2","type":"text","length":0}}
    MESSAGE Apr 28 19:46:28 [worker:27467]: {"request":{"method":"nopcode","name":"u2d_dr_installer","version":"1.2","type":"text","length":0}}
    MESSAGE Apr 28 19:46:43 [worker:27475]: {"request":{"method":"opcode","name":"apiInterface","version":"1.0","type":"json","length":481,"data":{"idletimeoutfullaccessconf":"1","___serverport":4444,"___component":"GUI","users":["test"],"transactionid":"1506","mode":202,"currentlyloggedinuserid":3,"users_cat":"users","APIVersion":"1800.2","selectedhosts_cat":"","___serverprotocol":"HTTP","name":"Test","id":"Test","___username":"admin","tunneltype":"1","accessmode":"1","selectedhosts":["#Port1","#Port3","#Port5","#Port6"],"___meta":{"sessionType":1},"___serverip":"91.201.33.94","currentlyloggedinuserip":"185.5.227.227"}}}
    DEBUG Apr 28 19:46:43 [worker:27388]: read_packet: read() 735 bytes from listener
    MESSAGE Apr 28 19:46:43 [worker:27388]: Toggling log level to: WARNING
    MESSAGE Apr 28 19:46:43 [worker:27388]: {"request":{"method":"opcode","name":"update_sslvpn_policy","version":"1.6","type":"json","length":683,"data":{ "APIVersion": "1800.2", "Event": "UPDATE", "tunneltype": "1", "idletimeoutfullaccessconf": "1", "Entity": "sslvpnpolicy", "name": "Test", "___component": "GUI", "accessmode": "1", "description": "", "id": "Test", "___serverprotocol": "HTTP", "___serverip": "91.201.33.94", "selectedhosts_cat": "", "___meta": { "sessionType": 1 }, "mode": 202, "selectedhosts": [ "#Port1", "#Port3", "#Port5", "#Port6" ], "currentlyloggedinuserip": "185.5.227.227", "currentlyloggedinuserid": 3, "idletimeoutfullaccessvalue": "null", "transactionid": "1506", "___username": "admin", "selectedhostsforipv6": "", "users": [ "test" ], "anyurlaccess": "0", "users_cat": "users", "___serverport": 4444 }}}
    DEBUG Apr 28 19:46:43 [fwm:1477]: read_packet: read() 80 bytes from listener
    MESSAGE Apr 28 19:46:43 [fwm:1477]: Toggling log level to: WARNING
    MESSAGE Apr 28 19:46:43 [fwm:1477]: {"fwm":{"method":"service","name":"fwm:manage_sslvpn_policy","version":"1.0","type":"json","length":28,"data":{"policyid":"1" , "opt":"a"}}}

    PAckage ::::vpn::sslvpnpolicy
    Readobject returning from function prepareOperationQuery,tempTypeQuery=hosttype in (?,?,?)

    Readobject returning from function prepareOperationQuery,tempTypeQuery=ipfamily = ?

    Readobject returning from function prepareOperationQuery,tempTypeQuery=usertype in (?)

    Readobject returning from function prepareOperationQuery,tempTypeQuery=usertype in (?,?,?,?)
    MESSAGE Apr 28 19:46:47 [worker:27520]: {"request":{"method":"nopcode","name":"quarantine_data_cleanup","version":"1.0","type":"json","length":15,"data":{"qur_res":"0"}}}
    MESSAGE Apr 28 19:46:47 [worker:27519]: {"request":{"method":"nopcode","name":"restart_dyndns_connections","version":"1.2","type":"text","length":0}}
    MESSAGE Apr 28 19:46:49 [worker:27530]: {"request":{"method":"nopcode","name":"smtp_quarantine_cleanup","version":"1.0","type":"text","length":0}}
    MESSAGE Apr 28 19:46:55 [worker:27535]: {"request":{"method":"opcode","name":"login_user","version":"1.0","type":"json","length":316,"data":{ "groupid":"Open Group","userid":"test","liveuserid":"1","ipaddress":"10.81.234.6","bwpolicyid":"","webfilterid":"Allow All","appfilterid":"Allow All","starttime":"272081","clienttype":"13","setname":"lusers","addr_family":"2","ismicroapp":"1","authservername":"","macaddress":"","logintime":"2021-04-28 19:46:55" }}}
    MESSAGE Apr 28 19:47:00 [worker:27547]: {"request":{"method":"nopcode","name":"garnerevent","version":"1.0","type":"text","length":2,"data":60}}
    MESSAGE Apr 28 19:47:03 [worker:27602]: {"request":{"method":"nopcode","name":"auth_execute_heartbeat","version":"1.0","type":"text","length":0}}
    MESSAGE Apr 28 19:47:04 [worker:27606]: {"request":{"method":"nopcode","name":"auth_edir_sync","version":"1.0","type":"text","length":0}}

    ^C
    XG210_WP03_SFOS 18.0.5 MR-5#

    Here are print screens from SSL VPN (remote access) and OpenVPN Client log.

    #Port1 - 172.16.16.16/24 (by default)
    #Port2 - WAN (by default)
    #Port3 - 192.168.3.1/24
    #Port4 - 192.168.4.1/24
    #Port5 - 192.168.5.1/24
    #Port6 - 192.168.6.1/24

    In the OpenVPN client, the routes for #Port5 and #Port6 are missing, and in addition there is a route for #Port4.

  • This is an invalid config. #Port does not mean the network of this port. Instead it's the port itself. Hence everything works fine.


  • Hi LuCar Toni,

    sorry, I don't share your opinion. Mask /32 or not, it doesn't matter. Here is the same output (OpenVPN client) for "standard" /24 networks:

    But MR4 with #Ports in Permitted network resources (IPv4) operates normally.

    EDIT: Yes, now I understand what you meant...

    Fixed masks:
    #Port1 - 172.16.16.16/32 (by default)
    #Port2 - WAN (by default)
    #Port3 - 192.168.3.1/32
    #Port4 - 192.168.4.1/32
    #Port5 - 192.168.5.1/32
    #Port6 - 192.168.6.1/32
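    The two posts above disagree about what a "#PortN" object in Permitted network resources should push to the client: the interface's own address as a /32 host, not the subnet behind it. The following script is an added example (not code from the thread or from Sophos) that makes that check mechanical: it pulls the selectedhosts list out of a csc.log update_sslvpn_policy line, resolves each #Port object to a /32 host route using a constructed interface table (addresses taken from the poster's list), and diffs that against the routes the OpenVPN client actually received. The log line and the observed route list are constructed to reproduce the symptom described above (#Port5 and #Port6 missing, #Port4 present); the helper names are my own.

```python
import ipaddress
import json
import re

# Constructed interface table, using the addresses the poster listed.
# Per the thread, a "#PortN" object in Permitted network resources is the
# interface's own address (a /32 host), not the attached subnet.
INTERFACES = {
    "#Port1": "172.16.16.16",
    "#Port3": "192.168.3.1",
    "#Port4": "192.168.4.1",
    "#Port5": "192.168.5.1",
    "#Port6": "192.168.6.1",
}

# Constructed csc.log line in the same shape as the thread's
# update_sslvpn_policy message, trimmed to the fields this example needs.
SAMPLE_LOG_LINE = (
    'MESSAGE Apr 28 19:46:43 [worker:27388]: {"request":{"method":"opcode",'
    '"name":"update_sslvpn_policy","version":"1.6","type":"json","length":683,'
    '"data":{"Entity":"sslvpnpolicy","name":"Test","selectedhosts":'
    '["#Port1","#Port3","#Port5","#Port6"],"selectedhostsforipv6":""}}}'
)

# Constructed view of what the OpenVPN client received, reproducing the
# reported symptom: Port5/Port6 missing, Port4 unexpectedly present.
OBSERVED_CLIENT_ROUTES = ["172.16.16.16/32", "192.168.3.1/32", "192.168.4.1/32"]

# csc.log layout: LEVEL Mon DD HH:MM:SS [source:pid]: <JSON payload>
LOG_RE = re.compile(r"^(\w+) (\w{3} \d+ \d\d:\d\d:\d\d) \[([^\]]+)\]: (\{.*\})$")


def parse_csc_line(line):
    """Split a csc.log line into level, timestamp, source and its JSON payload.

    Returns None for lines that carry no JSON body (debug chatter, read_packet, ...).
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    level, ts, src, body = m.groups()
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None
    return {"level": level, "ts": ts, "src": src, "payload": payload}


def policy_selected_hosts(line):
    """Return the selectedhosts list of an update_sslvpn_policy request, else None."""
    rec = parse_csc_line(line)
    if rec is None:
        return None
    req = rec["payload"].get("request", {})
    if req.get("name") != "update_sslvpn_policy":
        return None
    return list(req.get("data", {}).get("selectedhosts", []))


def expected_routes(selected_hosts, interfaces=INTERFACES):
    """Routes the policy should push: one /32 per #Port object, networks as given."""
    routes = set()
    for obj in selected_hosts:
        if obj.startswith("#"):
            addr = interfaces.get(obj)
            if addr is None:
                raise KeyError(f"unknown interface object {obj}")
            routes.add(ipaddress.ip_network(f"{addr}/32"))
        else:
            routes.add(ipaddress.ip_network(obj, strict=False))
    return routes


def diff_routes(expected, observed):
    """Compare expected against observed client routes -> (missing, unexpected)."""
    observed_nets = {ipaddress.ip_network(r, strict=False) for r in observed}
    missing = sorted(str(n) for n in expected - observed_nets)
    unexpected = sorted(str(n) for n in observed_nets - expected)
    return missing, unexpected


if __name__ == "__main__":
    hosts = policy_selected_hosts(SAMPLE_LOG_LINE)
    missing, unexpected = diff_routes(expected_routes(hosts), OBSERVED_CLIENT_ROUTES)
    print("policy hosts :", hosts)
    print("missing      :", missing)
    print("unexpected   :", unexpected)
```

    Feed it real lines from `tail -f /log/csc.log` and the route table from the OpenVPN client log (after replacing the constructed interface table with your own interface addresses); an empty missing/unexpected pair means the pushed routes match the policy, and anything else is the mismatch worth putting in a support case.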

  • This is fixed in the re-release of MR5. There will be a new build available on the portal.


  • Re-release of MR5 with a new build number.

    You can upgrade from MR5 to MR5, if you want. Keep in mind that it will replace the inactive firmware slot, so it might overwrite your old MR4 (or older) slot.

    https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-xg-firewall-v18-mr5--build-586-is-now-available
