
Digital Photo Frame Port 443

Hello All,

I recently received a digital photo frame as a gift and decided to put it online behind my Sophos firewall. I'm running Sophos at my house and so far everything is working with no issues. I'm running Sophos version SFVH (SFOS 18.0.5 MR-5-Build586).

The issue I am experiencing is that the digital frame is sending packets out but I see no return traffic in my packet captures. At first I was receiving "could not associate packet to any connection" logs, which showed traffic being dropped via rule=0.

So I placed essentially an any/any rule for testing purposes. The error went away; however, I'm still only seeing outbound connections and no return traffic.

Before I put in the any/any rule I would see some RST packets, but I checked the logs for the web filter and application filter and nothing was found.

This appears to be an issue with my Sophos firewall. If I put the traffic behind my Palo Alto 220 I do not experience this issue. If I put it behind my CheckPoint, it works as it should. Of course, if I put it on a standard wireless connection not behind a firewall it works as well.

The weird thing is I have put this traffic in bypass mode and I'm still not able to get it working.

Bypass Stateful Firewall
------------------------
Source        Genmask          Destination   Genmask
172.24.50.75  255.255.255.255  0.0.0.0       0.0.0.0
0.0.0.0       0.0.0.0          172.24.50.75  255.255.255.255

This is not a huge issue as I have several workarounds, but the firewall engineer in me wants to figure this out.

Thanks for all responses.
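Added example, not code from the thread or from Sophos: a small Python model of how the bypass table's address/genmask pairs are assumed to match packets (the two rows from the post above, with 0.0.0.0/0.0.0.0 treated as "any"), plus a check over a constructed capture that lists the frame's connections that only ever show outbound packets, which is the symptom described. The matching semantics and the capture are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict


def in_genmask(addr: str, base: str, genmask: str) -> bool:
    """True when addr matches base under genmask.

    Assumed semantics: compare addr and base after ANDing both with the
    genmask, so 0.0.0.0 with genmask 0.0.0.0 matches any address and a
    255.255.255.255 genmask requires an exact host match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    m = int(ipaddress.IPv4Address(genmask))
    return (a & m) == (b & m)


def bypass_applies(entries, src: str, dst: str) -> bool:
    """entries: (source, source_genmask, destination, destination_genmask)."""
    return any(in_genmask(src, s, sm) and in_genmask(dst, d, dm)
               for s, sm, d, dm in entries)


def unanswered_connections(packets, host: str):
    """Key packets by (peer, peer_port, host_port) from host's point of view
    and return the keys that saw outbound packets but never a reply."""
    seen = defaultdict(lambda: {"out": 0, "in": 0})
    for src, sport, dst, dport in packets:
        if src == host:
            seen[(dst, dport, sport)]["out"] += 1
        elif dst == host:
            seen[(src, sport, dport)]["in"] += 1
    return sorted(k for k, c in seen.items() if c["out"] and not c["in"])


# Constructed data: the two bypass rows from the post and a tiny capture.
FRAME = "172.24.50.75"
BYPASS = [
    (FRAME, "255.255.255.255", "0.0.0.0", "0.0.0.0"),
    ("0.0.0.0", "0.0.0.0", FRAME, "255.255.255.255"),
]
CAPTURE = [  # (src, sport, dst, dport); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    (FRAME, 50123, "203.0.113.10", 443),
    (FRAME, 50123, "203.0.113.10", 443),   # retransmitted SYN, nothing comes back
    (FRAME, 50124, "198.51.100.20", 443),
    ("198.51.100.20", 443, FRAME, 50124),  # this connection did get a reply
]

if __name__ == "__main__":
    print("bypass covers frame -> internet:", bypass_applies(BYPASS, FRAME, "203.0.113.10"))
    print("connections with no reply:", unanswered_connections(CAPTURE, FRAME))
```

The bypass entries only describe which packets skip stateful inspection; they say nothing about why a reply never arrives, so the second function is the check worth running over a real capture.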

  • Hi,

    Where is it trying to send the traffic to? The data you have posted is broadcast traffic, which is blocked by the firewall.

    Ian

  • My apologies. I was trying to show my bypass firewall rule. I have the source as the digital frame host and the destination as 0.0.0.0. If I am trying to bypass all traffic from the digital photo frame, how should I implement the bypass rule? Should the destination be 0.0.0.0, or must it be specific hosts and/or networks on the internet?

  • Hi,

    I am failing to understand why you would want your digital frame to broadcast to the internet.

    The firewall rule would be: Source LAN, Network digital frame address; Destination WAN, Network ANY; Service all.

    Ian

  • How do I properly implement, via the CLI, a firewall bypass for the IP address of the digital frame to anywhere on the internet? The issue is that somewhere Sophos is dropping this traffic.

  • You don't need to do it via the CLI, just use the firewall rule I suggested except change the service to HTTPS. The firewall will block broadcast addresses.

    Please explain your requirement to broadcast to the internet so the forum users can provide further advice.

    Ian

  • I'm not trying to broadcast to the internet. When I created the firewall bypass rule I only used the source IP address of the digital frame. When I did that, Sophos automatically put 0.0.0.0 as the destination. I was assuming that maybe that is Sophos's way of saying the destination is "ANY".

    I created a separate firewall rule specifically for this traffic and I can see the data going out the firewall, but I am not getting any return traffic. Sophos is dropping the packets; I just can't figure out why.

    Again, thanks for all responses. 

  • Where do you expect to see the return traffic come from? 
    I must be missing something about your network setup that requires the photo frame traffic to be passed by the XG?

    Ian

  • The return traffic should be coming from the server that the digital frame is connected to. This is how you upload photos to the frame: the frame retrieves them from the server.

    This process is actively working on every network that isn't protected by Sophos. 

    I can provide packet captures if needed.

  • What you are advising is that there are additional ports that are not recognised by the XG as part of the transaction the frame has with the server. So if you use logviewer filtered to the IP address of your frame, what traffic do you see passing or trying to pass through the XG?

    Ian

  • I have a rule specifically for this traffic that is basically an ANY ANY ALLOW firewall rule. I'm doing this for testing purposes. I have included my pcaps for reference. I'm not seeing any two-way traffic when this data flow traverses the Sophos firewall. I want to put the firewall in bypass mode for all traffic coming from and/or going to the host.

    I implemented the following command but it defaulted the destination to 0.0.0.0. 

    console> set advanced-firewall bypass-stateful-firewall-config add source_host 1.1.1.1

  • Hi,

    You advised that the frame has access when using other firewall products but not Sophos, so that would imply the frame is using some other protocol like UPnP to pass traffic, or maybe TLS 1.3 is fixed/not negotiable with the site.

    Ian 

  • I do not disagree with your assessment. However, I thought putting the IP in firewall-bypass-mode would basically allow everything for that IP. 

    Also the logs aren't really showing me anything that would help me track down the issue. 

    Are there any additional CLI commands that may reveal what is happening here?

    Again, thanks for all responses. 

  • Hi,

    There is something wrong with a configuration somewhere. If you have Source LAN, Network your LAN network; Destination WAN, Network ANY; allow all services, then you should be seeing all traffic in the logviewer. Also, I would suggest you use web "allow all" and enable "use proxy" in lieu of DPI, and then in application "allow all"; that will assist with debugging your traffic.

    You will note I have advised using your LAN network instead of your frame IP; this is because I have some devices that will work correctly when their IP address is used as a source network, so I create a clientless user and then allow the user.

    Ian