Network objects seem to be ignored by firewall and NAT rules.

We have created a network object for our internal IP Phones controller and a service group for SIP 5060 UDP/TCP.

We have a fw rule, LAN/IP Phones Controller - WAN/External SIP Hosts/SIP Services. This rule is at the top of the list.

We have an SNAT for outbound to the external SIP Hosts for an alias on the WAN interface.

The rules are never triggered, although PCAP and tcpdump show the traffic coming from the correct source and going to the correct destination/port. PCAP shows fw rule 0 and NAT rule 0.

Does anyone have any idea as to why the rule is not triggering? Even if we create an Any/Any/Any rule at the top of the rule list, still the rule is never triggered by this host or port.

All other traffic is flowing as expected.

Thanks for any suggestions.

Neil.

  • are you able to see the connection with conntrack?

    conntrack -E | grep "port=5060"

    What exactly do you mean by "triggered"? No logs? Byte count of that rule not increasing?

  • The byte count never increases.

    The log viewer never shows traffic.

    I have to use tcpdump or pcap to see any traffic at all from the internal host.

    I won't be able to get any further info for a while as the customer has removed it from the network and gone back to the original SG.

    Strangely, if I add ICMP to the rule, I can ping external resources no problem and the byte count increases and log viewer shows the traffic processed by the correct rule.

  • FormerMember (in reply to Neil_Evolve):

    Hi ,

    By any chance, if you've web admin access then please share firewall rule/NAT rule config snapshots here or in PM, or maybe you can share it next time when the customer connects XG back to the network.

  • Also, please restart a phone and see if you will see something in the logs for that phone when it restarts.

    If these are existing connections, you will not see a new line in the logviewer.

    But you can verify with the conntrack as mentioned. You will see a fwid with the ID of the Rule there.

    The byte count will not increase if the networks are not routed by XG, e.g. by another firewall or L3 core switch.

  • The phones themselves don't go external, they are routed via an on-prem IP phone system. Only the single controller goes external.

    I should be able to gather more data in a couple of weeks, but for now the XG is offline.

    As I said previously, even creating an Any/Any/Any rule fails to allow traffic for port 5060. All other traffic from all internal hosts works. It is only UDP/TCP 5060 that is not going external.

    This is a migration using the migration tool to export and import the SG/XG config; perhaps something got screwed up along the way? Strange that only port 5060 should be affected.

  • OK, I got your point. I believed until now the traffic was working but you didn't see the rule getting hit that allowed it.

    So the controller will not go outside to PBX or is it the phones not reaching their internal phone controller?

    Maybe the SIP support was enabled on the console and the packets are being consumed by the XG, but AFAIK this is disabled by default. The other thing is, the traffic was denied due to some violation, but this can be easily seen in a packet capture on the web admin.

    Hope you will figure it out the next time you work on that project.

  • Thanks to everyone for their input.

    It turned out to be a static route on the switch that routed all outbound SIP traffic to the internal address of the old firewall. I hadn't noticed, but we were seeing inbound traffic only.
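The root cause above (the firewall saw inbound SIP only, because a switch route sent the outbound leg elsewhere) is what a one-directional flow in a capture looks like. The following added example, not code from the thread or from Sophos, parses tcpdump-style lines and flags 4-tuples whose reverse direction never appears; the capture lines, the controller address 10.0.0.50 and the external host 203.0.113.10 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style sample (not a real capture). 10.0.0.50 stands in for the
# internal SIP controller, 203.0.113.10 for an external SIP host. Only the inbound
# direction exists for port 5060; ICMP and a TCP/443 session are seen both ways.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 203.0.113.10.5060 > 10.0.0.50.5060: SIP: OPTIONS sip:10.0.0.50 SIP/2.0
12:00:01.100001 IP 203.0.113.10.5060 > 10.0.0.50.5060: SIP: INVITE sip:100@10.0.0.50 SIP/2.0
12:00:02.000001 IP 10.0.0.50 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:02.000501 IP 8.8.8.8 > 10.0.0.50: ICMP echo reply, id 1, seq 1, length 64
12:00:03.000001 IP 10.0.0.50.44123 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
12:00:03.020001 IP 198.51.100.7.443 > 10.0.0.50.44123: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# tcpdump prints "host.port" for TCP/UDP and bare "host" for ICMP; the port is optional.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:"
)

def parse_flows(text):
    """Return {(src, sport, dst, dport): packet_count} for every line that parses."""
    flows = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows[(m["src"], m["sport"], m["dst"], m["dport"])] += 1
    return dict(flows)

def one_way_flows(flows):
    """4-tuples whose reverse direction never appears: the signature of asymmetric routing."""
    return sorted(k for k in flows if (k[2], k[3], k[0], k[1]) not in flows)

def sip_seen_outbound(flows, internal_host, port="5060"):
    """True if any packet left internal_host towards the given destination port."""
    return any(src == internal_host and dport == port for (src, _, _, dport) in flows)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_TCPDUMP)
    for src, sport, dst, dport in one_way_flows(flows):
        print(f"one-way only: {src}:{sport} -> {dst}:{dport} ({flows[(src, sport, dst, dport)]} pkts)")
    print("outbound SIP from controller seen:", sip_seen_outbound(flows, "10.0.0.50"))
```

Run against a real capture with `tcpdump -nn -i <iface> port 5060 | python3 script.py` after swapping SAMPLE_TCPDUMP for stdin; a 5060 flow listed as one-way while other flows are symmetric points at routing, not at the rule set.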