
How do the firewall rules work?

I'm evaluating Sophos XG Home and I can't understand how packets go through the rules.

In a fresh install (18.5.2) I added a few custom rules:

- first with source: LAN / networks - Any / Schedule - All the time, and destination: WAN / networks - *.DOMAIN_NAME / services - Any; everything else (web filtering, app control) disabled

- second with source LAN / Any / All the time, and destination WAN / Any / Any, with the settings "Match known users" and "Use web auth for unknown users"

To my understanding, all traffic going to www.DOMAIN_NAME should be allowed by the first rule and everything else should be caught by the second rule and allowed after successful authentication by the user - am I wrong? Because it is not working like that....

Looking at the log I see that traffic to www.DOMAIN_NAME is caught by the second rule even though I'm not logged in, and some packets are denied and a few seconds later allowed.. :(

Am I making a mistake in the configuration, or do I not understand how it works?

Greetings



  • Hi Anton,

    What is the order of the rules? They are processed from the top down. Using "match known users" requires you to create users. When trying out rules it is best to leave the user security checking alone until you are happy with the process.

    Are you using linked NAT rules? That will cause some confusion for a beginner as well.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    This is my expectation: that they are processed from the top according to the number in the first column (#) and not according to the ID column, where for example #Default_Network_Policy has #5, which is lower than the numbers of the custom policies I created myself.

    I have user accounts with a proper time schedule and so on - this part works like a charm, but what I want to achieve is that some pages/services are reachable all the time without authentication.

    I don't use NAT rules - I was even wondering if it is a problem that I have none of them....

  • Hi,

    Unless you have routable IP address ranges internally, you need at least one default masq NAT rule, which will basically provide access for all rules.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • How/where did you enter *.DOMAIN_NAME? I'm wondering if someplace allowed you to enter it but doesn't see it as a wildcard. Was this in the FQDN tab?

  • Yes, in the FQDN tab, but DOMAIN_NAME is a generic name - I have a few of them, for example *.i3d.net

    In this case something is strange, because the blocked IP (213.163.93.109) is resolved by nslookup as hosted-by.i3d.net, but if you try to ping it you get unknown host :(
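The following is an added example, not code from the thread or from Sophos: a simplified first-match model of the rule ordering discussed above, where a wildcard FQDN object is assumed (simplification) to match only IPs the firewall has learned from forward DNS answers for names under that domain, so an IP whose reverse record is hosted-by.i3d.net but that no forward lookup returned falls through to the user-matching rule. Rule numbers, the constructed DNS table and the 198.51.100.x addresses are assumptions.

```python
from fnmatch import fnmatch

# Constructed table of forward DNS answers the firewall has observed
# (name -> IPs). Documentation-style IPs, not real hosts.
OBSERVED_DNS = {
    "www.i3d.net": {"198.51.100.10"},
    "cdn.i3d.net": {"198.51.100.11"},
}

# Assumed rule table, top-down order as in the thread: rule #7 allows
# *.i3d.net with no user matching, rule #9 allows anything for known users.
RULES = [
    {"num": 7, "dst": "*.i3d.net", "needs_user": False},
    {"num": 9, "dst": "any", "needs_user": True},
]


def fqdn_members(pattern):
    """IPs currently associated with a wildcard FQDN object such as '*.i3d.net'."""
    ips = set()
    for name, addrs in OBSERVED_DNS.items():
        if fnmatch(name, pattern):
            ips |= addrs
    return ips


def learn_dns(name, ip):
    """Record a forward DNS answer the firewall has seen; FQDN objects pick it up."""
    OBSERVED_DNS.setdefault(name, set()).add(ip)


def match_rule(dst_ip, user_authenticated):
    """Return (rule number, outcome) for the first rule whose criteria match."""
    for rule in RULES:
        if rule["dst"] != "any" and dst_ip not in fqdn_members(rule["dst"]):
            continue  # destination not in this rule's FQDN object, try next rule
        if rule["needs_user"] and not user_authenticated:
            return rule["num"], "denied (web auth required)"
        return rule["num"], "allowed"
    return None, "dropped (no rule matched)"


if __name__ == "__main__":
    # 213.163.93.109 was never returned by a forward lookup, so rule #7 skips it.
    print(match_rule("213.163.93.109", user_authenticated=False))
    learn_dns("game01.i3d.net", "213.163.93.109")  # a forward answer is seen
    print(match_rule("213.163.93.109", user_authenticated=False))
```

A reverse lookup (nslookup on the IP) does not populate the FQDN object in this model; only forward answers for a name under the wildcard do, which is the mismatch the log lines in the thread suggest.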

  • Is the one created by default - #NAT_Default_Network_Policy - enough, or do I need to create one for every custom policy of mine?

  • Hi,

    For what you are testing the default is good.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • What you're describing seems correct. So somehow you may be thinking you've done something that you haven't. Could you provide screen captures to show your firewall rules, the FQDN, etc? Obviously black out if any serial numbers or other sensitive information appear -- or crop the capture down.

  • OK, let's see:

    1. one of the default FQDN hosts:

    2. it is used in this rule (no user matching and other stuff) - 2nd from the bottom:

    3. rules order - rule #9 has user matching enabled:

    4. results from LogViewer - this address 34.*.*.123 is a host from the googleusercontent.com domain - it should be caught by rule #7 but is omitted, and then first denied and later allowed by rule #9...

  • another example:

    1. custom domain

    2. included in rule #7:

    3. notification from LogViewer - this IP is a host from 1e100.net domain: