This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How the firewalls rules works ?

I'm evaluating Sophos XG Home and I can't understand how the packets are going through the rules

In fresh install (18.5.2) I added few custom rules:

- first with source : LAN / networks - Any / Schedule - Al the time, and destination : WAN / networks - *.DOMAIN_NAME / services - Any, everything else (web filtering, app control ) disabled

- second with source LAN / Any / All the time , and destination WAN / Any / Any with settings "Match known users" and "Use web auth for unknown users"

For my understanding all the traffic going to www.DOMAIN_NAME should be allowed by the first rule and any other should be catched by second rule and allowed after successful authentication by the user - I'm wrong ? Because it is not working like that ....

Looking at log I see that traffic to www.DOMAIN_NAME is catched by second rule and even I'm not looged in and some packets are denied and few seconds later allowed .. :(

I'm making mistake in configuration or don't understand how it works ?

Greetings

This thread was automatically locked due to age.

0 rfcat_vk over 3 years ago

Hi Anton,

what is the order of the rules, they are processed from top down? Using the match known users requires you to create users. When trying out rules it is best to leave the user security checking alone until you are happy with the process.

Are you using linked NAT rules, that will cause some confusion for a beginner as well?

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Anton Szuk over 3 years ago in reply to rfcat_vk

Hi,

this is my expectation that they are processed from top according to the number in the first column ( # ) and not according to the column ID where for example #Default_Network_Policy has #5 which is lower than numbers for custom policies created by myself

I have the users account with proper time schedule and so on - this part works like a charm but what I want to achieve is that some pages/services are reachable all the time without authentication

I dont use NAT rules - I was even wondering if this is a problem that I have none of them ....
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 3 years ago in reply to Anton Szuk

Hi,

unless you have routable IP address ranges internally, you need at least one default masq nat rule that will basically provide access for all rules.

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Wayne Folta over 3 years ago

How/where did you enter *.DOMAIN_NAME? I'm wondering if someplace allowed you to enter it but doesn't see it as a wildcard. Was this. in the FQDN tab?
Cancel
Vote Up 0 Vote Down

Cancel
0 Anton Szuk over 3 years ago in reply to Wayne Folta

Yes, in the FQDN tab but DOMAIN_NAME is a generic name - I have few of them for example *.i3d.net

in this case is something strange because blocked IP (213.163.93.109) is solved by nslookup as hosted-by.i3d.net but if you try to ping it you get unknown host :(
Cancel
Vote Up 0 Vote Down

Cancel
0 Anton Szuk over 3 years ago in reply to rfcat_vk

this one created by default - #NAT_Default_Network_Policy is enough ? or I need to created one for my every custom policy ?
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 3 years ago in reply to Anton Szuk

Hi,

for what you testing the default is good

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Wayne Folta over 3 years ago

What you're describing seems correct. So somehow you may be thinking you've done something that you haven't. Could you provide screen captures to show your firewall rules, the FQDN, etc? Obviously black out if any serial numbers or other sensitive information appear -- or crop the capture down.
Cancel
Vote Up 0 Vote Down

Cancel
0 Anton Szuk over 3 years ago in reply to Wayne Folta

ok, lets see:

1. one of the default fqdn hosts:

2. it is used in this rule (no user matching and other stuff) - 2nd from the bottom:

3. rules order - rule #9 has user matching enabled:

4. results from LogViewer - this address 34.*.*.123 is a host from googleusercontent.com domain - should be catched by rule #7 but is omitted and then first denied and later allowed by rule #9 ...
Cancel
Vote Up 0 Vote Down

Cancel
0 Anton Szuk over 3 years ago in reply to Wayne Folta

another example:

1. custom domain

2. included in rule #7:

3. notification from LogViewer - this IP is a host from 1e100.net domain:
Cancel
Vote Up 0 Vote Down

Cancel