Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 521 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Very Strange Routing / NAT Behavior of XG 550 18.5 MR-3

BeEf

Hello,

we notice very strange behaviour of our Firewall.

When connecting a Device on the network we see that we can ping devices in directly on the firewall attached devices without any issues. For the internet and networks that are connected indirectly (2 or more stage routing) we see that it takes 1-3 minutes until packets are going through. The drppkt shows that the packets are dropped on the firewall. 

The packets are hitting the internal interface of the firewall but for these 1-3 minutes they are not routed to the other site / into the other network.



(left: Internet; middle: ip of the firewall; right: indirect connected network)

With drppkt I can see packets that are dropped on the firewall e.g. to 8.8.8.8


2022-04-13 13:38:40 0110021 IP 10.22.208.129. > 8.8.8.8. :proto ICMP: echo request seq 9743
0x0000: 4500 003c 9f49 0000 7e01 b2d0 0a16 d081 E..<.I..~.......
0x0010: 0808 0808 0800 274b 0002 260f 6162 6364 ......'K..&.abcd
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 7374 efghijklmnopqrst
0x0030: 7576 7761 6263 6465 6667 6869 uvwabcdefghi
Date=2022-04-13 Time=13:38:40 log_id=0110021 log_type=Firewall log_component=Identity log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=LAG02.120 out_dev=LAG01.4001 inzone_id=1 outzone_id=2 source_mac=70:10:6f:25:23:00 dest_mac=c8:4f:86:fc:00:0b bridge_name= l3_protocol=IPv4 source_ip=x.x.x.x dest_ip=8.8.8.8 l4_protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=43 policytype=1 live_userid=0 userid=65535 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=1 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=2 connid=2634883520 masterid=0 status=256 state=0, flag0=18017422168555528 flags1=8796629893120 pbdid_dir0=5 pbrid_dir1=0

We have 2 LAG. One of them connects DMZ and WAN of 2 Provides (several networks with public IP addresses).



The second connects the corporate network on the central site and and via MPLS other sites. There are also IPSec VPNs and Remote Dial-Ins.





Regards,
BeEf



This thread was automatically locked due to age.
  • 0

    Do you use STAS? Then deactivate the STAS Quarantine. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Hello LuCar Toni,

    thanks. Deactivating this helped.

    Yes, indeed we are using STAS. I disabled the STAS Quarantine and this looks better now. When has this been introdurced? I can not remember that it was there when we configured STAS 1-2 years ago (maybe I am wrong). I am also not sure what actually triggered the change in behaviour 1-2 Months ago. One of the latest updates (18.0 MR-4 -> 18.5 MR-2 -> 18.5 MR-3)?

    So the default behaviour of this would be to block connection to the internet and routing on the firewall as long as the user is not verified or the timeout of quarantine (default is 120s) is not reached?

    So we definitely have an user detection issue which sometimes works and sometimes not (even with the same user). Looking into the logs we see that sometimes an log entry has an user and sometimes not.

    We also use Sophos Endpoint Protection which should also provide the logged in user to the firewall. What are the priorities if you are using both (although the results should be the same except maybe in a terminalserver environment or a server wher multiple users are logging in).

    Regards,
    BeEf

  • 0 in reply to BeEf

    Essentially this feature should be enabled per default for years but most likely recommended to be turned off.

    Our STAS best Practice Guide recommends to turn it off: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125318/sophos-xg-firewall-best-practice-for-stas

    Note: Details about "Restrict client traffic during identity probe" can be found in section "Drop timeout in Learning Mode" of Sophos KBA https://support.sophos.com/support/s/article/KB-000035730

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

     Worked without quarantine timeout.

    However users are changing between LAN and WLAN frequently. Some of them are even connected to both networks which usually mean they are using LAN.

    In this case the user can not be identified securely on both connection as no Kerberos reauthentication is needed when changing the networks ?!

    So there would be no way to use userbased policies in this case (only one IP is identified)?

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?