Source Countries are not reported, displaying "Reserved" only

Hi.

I'm using the most recent version of Sophos XG Firewall in a virtual Proxmox environment. I'm using it as my internet gateway / router. Therefore I have NAT enabled using the default firewall rule with a linked SNAT rule (MASQ).

I enabled DPI and pretty much like the reports :-). But there is one issue: The source countries are not reported properly:

Furthermore, source and destination zones report the exact same traffic:

I suspect that this is some issue or misconfiguration with DPI and NAT.

How can I resolve that?

Best

Thomas



This thread was automatically locked due to age.
  • Thanks Vitek.

    I already did this, allowing some protocols from Switzerland only:

    Let's Encrypt (80 for HTTP challenge) for instance has to remain accessible from everywhere. These rules work as expected. Also, Rule #5 shows the correct traffic counters: Much more ingress than egress. So from a firewall perspective, everything works as expected. But the Source Countries are not resolved.

Children
  • Any source using an internal address in the 10, 172.16 or 192.168 ranges will always show as Reserved. If you are using IPv6, all addresses are shown as Reserved. You would have to be using the whole Swiss allocated IP address ranges, which does not make sense; also, you are only authorising Swiss addresses, which are not the same as your normal internal address ranges. Further, your firewall is not very secure with the Any zone as source.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
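    To make the point above concrete, here is a small added example (not code from the thread or from Sophos) that classifies flow source addresses the way a geolocation lookup would: anything outside the IANA global ranges (RFC 1918, loopback, link-local, CGNAT 100.64/10, documentation nets) cannot be resolved to a country and comes back as "Reserved". The sample flow list is constructed, and the `ipv6_always_reserved` switch only mirrors the observation in the post that XG shows all IPv6 as Reserved; it is an assumption about the product, not a property of the addresses.

```python
import ipaddress
from collections import Counter
from typing import List, Optional, Tuple

# Constructed flow records, NOT real XG log output: (source, destination)
# as a reporting engine would see them after NAT has rewritten the packet.
SAMPLE_FLOWS: List[Tuple[str, str]] = [
    ("192.168.10.20", "8.8.8.8"),          # LAN host going out: source is RFC 1918
    ("8.8.8.8", "192.168.10.20"),          # reply direction: only the peer is public
    ("10.0.0.5", "1.1.1.1"),               # another LAN host going out
    ("2a00:1450:4001::1", "192.168.10.20"),# IPv6 peer (constructed address)
    ("1.1.1.1", "192.168.10.5"),           # inbound hit on a port-forward
    ("172.16.5.4", "9.9.9.9"),             # LAN host in the 172.16/12 range
]


def classify(addr: str, ipv6_always_reserved: bool = True) -> str:
    """Return 'Public' if a GeoIP lookup could resolve this address to a
    country, otherwise 'Reserved'.

    Non-global ranges are taken from the ipaddress module, which encodes the
    IANA special-purpose registries (RFC 1918, loopback, link-local, 100.64/10,
    documentation and benchmarking nets, ...).  ipv6_always_reserved is an
    assumption mirroring the thread's observation about XG, not an IANA rule.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ipv6_always_reserved:
        return "Reserved"
    return "Public" if ip.is_global else "Reserved"


def resolvable_side(src: str, dst: str) -> Optional[str]:
    """Which end of a flow a country report could actually name.

    For masqueraded LAN traffic the source is private, so only the
    destination carries a resolvable country; a 'Source Countries' report
    therefore shows Reserved for every outbound flow.
    """
    if classify(src) == "Public":
        return "src"
    if classify(dst) == "Public":
        return "dst"
    return None


def flow_summary(flows: List[Tuple[str, str]]) -> Counter:
    """Count flows by how their *source* address would be reported."""
    return Counter(classify(src) for src, _ in flows)


if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>20} -> {dst:<16} source={classify(src):8} "
              f"resolvable_side={resolvable_side(src, dst)}")
    print(dict(flow_summary(SAMPLE_FLOWS)))
```

    Run as-is it prints one line per constructed flow; the summary shows that every outbound flow from a private LAN address lands in the Reserved bucket, which is exactly what a source-country report over NATed traffic will display regardless of how the firewall rules are written.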

  • Hi ian.

    I understand, but the source I'm talking about is the global internet: the local host requests a website, the website responds. All of this is NATed / masqueraded, a pretty default setup. But I'm not able to see where the Source Country traffic is originating, and I'm not able to distinguish source and destination zones.

  • Just to confuse things XG reverses source and destination addresses.

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • I also suspect you have tried to put too much into one rule when two or more would help with debug and reporting.

    Reading your rules, I am having trouble understanding what you are trying to achieve.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hmm... I don't think my rules are complicated, as these were automatically generated by Sophos and are unaltered. The other incoming firewall rules are just for port forwardings (as implied by the group name).

    So basically I just can't get Sophos to properly report incoming masqueraded traffic. That's all, and I don't know how to solve that.

  • Hey

    You can refer to the article:
    How to configure firewall rule and NAT rule on Sophos XG: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/121919/how-to-configure-firewall-rule-and-nat-rule-on-sophos-xg-v18

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Yes, my rules are configured accordingly and work as expected. The only issue I have is that the reports for Source Countries fail to display these and just show "Reserved" instead. Probably because the firewall rule is processed after the packets are rewritten by the NAT...?

  • Hi,

    Please take a step back from your existing rules. If your internal network has unique IP addresses not in the 10, 172.16 or 192.168 ranges, you do not need NAT rules.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Well, I use internal IPs: 192.168.X.X. So I have two NATs in place:

    • The standard NAT, which allows communication from inside out and back with MASQ (masquerading internal packets with the external IP and translating them in both directions).
    • The incoming NAT, which exposes internal services (nginx, ssh, wireguard, etc.)

    I can't operate that without NAT; how would that work?

  • You have one rule for outgoing traffic and another rule for incoming traffic, I hope?
    You do not need a rule for traffic that is answering a connection request from your LAN.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
