Sophos Flow: Firewall and NAT

Hello folks,

Every time I need to create a NAT rule I must go back to the Sophos video that explains it. The reason - I can't remember it because it is so counter-intuitive. I hope you can help me figure out a few key moments.

The video:

1) A long time ago there was a pinned post in the community that outlined the foundation and main rules to follow when configuring Sophos Firewalls. One of them dictated to never use Interfaces where a Network definition (IP) was expected. Indeed, I've seen a lot of cases where instead of #Port 2 you created/used the IP definition for the same WAN, and everything worked like a charm.

In this video, however (@12:23), the instructor is using the alias for the WAN interface in the firewall rule. She does the same thing when creating the NAT @13:38.

Q: So is it OK now to use interfaces under Source and Destination Networks when creating the Firewall and NAT rules?

2) Let's rewind back to @12:23 when the instructor creates the firewall rule for DNAT.

Destination zone: LAN ("as that is the location of the actual Webserver"). OK...

Destination Networks: interface Port6:0 ("because users' request traffic will arrive on XG on its WAN interface before it is NATed to the Webserver").

Services: <pre NATed service>

So based on the instructor, the firewall rule kicks in before it is NATed to Webserver. I will pretend that I didn't notice the contradiction in the rule that the destination zone = LAN is a post-NAT criteria, but I'll ask the other confusing thing:

Q: I am currently troubleshooting a DNAT (it's not working). During the troubleshooting I am noticing that my DNAT rule counter keeps going up, while the associated firewall rule sits at zero in/out. How is this possible if the firewall rule kicks in before NAT, as per official video?



  • Essentially you have to understand: there are three different actions on traffic: Routing, Firewalling (Allow/Deny) and NATing (changing the traffic).

    See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122357/life-of-a-packet-sophos-firewall

    One of the confusions starts, when NAT kicks in, changing the Destination but not the Zone. 

    I have a rule of thumb for this, which worked great for me: Change the Destination Zone, not the Destination IP in the Firewall rule.

    Means: FW Rule IP #Port1 and Zone LAN. This will work. 

    If your firewall rule is not hitting, it is not matching. Simple as that. So NAT will hit without the firewall rule having to hit. See above. It works independently. So the NAT will do its stuff, and if the firewall denies the traffic (not matching - default drop) or another rule hits, your rule will not match.

    Check the packet capture on the Webadmin of your firewall to see NAT and FW rule for the traffic. Use the configure - BPF String to dump specifically for your traffic. 

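The reply above makes two claims that are worth seeing side by side: the DNAT counter increments on its own, independent of whether any firewall rule allows the traffic, and the firewall rule is written with the post-translation destination zone but the pre-translation destination IP and service ("change the Destination Zone, not the Destination IP"). The following is an added toy model of exactly those matching semantics, written for this thread; it is not Sophos code, the order in which it consults the two tables is not a statement about the real packet pipeline, and the addresses (documentation ranges), rule names and zone layout are constructed for the example. It reproduces the original poster's observation: a firewall rule that names the internal server IP never hits while the DNAT rule keeps counting.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone layout (assumption): 10.0.0.0/24 sits behind the LAN
# interface, anything else arrives on the WAN interface.  A real firewall
# derives the zone from the ingress/egress interface, not from a table.
LAN_NETS = [ip_network("10.0.0.0/24")]


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return "LAN" if any(addr in n for n in LAN_NETS) else "WAN"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass
class DnatRule:
    name: str
    orig_dst: str          # destination before translation (the WAN IP)
    orig_service: tuple    # (proto, port) before translation
    new_dst: str           # destination after translation (internal server)
    new_service: tuple     # (proto, port) after translation
    hits: int = 0

    def matches(self, pkt: Packet) -> bool:
        return pkt.dst_ip == self.orig_dst and (pkt.proto, pkt.dst_port) == self.orig_service

    def translate(self, pkt: Packet) -> Packet:
        proto, port = self.new_service
        return Packet(pkt.src_ip, self.new_dst, proto, port)


@dataclass
class FirewallRule:
    name: str
    src_zone: str
    dst_zone: str
    dst_networks: list     # hosts/networks as written in the rule, CIDR strings
    services: set          # {(proto, port)} as written in the rule
    hits: int = 0

    def matches(self, pre: Packet, post: Packet) -> bool:
        # Assumed semantics from the thread: the destination ZONE is taken
        # from the translated packet, the destination NETWORK and SERVICE
        # from the untranslated packet.
        in_dst_net = any(ip_address(pre.dst_ip) in ip_network(n) for n in self.dst_networks)
        return (zone_of(pre.src_ip) == self.src_zone
                and zone_of(post.dst_ip) == self.dst_zone
                and in_dst_net
                and (pre.proto, pre.dst_port) in self.services)


def process(pkt: Packet, dnat_rules: list, fw_rules: list) -> str:
    """Return the verdict for one inbound packet, updating rule counters."""
    # DNAT lookup counts regardless of the firewall outcome (claim 1 above).
    post = pkt
    for r in dnat_rules:
        if r.matches(pkt):
            r.hits += 1
            post = r.translate(pkt)
            break
    for fw in fw_rules:
        if fw.matches(pkt, post):
            fw.hits += 1
            return f"ALLOW by {fw.name}"
    return "DROP (no matching firewall rule, default drop)"


def run_scenario() -> dict:
    """Web server 10.0.0.80 published on WAN IP 203.0.113.10; pre-NAT service
    tcp/443, post-NAT service tcp/8443.  Three candidate firewall rules are
    tried one at a time against the same inbound packet."""
    dnat = DnatRule("DNAT web", "203.0.113.10", ("tcp", 443), "10.0.0.80", ("tcp", 8443))
    candidates = {
        # the rule of thumb: zone after NAT, IP and service before NAT
        "rule_of_thumb": FirewallRule("WAN->LAN web", "WAN", "LAN", ["203.0.113.10/32"], {("tcp", 443)}),
        # the mistake from the question: internal server IP as destination network
        "post_nat_ip": FirewallRule("WAN->LAN web (wrong IP)", "WAN", "LAN", ["10.0.0.80/32"], {("tcp", 443)}),
        # pre-NAT zone instead of post-NAT zone
        "pre_nat_zone": FirewallRule("WAN->WAN web (wrong zone)", "WAN", "WAN", ["203.0.113.10/32"], {("tcp", 443)}),
    }
    pkt = Packet("198.51.100.7", "203.0.113.10", "tcp", 443)   # constructed client request
    results = {}
    for key, fw in candidates.items():
        dnat.hits = 0
        verdict = process(pkt, [dnat], [fw])
        results[key] = {"dnat_hits": dnat.hits, "fw_hits": fw.hits, "verdict": verdict}
    return results


if __name__ == "__main__":
    for key, r in run_scenario().items():
        print(f"{key:14s} DNAT hits={r['dnat_hits']} FW hits={r['fw_hits']}  {r['verdict']}")
```

Only the first candidate ever increments its firewall counter; the other two show the "DNAT counter going up, firewall rule at zero" symptom from the question, because the DNAT lookup is counted before the packet is dropped for lack of a matching allow rule.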

  • I am very familiar with route, firewall and translation. The problem is that I find DNAT configuration not aligning with how the rest of scenarios are configured in the fw rules. When we do MASQ or SNAT, our destination zone and IP are in the same "realm" (i.e. WAN Zone, WAN IP). Same thing with Inter-LAN rules (Destination Zone DMZ, IP will also be in the DMZ). It's only the DNAT that has Zone = Internal and IP = External.

    If the firewall rule is processed before NAT, then there is no way the packet can match the LAN zone without being translated first.

    I am sure Sophos has an implementation that makes it all work, perhaps some sort of NAT "simulation" right before the FW rule that doesn't actually translate the DstIP, but only "checks" in which zone the packet would land after translation, so that the firewall can process it as Dst.Zone=LAN. The question is: why isn't it doing the same thing with the IP address and the service?

    It just doesn't make sense to me that "we indicate LAN zone because that's what is going to happen after translation, but we indicate WAN IP and pre-NAT service right in the same rule, because that's what will happen before translation."

    Also this - 

    The link you provided confirms once again that the ingress order of processing of a packet is DoS > FW Rules > DNAT > Route. If the firewall rule isn't hitting and the packet is discarded, then how come I am seeing NAT counters go up? I have no other inbound rules allowing WAN>LAN. The packet is discarded 100%

  • You are right with "it is so counter intuitive" for creating DNAT rules.

    Because of this, I use the DNAT wizard every time and have 0 problems (but I delete the 1-2 additional unnecessary NAT rules).


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
