Appliance access denied error

Good Day

We are currently using Sophos XG Firewall. We need to whitelist a range of IP addresses in Sophos so we can enable mail fetching for our ManageEngine ServiceDesk Plus cloud application. After creating a new firewall rule with the selected IP addresses we received the appliance access denied error message in the Sophos log viewer and mails are still blocked. Error message pasted below. Is there any way to allow these IP addresses through?

Thank you

2022-09-06 14:32:57 Firewall messageid="02002" log_type="Firewall" log_component="Appliance Access" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" nat_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="Port5" in_display_interface="Port5" out_interface="" out_display_interface="" src_mac="************" dst_mac="" src_ip="136.143.187.53" src_country="USA" dst_ip="*.*.*.*.*" dst_country="ZAF" protocol="TCP" src_port="56842" dst_port="993" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"



  • Appliance Access Denied is caused when an IP address sends a packet to a port on the XG that has no destination other than the XG ("appliance") itself. So your log message is saying the 136.143.187.53 sent a packet to the XG on physical Port 5 to TCP port 993 but the XG doesn't have anything (like DNAT on port 993) to tell it where to send this packet. So it assumes the packet is for itself (the "appliance") and since it has no process listening to port 993, it denies the packet.

    The XG does have the ability to listen for mail, though I've never used it (you need an additional license) and don't know anything about it. So my guess is either you turned this on but not on port 993, or you have an internal mail server and need to set up DNAT on port 993 to forward to that mail server.

    I don't think this error would be caused by a "fetch", the connection is being initiated by 136.143.187.53 to TCP port 993. If an inside-the-firewall server were talking to an external machine, the XG would know about this connection and would allow the far end to talk back to the near end.

  • I managed to add the DNAT rule to the firewall and it is now working. Thank you for your assistance.
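The explanation in the first reply (an "Appliance Access" denial with fw_rule_id="N/A" means the packet reached the XG itself and no DNAT told it where to go) can be turned into a quick triage script. The code below is an added example, not from the thread or from Sophos: it parses the key="value" format shown in the log viewer line above, groups appliance-access denials by source, ingress port and destination port, and flags those on ports the administrator expects to be forwarded to an internal host. The log lines are constructed samples; the internal IPs are documentation addresses and the set of forwarded ports is an assumption the caller supplies.

```python
import re
from collections import Counter

# Sophos XG log-viewer fields are space-separated key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines (shape copied from the thread; IPs/ports are illustrative).
SAMPLE_LOGS = [
    'messageid="02002" log_type="Firewall" log_component="Appliance Access" '
    'log_subtype="Denied" status="Deny" fw_rule_id="N/A" in_interface="Port5" '
    'src_ip="136.143.187.53" dst_ip="203.0.113.10" protocol="TCP" src_port="56842" dst_port="993"',
    'messageid="02002" log_type="Firewall" log_component="Appliance Access" '
    'log_subtype="Denied" status="Deny" fw_rule_id="N/A" in_interface="Port5" '
    'src_ip="136.143.187.53" dst_ip="203.0.113.10" protocol="TCP" src_port="56910" dst_port="993"',
    'messageid="00001" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" fw_rule_id="12" in_interface="Port1" '
    'src_ip="192.0.2.5" dst_ip="198.51.100.7" protocol="TCP" src_port="40000" dst_port="443"',
    'messageid="02002" log_type="Firewall" log_component="Appliance Access" '
    'log_subtype="Denied" status="Deny" fw_rule_id="N/A" in_interface="Port5" '
    'src_ip="198.51.100.99" dst_ip="203.0.113.10" protocol="TCP" src_port="51000" dst_port="22"',
]


def parse_line(line):
    """Turn one key="value" log line into a dict (values keep their raw text)."""
    return dict(KV_RE.findall(line))


def is_appliance_access_denial(rec):
    """True when the XG dropped a packet addressed to itself with no matching rule."""
    return rec.get("log_component") == "Appliance Access" and rec.get("status") == "Deny"


def summarize(lines, forwarded_ports):
    """Group appliance-access denials by (src_ip, in_interface, protocol, dst_port).

    forwarded_ports is the caller's assumption: a set of (protocol, port) pairs that
    should be DNATed to an internal server. A denial on one of those pairs means the
    DNAT rule is missing or not matching, which is exactly the case in the thread.
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if is_appliance_access_denial(rec):
            key = (rec.get("src_ip"), rec.get("in_interface"),
                   rec.get("protocol"), rec.get("dst_port"))
            hits[key] += 1
    findings = []
    for (src, iface, proto, port), count in sorted(hits.items()):
        findings.append({"src_ip": src, "in_interface": iface, "protocol": proto,
                         "dst_port": port, "count": count,
                         "missing_dnat": (proto, port) in forwarded_ports})
    return findings
```

Feed it the exported log viewer lines and the (protocol, port) pairs you intend to forward; entries with missing_dnat set are the ones a DNAT rule should resolve, while the rest are plain unsolicited traffic to the appliance.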