
Sophos Firewall and SQL Server Management to Azure SQL

Hi,

I have Sophos Firewall v19 and an internal computer that needs to connect to Azure SQL using the SQL Server Management tool.

If I create a rule that allows the computer outbound on destination ANY service, it connects, great.

I want to lock it down, so I change the destination service to allow just 1433 and it won't connect. Just to add, I also allow HTTP, HTTPS and SMTP(S), and there is no restriction on the destination either; that's set to ANY.

I've looked at the firewall viewer, detailed mode and can't see any blocks/drops. I've checked IPS and Advanced Protection.

I must be missing something really obvious, so any thoughts or guidance would be fantastic. Thank you.



  • Hello,

    Thank you for reaching out to the community. There are a couple more SQL ports which you can allow [create a service definition for TCP 1433, 4022, 135, 1434, UDP 1434].
    Ensure the rule is at the top, and under the Security features in the FW rule, use the option "Use web proxy instead of DPI engine" with the web policy Allow All. Then check; if the issue still persists, you can also add that FW rule to the IPS exceptions by following the guide here - https://support.sophos.com/support/s/article/KB-000038900?language=en_US

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services 


    If a post solves your question please use the 'Verify Answer' button.

  • Many thanks for your reply; sadly none of them worked. I've even gone to the length of disabling IPS entirely and testing with all the rules you mentioned. I don't have web filtering on for the FW rule either.

    What I find odd is the firewall logs didn't show any rejects.

    I reverted the FW rule so only 1433, 443, 80 and 25 were allowed and I looked at the logs again in detailed mode. All had a green shield with a white tick (which to me suggests it's passing through), and I noticed I had two entries for when I tried to connect the SQL Management tool to Azure SQL and failed.

    Both had the source IP of the computer I'm trying to connect from, but one destination port was 1433 and the other was 11017. Both were "allowed" by the firewall even though the rule only allowed 1433. I then read this https://learn.microsoft.com/en-us/azure/azure-sql/database/adonet-v12-develop-direct-route-ports?view=azuresql so I added the port range 11000-11999 and bingo, SQL Management Studio connects.

    What I don't understand is why the firewall is logging the packet for 11017 as successful/allowed, yet really it wasn't until I added the destination services port range 11000 to 11999.
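    The behaviour described in this post is the Azure SQL "Redirect" connection policy: the client first reaches the gateway on TCP 1433, is then told which database node to talk to, and opens a second TCP connection to that node on a port in the 11000-11999 range. A rule that permits only 1433 therefore lets the first leg through and silently breaks the second. The following is an added example (not code from the original thread or from Sophos), a small policy evaluator that models the firewall rule against the two-leg connection and shows which leg a 1433-only rule blocks; the rule and flow objects, port numbers beyond those quoted in the post, and the "Proxy" flow (where Azure's alternative connection policy keeps everything on 1433) are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Flow = Tuple[str, int]  # (protocol, destination port)


@dataclass(frozen=True)
class Service:
    """One entry of a firewall service definition: a protocol and a port range."""
    proto: str
    lo: int
    hi: int

    def matches(self, proto: str, dport: int) -> bool:
        return proto == self.proto and self.lo <= dport <= self.hi


@dataclass(frozen=True)
class Rule:
    """A simplified outbound rule: an empty services tuple means 'ANY service'."""
    name: str
    services: Tuple[Service, ...] = ()

    def allows(self, proto: str, dport: int) -> bool:
        if not self.services:
            return True
        return any(s.matches(proto, dport) for s in self.services)


def first_blocked(rule: Rule, flows) -> Optional[Flow]:
    """Walk the connection legs in order; return the first leg the rule drops, or None."""
    for proto, dport in flows:
        if not rule.allows(proto, dport):
            return (proto, dport)
    return None


# Constructed flows (assumption): what SSMS produces under each Azure SQL connection policy.
# Redirect: gateway handshake on 1433, then a second connection to the node on 11000-11999
# (11017 is the port seen in the firewall log in the post above).
REDIRECT_FLOWS = [("tcp", 1433), ("tcp", 11017)]
# Proxy: every packet is relayed through the gateway, so only 1433 is ever used.
PROXY_FLOWS = [("tcp", 1433)]

# The rule the poster started with, and the rule that finally worked.
RULE_1433_ONLY = Rule("sql-out", (Service("tcp", 1433, 1433),))
RULE_WITH_REDIRECT = Rule(
    "sql-out-redirect",
    (Service("tcp", 1433, 1433), Service("tcp", 11000, 11999)),
)
RULE_ANY = Rule("any-out")


def explain(rule: Rule, flows) -> str:
    """Human-readable verdict for the whole connection attempt."""
    leg = first_blocked(rule, flows)
    if leg is None:
        return f"{rule.name}: all {len(flows)} leg(s) allowed, connection succeeds"
    return f"{rule.name}: leg to {leg[0]}/{leg[1]} dropped, connection fails"


if __name__ == "__main__":
    for rule in (RULE_1433_ONLY, RULE_WITH_REDIRECT, RULE_ANY):
        print("redirect policy ->", explain(rule, REDIRECT_FLOWS))
        print("proxy policy    ->", explain(rule, PROXY_FLOWS))
```

    The point of the model is the ordering: the 1433 leg passes under every rule, so a log filtered to "allowed" entries looks healthy, while the redirect leg is the one that needs the extra service entry. If the wider 11000-11999 range is not acceptable outbound, switching the Azure SQL server's connection policy to Proxy keeps the whole session on 1433 at the cost of the extra gateway hop.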

  • The firewall will open and close ports as required by the connection/application.

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • Thanks, but I had to open the ports up outbound to get this working. Looking at the Azure SQL documentation, it says only 1433 is needed, but the link I added suggests the port range as well in one particular scenario. I'm going to discuss this with the SQL guy and see what's going on, and post back on here with more info if I can.

    What I still don't understand is why the firewall logs didn't show the blocks.

  • You will need some ports allowed so the initial connection can be established; then the firewall does its magic. I suspect you have "do not log invalid packets" enabled and these would have been classified as invalid.

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • Thank you, I'll look into "do not log invalid packets".