
Sophos FW XG SSL/TLS Decrypt - game Diablo 2 not connecting to server

Hello everyone.  

  I have a Sophos XG at home. I created all the rules and activated all protections: IPS, ATP, SSL/TLS Decrypt etc. In the local TLS exclusion list I added Battle-net, Blizzard and other games I play. When SSL/TLS decrypt is on, Diablo 2 Resurrected can't connect to the server. Other games are fine. I ran netstat for the game only and found some IPs that the game connects to when SSL/TLS decrypt is off and all is fine. I added them to the TLS exclusion list and it is still not working. Log viewer logs "Invalid traffic" for IP 37.244.28.104 port 80. This IP is also in the TLS exclusion list. Battle.net and Blizzard.com are also in the TLS exclusion list. The web category GAMES is also in the SSL/TLS exclusion list and it is still not working. What else could I check and allow? I tried turning off IPS and ATP and there was no change. Only when SSL/TLS is off is everything fine. There are no errors in the SSL/TLS inspection log. The only error is Invalid traffic to 37.244.28.104 port 80. This happens when I try to start the game and connect to the server.

  • Just tried this and no result. I tried with all IPS and ATP off in the firewall. This is what I have got from conntrack. My LAN to WAN rule ID is #1.

    SNAT id is #2

    [NEW] proto=tcp proto-no=6 timeout=120 state=SYN_SENT orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 [UNREPLIED] reply-src=37.244.28.104 reply-dst=***************** reply-sport=80 reply-dport=40132 mark=0x8001 id=2492894499 masterid=0 devin=Port1 devout=Port2 nseid=16778757 ips=5 sslvpnid=0 webfltid=12 appfltid=6 icapid=0 policytype=1 fwid=1 natid=2 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=6 hb_src=0 hb_dst=0 flags0=0x10800a002360000a flags1=0xd0020a00717 flagvalues=1,3,21,22,24,25,29,41,43,55,60,64,65,66,68,72,73,74,85,87,93,104,106,107 catid=0 user=8 luserid=1 usergp=2 hotspotuserid=0 hotspotid=0 dst_mac=00:d8:61:56:58:9f src_mac=24:4b:fe:5e:9a:bf startstamp=1680699221 microflowid[0]=1671 microflowrev[0]=10 microflow[1]=INVALID hostrev[0]=1 hostrev[1]=0 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=3662 current_state[1]=0 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5179 sessionidrev=17425 session_update_rev=1 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
    [UPDATE] proto=tcp proto-no=6 timeout=60 state=SYN_RECV orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-dst=***************** reply-sport=80 reply-dport=40132 mark=0x8001 id=2492894499 masterid=0 devin=Port1 devout=Port2 nseid=16778757 ips=5 sslvpnid=0 webfltid=12 appfltid=6 icapid=0 policytype=1 fwid=1 natid=2 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=6 hb_src=0 hb_dst=0 flags0=0x10800a002360000a flags1=0xd0020a00717 flagvalues=1,3,21,22,24,25,29,41,43,55,60,64,65,66,68,72,73,74,85,87,93,104,106,107 catid=0 user=8 luserid=1 usergp=2 hotspotuserid=0 hotspotid=0 dst_mac=00:d8:61:56:58:9f src_mac=24:4b:fe:5e:9a:bf startstamp=1680699221 microflowid[0]=1671 microflowrev[0]=10 microflowid[1]=6225 microflowrev[1]=52 hostrev[0]=1 hostrev[1]=1 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=3662 current_state[1]=3662 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5179 sessionidrev=17425 session_update_rev=1 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=10 nhop_id[1]=65535 nhop_rev[0]=2 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
    [UPDATE] proto=tcp proto-no=6 timeout=21600 state=ESTABLISHED orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-dst=***************** reply-sport=80 reply-dport=40132 [ASSURED] mark=0x8001 id=2492894499 masterid=0 devin=Port1 devout=Port2 nseid=16778757 ips=5 sslvpnid=0 webfltid=12 appfltid=6 icapid=0 policytype=1 fwid=1 natid=2 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=6 hb_src=0 hb_dst=0 flags0=0x10800a002360000a flags1=0xd0020a00717 flagvalues=1,3,21,22,24,25,29,41,43,55,60,64,65,66,68,72,73,74,85,87,93,104,106,107 catid=0 user=8 luserid=1 usergp=2 hotspotuserid=0 hotspotid=0 dst_mac=00:d8:61:56:58:9f src_mac=24:4b:fe:5e:9a:bf startstamp=1680699221 microflowid[0]=1671 microflowrev[0]=10 microflowid[1]=6225 microflowrev[1]=52 hostrev[0]=1 hostrev[1]=1 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=3662 current_state[1]=3662 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5179 sessionidrev=17425 session_update_rev=1 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=10 nhop_id[1]=20 nhop_rev[0]=2 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
    [UPDATE] proto=tcp proto-no=6 timeout=120 state=FIN_WAIT orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-dst=***************** reply-sport=80 reply-dport=40132 [ASSURED] mark=0x8001 id=2492894499 masterid=0 devin=Port1 devout=Port2 nseid=16778757 ips=5 sslvpnid=0 webfltid=12 appfltid=6 icapid=0 policytype=1 fwid=1 natid=2 fw_action=1 bwid=20 appid=1979 appcatid=2 hbappid=0 hbappcatid=0 dpioffload=0x2 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=6 hb_src=0 hb_dst=0 flags0=0x10800a002361000a flags1=0xd0024a10717 flagvalues=1,3,16,21,22,24,25,29,41,43,55,60,64,65,66,68,72,73,74,80,85,87,90,93,104,106,107 catid=22 user=8 luserid=1 usergp=2 hotspotuserid=0 hotspotid=0 dst_mac=00:d8:61:56:58:9f src_mac=24:4b:fe:5e:9a:bf startstamp=1680699221 microflowid[0]=1671 microflowrev[0]=10 microflowid[1]=6225 microflowrev[1]=52 hostrev[0]=2 hostrev[1]=2 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=3662 current_state[1]=3662 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5179 sessionidrev=17425 session_update_rev=7 dnat_done=0 upclass=2:9 dnclass=2:9 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=10 nhop_id[1]=20 nhop_rev[0]=2 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
    [UPDATE] proto=tcp proto-no=6 timeout=10 state=CLOSE_WAIT orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-dst=***************** reply-sport=80 reply-dport=40132 [ASSURED] mark=0x8001 id=2492894499 masterid=0 devin=Port1 devout=Port2 nseid=16778757 ips=5 sslvpnid=0 webfltid=12 appfltid=6 icapid=0 policytype=1 fwid=1 natid=2 fw_action=1 bwid=20 appid=1979 appcatid=2 hbappid=0 hbappcatid=0 dpioffload=0x2 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=6 hb_src=0 hb_dst=0 flags0=0x10800a002361000a flags1=0xd0024a10717 flagvalues=1,3,16,21,22,24,25,29,41,43,55,60,64,65,66,68,72,73,74,80,85,87,90,93,104,106,107 catid=22 user=8 luserid=1 usergp=2 hotspotuserid=0 hotspotid=0 dst_mac=00:d8:61:56:58:9f src_mac=24:4b:fe:5e:9a:bf startstamp=1680699221 microflowid[0]=1671 microflowrev[0]=10 microflowid[1]=6225 microflowrev[1]=52 hostrev[0]=2 hostrev[1]=2 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=3662 current_state[1]=3662 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5179 sessionidrev=17425 session_update_rev=7 dnat_done=0 upclass=2:9 dnclass=2:9 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=10 nhop_id[1]=20 nhop_rev[0]=2 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
    [DESTROY] proto=tcp proto-no=6 orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 packets=5 bytes=302 reply-src=37.244.28.104 reply-dst=***************** reply-sport=80 reply-dport=40132 packets=3 bytes=720 [ASSURED] mark=0x8001 id=2492894499 masterid=0 devin=Port1 devout=Port2 nseid=16778757 ips=5 sslvpnid=0 webfltid=12 appfltid=6 icapid=0 policytype=1 fwid=1 natid=2 fw_action=1 bwid=20 appid=1979 appcatid=2 hbappid=0 hbappcatid=0 dpioffload=0x2 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=6 hb_src=0 hb_dst=0 flags0=0x10800a002361000a flags1=0xd0024a10717 flagvalues=1,3,16,21,22,24,25,29,41,43,55,60,64,65,66,68,72,73,74,80,85,87,90,93,104,106,107 catid=22 user=8 luserid=1 usergp=2 hotspotuserid=0 hotspotid=0 dst_mac=00:d8:61:56:58:9f src_mac=24:4b:fe:5e:9a:bf startstamp=1680699221 microflowid[0]=1671 microflowrev[0]=10 microflowid[1]=6225 microflowrev[1]=52 hostrev[0]=2 hostrev[1]=2 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=3662 current_state[1]=3662 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5179 sessionidrev=17425 session_update_rev=7 dnat_done=0 upclass=2:9 dnclass=2:9 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=10 nhop_id[1]=20 nhop_rev[0]=2 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
    ^Cconntrack v1.4.5 (conntrack-tools): 6 flow events have been shown.

  • I tried with ac_atp_exception_fwrules 1 and nothing.

  • Fixed. I investigated the firewall's application usage. In the list I found Blizzard. Then I got the list of all IPs for this application and added them to the TLS/SSL exclusion list. There were a few more. And now all works. Also some Google IPs needed to be excluded from decryption. Now all works. Thank you for your time and help!

       Regards 
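An added example (not from this thread, not Sophos code) that turns the two working steps above into a repeatable check: it parses conntrack event lines in the key=value format posted earlier, groups them per flow id, summarises how each flow to the game server ended (states, packets in each direction, the appid/catid the firewall assigned), and then reports which destination IP/port pairs are not covered by a given exclusion list. The sample events are constructed, shortened versions of the posted lines; the reply-dst (masked in the post), the second flow to 198.51.100.7, and the exclusion CIDRs are all constructed placeholders.

```python
"""Parse conntrack events from a Sophos firewall and check flow destinations
against an SSL/TLS exclusion list. Added example; sample data is constructed."""
import ipaddress
import re
from collections import defaultdict

EVENT_RE = re.compile(r"^\[(?P<event>NEW|UPDATE|DESTROY)\]\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\S+?)=(\S+)")

# Constructed sample: the thread's flow (abbreviated) plus one flow to a
# placeholder host that the exclusion list below does not cover.
SAMPLE_EVENTS = """\
[NEW] proto=tcp proto-no=6 timeout=120 state=SYN_SENT orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 [UNREPLIED] reply-src=37.244.28.104 reply-dst=203.0.113.5 reply-sport=80 reply-dport=40132 id=2492894499 fwid=1 natid=2 fw_action=1 appid=0 catid=0 tlsruleid=0
[UPDATE] proto=tcp proto-no=6 timeout=21600 state=ESTABLISHED orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-dst=203.0.113.5 reply-sport=80 reply-dport=40132 [ASSURED] id=2492894499 fwid=1 natid=2 fw_action=1 appid=0 catid=0 tlsruleid=0
[UPDATE] proto=tcp proto-no=6 timeout=10 state=CLOSE_WAIT orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-dst=203.0.113.5 reply-sport=80 reply-dport=40132 [ASSURED] id=2492894499 fwid=1 natid=2 fw_action=1 appid=1979 catid=22 tlsruleid=0
[DESTROY] proto=tcp proto-no=6 orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 packets=5 bytes=302 reply-src=37.244.28.104 reply-dst=203.0.113.5 reply-sport=80 reply-dport=40132 packets=3 bytes=720 [ASSURED] id=2492894499 fwid=1 natid=2 fw_action=1 appid=1979 catid=22 tlsruleid=0
[NEW] proto=tcp proto-no=6 timeout=120 state=SYN_SENT orig-src=10.10.10.200 orig-dst=198.51.100.7 orig-sport=40200 orig-dport=443 [UNREPLIED] reply-src=198.51.100.7 reply-dst=203.0.113.5 reply-sport=443 reply-dport=40200 id=1111 fwid=1 natid=2 fw_action=1 appid=0 catid=0 tlsruleid=0
[UPDATE] proto=tcp proto-no=6 timeout=21600 state=ESTABLISHED orig-src=10.10.10.200 orig-dst=198.51.100.7 orig-sport=40200 orig-dport=443 reply-src=198.51.100.7 reply-dst=203.0.113.5 reply-sport=443 reply-dport=40200 [ASSURED] id=1111 fwid=1 natid=2 fw_action=1 appid=0 catid=0 tlsruleid=0
[DESTROY] proto=tcp proto-no=6 orig-src=10.10.10.200 orig-dst=198.51.100.7 orig-sport=40200 orig-dport=443 packets=12 bytes=2400 reply-src=198.51.100.7 reply-dst=203.0.113.5 reply-sport=443 reply-dport=40200 packets=9 bytes=6100 [ASSURED] id=1111 fwid=1 natid=2 fw_action=1 appid=0 catid=0 tlsruleid=0
"""

# Constructed exclusion list: covers only the thread's destination /24.
EXCLUSIONS = ["37.244.28.0/24"]


def parse_event(line):
    """One conntrack event line -> dict. Bracketed tokens become flags.
    A key seen twice (packets=/bytes= on DESTROY lines: original direction
    first, reply direction second) gets a '_reply' suffix on the repeat."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = {"event": m.group("event"), "flags": []}
    for token in m.group("rest").split():
        if token.startswith("[") and token.endswith("]"):
            fields["flags"].append(token[1:-1])  # e.g. UNREPLIED, ASSURED
            continue
        kv = KV_RE.fullmatch(token)
        if not kv:
            continue
        key, value = kv.groups()
        if key in fields:
            key += "_reply"
        fields[key] = value
    return fields


def group_flows(text):
    """Group events by conntrack flow id, preserving event order."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        if ev and "id" in ev:
            flows[ev["id"]].append(ev)
    return flows


def summarize_flow(events):
    """Condense a flow into what matters when debugging decryption: where it
    went, the state sequence, bytes/packets per direction, and the app and
    category the firewall eventually assigned."""
    first, last = events[0], events[-1]
    states = [e["state"] for e in events if "state" in e]
    return {
        "orig_dst": first["orig-dst"],
        "orig_dport": int(first["orig-dport"]),
        "states": states,
        "final_state": states[-1] if states else None,
        "orig_packets": int(last.get("packets", 0)),
        "reply_packets": int(last.get("packets_reply", 0)),
        "appid": last.get("appid", "0"),
        "catid": last.get("catid", "0"),
        "tlsruleid": last.get("tlsruleid", "0"),
    }


def uncovered_destinations(flows, exclusions):
    """(ip, port) pairs of flow destinations that match no excluded network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in exclusions]
    missing = set()
    for events in flows.values():
        s = summarize_flow(events)
        ip = ipaddress.ip_address(s["orig_dst"])
        if not any(ip in net for net in nets):
            missing.add((s["orig_dst"], s["orig_dport"]))
    return sorted(missing)


if __name__ == "__main__":
    flows = group_flows(SAMPLE_EVENTS)
    for fid, events in flows.items():
        print(fid, summarize_flow(events))
    print("not in exclusion list:", uncovered_destinations(flows, EXCLUSIONS))
```

Feed it the real `conntrack -E` output and the current exclusion list (hosts or CIDRs) and the second report is the list of destinations still worth adding; the per-flow summary also makes visible that, in the posted lines, the flow only received an appid and catid at FIN_WAIT after 5 packets out and 3 back, which is why exclusion by destination address rather than by classified application was what finally mattered here.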

  • Thank you for sharing your diagnosis!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.