Sophos FW XG SSL/TLS Decrypt - game Diablo 2 not connecting to server

Hello everyone.  

  I have Sophos XG in my home. I created all the rules and activated all protections: IPS, ATP, SSL/TLS Decrypt etc. In the local TLS exclusion list I added Battle.net, Blizzard and other games I play. When SSL/TLS decrypt is on, Diablo 2 Resurrected can't connect to the server. Other games are fine. I ran netstat for the game only and found some IPs that the game is connecting to when SSL/TLS decrypt is off, and all is fine. I added them to the TLS exclusion list and it is still not working. Log viewer logs "Invalid traffic" for IP 37.244.28.104 port 80. This IP is also in the TLS exclusion list. Battle.net and Blizzard.com are also in the TLS exclusion list. The web category GAMES is also in the SSL/TLS exclusion list and it is still not working. What else could I check and allow? I tried turning off IPS and ATP and there was no change. Only when SSL/TLS is off is all fine. There are no errors in the SSL/TLS inspection log. The only error is Invalid traffic to 37.244.28.104 port 80. This is when I try to start the game and connect to the server.

  • Hello,

    Thank you for reaching out to the community. Diablo 2 needs the following TCP ports: 4000, 6112. On the CLI, select option 4.) Device console.

    1. Run the following command: console> show advanced-firewall.

      You can reduce the number of invalid traffic events logged by increasing the Tcp Connection Establishment Idle Timeout value. For example, you can increase the timeout to 6 hours (21600 seconds):

      set advanced-firewall tcp-est-idle-timeout 21600

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hello,

     Tried this, not working. The problem is not in the invalid traffic reporting. It is reporting right. But why does it still give an error on that IP when I added it to the SSL/TLS exclusion list? It is not about the timeout. I start the game and it refuses to connect to the game server. And it is not a FW rule for sure. I tried with a rule specifically for this connection on top. It is like the game makes a connection to the IP. The ACK is completed and 1 second after that the remote server drops the connection. It probably does not like the traffic that goes there.

      Regards.

  • Can you share a screenshot of the FW rule you created?
    Besides, have you created IP/domain exceptions under Web > Exceptions and checked if the issue still persists?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • Yes, I tried to add it to web exceptions. I added there all the IPs I could find for this game and it was the same. The rules are ok. All is working, all protection is on. And even when all exceptions are made, Sophos reports the same invalid traffic for the same IP: "Could not associate packet to any connection."

  • "Could not associate packet to any connection." - You can refer to the Invalid traffic events.
    Check the current default - the value should be 10800; you can increase that to 6 hours (21600 seconds) as suggested above!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • Yes, I made this change and nothing. I tried to see anything in conntrack but nothing special. I only see that the packets for this connection are not OFF LOADED. So they still go to the DPI engine.

  • Interesting. Try bypassing the firewall rule for application classification and advanced threat protection (ATP).
    Refer to the article - https://support.sophos.com/support/s/article/KB-000038900?language=en_US
    See if this helps...

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • Just tried this and no result. I tried with all IPS and ATP off in the firewall. This is what I have got from conntrack. My LAN to WAN rule ID is #1.

    SNAT id is #2

    [NEW] proto=tcp proto-no=6 timeout=120 state=SYN_SENT orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 [UNREPLIED] reply-src=37.244.28.104 reply-dst=***************** reply-sport=80 reply-dport=40132 mark=0x8001 id=2492894499 masterid=0 devin=Port1 devout=Port2 nseid=16778757 ips=5 sslvpnid=0 webfltid=12 appfltid=6 icapid=0 policytype=1 fwid=1 natid=2 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=6 hb_src=0 hb_dst=0 flags0=0x10800a002360000a flags1=0xd0020a00717 flagvalues=1,3,21,22,24,25,29,41,43,55,60,64,65,66,68,72,73,74,85,87,93,104,106,107 catid=0 user=8 luserid=1 usergp=2 hotspotuserid=0 hotspotid=0 dst_mac=00:d8:61:56:58:9f src_mac=24:4b:fe:5e:9a:bf startstamp=1680699221 microflowid[0]=1671 microflowrev[0]=10 microflow[1]=INVALID hostrev[0]=1 hostrev[1]=0 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=3662 current_state[1]=0 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5179 sessionidrev=17425 session_update_rev=1 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
    [UPDATE] proto=tcp proto-no=6 timeout=60 state=SYN_RECV orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-dst=***************** reply-sport=80 reply-dport=40132 mark=0x8001 id=2492894499 masterid=0 devin=Port1 devout=Port2 nseid=16778757 ips=5 sslvpnid=0 webfltid=12 appfltid=6 icapid=0 policytype=1 fwid=1 natid=2 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=6 hb_src=0 hb_dst=0 flags0=0x10800a002360000a flags1=0xd0020a00717 flagvalues=1,3,21,22,24,25,29,41,43,55,60,64,65,66,68,72,73,74,85,87,93,104,106,107 catid=0 user=8 luserid=1 usergp=2 hotspotuserid=0 hotspotid=0 dst_mac=00:d8:61:56:58:9f src_mac=24:4b:fe:5e:9a:bf startstamp=1680699221 microflowid[0]=1671 microflowrev[0]=10 microflowid[1]=6225 microflowrev[1]=52 hostrev[0]=1 hostrev[1]=1 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=3662 current_state[1]=3662 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5179 sessionidrev=17425 session_update_rev=1 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=10 nhop_id[1]=65535 nhop_rev[0]=2 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
    [UPDATE] proto=tcp proto-no=6 timeout=21600 state=ESTABLISHED orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-dst=***************** reply-sport=80 reply-dport=40132 [ASSURED] mark=0x8001 id=2492894499 masterid=0 devin=Port1 devout=Port2 nseid=16778757 ips=5 sslvpnid=0 webfltid=12 appfltid=6 icapid=0 policytype=1 fwid=1 natid=2 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=6 hb_src=0 hb_dst=0 flags0=0x10800a002360000a flags1=0xd0020a00717 flagvalues=1,3,21,22,24,25,29,41,43,55,60,64,65,66,68,72,73,74,85,87,93,104,106,107 catid=0 user=8 luserid=1 usergp=2 hotspotuserid=0 hotspotid=0 dst_mac=00:d8:61:56:58:9f src_mac=24:4b:fe:5e:9a:bf startstamp=1680699221 microflowid[0]=1671 microflowrev[0]=10 microflowid[1]=6225 microflowrev[1]=52 hostrev[0]=1 hostrev[1]=1 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=3662 current_state[1]=3662 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5179 sessionidrev=17425 session_update_rev=1 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=10 nhop_id[1]=20 nhop_rev[0]=2 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
    [UPDATE] proto=tcp proto-no=6 timeout=120 state=FIN_WAIT orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-dst=***************** reply-sport=80 reply-dport=40132 [ASSURED] mark=0x8001 id=2492894499 masterid=0 devin=Port1 devout=Port2 nseid=16778757 ips=5 sslvpnid=0 webfltid=12 appfltid=6 icapid=0 policytype=1 fwid=1 natid=2 fw_action=1 bwid=20 appid=1979 appcatid=2 hbappid=0 hbappcatid=0 dpioffload=0x2 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=6 hb_src=0 hb_dst=0 flags0=0x10800a002361000a flags1=0xd0024a10717 flagvalues=1,3,16,21,22,24,25,29,41,43,55,60,64,65,66,68,72,73,74,80,85,87,90,93,104,106,107 catid=22 user=8 luserid=1 usergp=2 hotspotuserid=0 hotspotid=0 dst_mac=00:d8:61:56:58:9f src_mac=24:4b:fe:5e:9a:bf startstamp=1680699221 microflowid[0]=1671 microflowrev[0]=10 microflowid[1]=6225 microflowrev[1]=52 hostrev[0]=2 hostrev[1]=2 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=3662 current_state[1]=3662 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5179 sessionidrev=17425 session_update_rev=7 dnat_done=0 upclass=2:9 dnclass=2:9 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=10 nhop_id[1]=20 nhop_rev[0]=2 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
    [UPDATE] proto=tcp proto-no=6 timeout=10 state=CLOSE_WAIT orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-dst=***************** reply-sport=80 reply-dport=40132 [ASSURED] mark=0x8001 id=2492894499 masterid=0 devin=Port1 devout=Port2 nseid=16778757 ips=5 sslvpnid=0 webfltid=12 appfltid=6 icapid=0 policytype=1 fwid=1 natid=2 fw_action=1 bwid=20 appid=1979 appcatid=2 hbappid=0 hbappcatid=0 dpioffload=0x2 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=6 hb_src=0 hb_dst=0 flags0=0x10800a002361000a flags1=0xd0024a10717 flagvalues=1,3,16,21,22,24,25,29,41,43,55,60,64,65,66,68,72,73,74,80,85,87,90,93,104,106,107 catid=22 user=8 luserid=1 usergp=2 hotspotuserid=0 hotspotid=0 dst_mac=00:d8:61:56:58:9f src_mac=24:4b:fe:5e:9a:bf startstamp=1680699221 microflowid[0]=1671 microflowrev[0]=10 microflowid[1]=6225 microflowrev[1]=52 hostrev[0]=2 hostrev[1]=2 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=3662 current_state[1]=3662 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5179 sessionidrev=17425 session_update_rev=7 dnat_done=0 upclass=2:9 dnclass=2:9 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=10 nhop_id[1]=20 nhop_rev[0]=2 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
    [DESTROY] proto=tcp proto-no=6 orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 packets=5 bytes=302 reply-src=37.244.28.104 reply-dst=***************** reply-sport=80 reply-dport=40132 packets=3 bytes=720 [ASSURED] mark=0x8001 id=2492894499 masterid=0 devin=Port1 devout=Port2 nseid=16778757 ips=5 sslvpnid=0 webfltid=12 appfltid=6 icapid=0 policytype=1 fwid=1 natid=2 fw_action=1 bwid=20 appid=1979 appcatid=2 hbappid=0 hbappcatid=0 dpioffload=0x2 sigoffload=0 inzone=1 outzone=2 devinindex=5 devoutindex=6 hb_src=0 hb_dst=0 flags0=0x10800a002361000a flags1=0xd0024a10717 flagvalues=1,3,16,21,22,24,25,29,41,43,55,60,64,65,66,68,72,73,74,80,85,87,90,93,104,106,107 catid=22 user=8 luserid=1 usergp=2 hotspotuserid=0 hotspotid=0 dst_mac=00:d8:61:56:58:9f src_mac=24:4b:fe:5e:9a:bf startstamp=1680699221 microflowid[0]=1671 microflowrev[0]=10 microflowid[1]=6225 microflowrev[1]=52 hostrev[0]=2 hostrev[1]=2 ipspid=0 diffserv=0 loindex=6 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=3662 current_state[1]=3662 vlan_id=0 inmark=0x0 brinindex=0 sessionid=5179 sessionidrev=17425 session_update_rev=7 dnat_done=0 upclass=2:9 dnclass=2:9 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0 nhop_id[0]=10 nhop_id[1]=20 nhop_rev[0]=2 nhop_rev[1]=0 saidx[0]=0 saidx[1]=0 saidx_rev[0]=0 saidx_rev[1]=0 atomic_flags=0x0 conn_fp_id=NOT_OFFLOADED
    ^Cconntrack v1.4.5 (conntrack-tools): 6 flow events have been shown.
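    A trace like the one above is easier to read once the events are reduced to a lifecycle: state sequence, where app classification (appid) first appeared, whether the flow was ever offloaded, and the per-direction packet and byte counts from the DESTROY event. The parser below is an added example (not from the thread or from Sophos); its sample events are constructed from the trace above with most fields dropped and the masked reply-dst omitted.

```python
from typing import Dict, List

# Conntrack events in the key=value form SFOS prints. Constructed for this example
# from the thread's trace (same IPs, ports, states and counters), most fields dropped.
SAMPLE_EVENTS = """\
[NEW] proto=tcp timeout=120 state=SYN_SENT orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 [UNREPLIED] reply-src=37.244.28.104 reply-sport=80 reply-dport=40132 appid=0 dpioffload=0 conn_fp_id=NOT_OFFLOADED
[UPDATE] proto=tcp timeout=60 state=SYN_RECV orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-sport=80 reply-dport=40132 appid=0 dpioffload=0 conn_fp_id=NOT_OFFLOADED
[UPDATE] proto=tcp timeout=21600 state=ESTABLISHED orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-sport=80 reply-dport=40132 [ASSURED] appid=0 dpioffload=0 conn_fp_id=NOT_OFFLOADED
[UPDATE] proto=tcp timeout=120 state=FIN_WAIT orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-sport=80 reply-dport=40132 [ASSURED] appid=1979 appcatid=2 dpioffload=0x2 conn_fp_id=NOT_OFFLOADED
[UPDATE] proto=tcp timeout=10 state=CLOSE_WAIT orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 reply-src=37.244.28.104 reply-sport=80 reply-dport=40132 [ASSURED] appid=1979 appcatid=2 dpioffload=0x2 conn_fp_id=NOT_OFFLOADED
[DESTROY] proto=tcp orig-src=10.10.10.200 orig-dst=37.244.28.104 orig-sport=40132 orig-dport=80 packets=5 bytes=302 reply-src=37.244.28.104 reply-sport=80 reply-dport=40132 packets=3 bytes=720 [ASSURED] appid=1979 appcatid=2 dpioffload=0x2 conn_fp_id=NOT_OFFLOADED
"""

def parse_event(line: str) -> Dict[str, object]:
    """Split one event into its type, bracket flags ([ASSURED] etc.) and key=value
    fields. packets/bytes occur once per direction, so they get an orig-/reply- prefix."""
    tokens = line.split()
    event = tokens[0].strip("[]")
    flags: List[str] = []
    fields: Dict[str, str] = {}
    direction = "orig"
    for tok in tokens[1:]:
        if tok.startswith("[") and "=" not in tok:   # bare flag, not e.g. microflowid[0]=
            flags.append(tok.strip("[]"))
            continue
        key, _, value = tok.partition("=")
        if key.startswith("reply-"):                 # reply tuple starts here
            direction = "reply"
        if key in ("packets", "bytes"):
            key = f"{direction}-{key}"
        fields[key] = value
    return {"event": event, "flags": flags, "fields": fields}

def summarize_flow(text: str) -> Dict[str, object]:
    """Reconstruct the lifecycle of one flow from its ordered event stream."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    states = [e["fields"]["state"] for e in events if "state" in e["fields"]]
    classified = [e for e in events if e["fields"].get("appid", "0") != "0"]
    destroy = next((e for e in events if e["event"] == "DESTROY"), None)
    f = destroy["fields"] if destroy else {}
    return {
        "states": states,
        "handshake_completed": "ESTABLISHED" in states,
        "classified_at": classified[0]["fields"].get("state") if classified else None,
        "appid": classified[0]["fields"]["appid"] if classified else None,
        "offloaded": any(e["fields"].get("conn_fp_id") not in (None, "NOT_OFFLOADED") for e in events),
        "orig": (int(f.get("orig-packets", 0)), int(f.get("orig-bytes", 0))),    # (packets, bytes)
        "reply": (int(f.get("reply-packets", 0)), int(f.get("reply-bytes", 0))),  # (packets, bytes)
    }
```

    On the trace above this shows a completed handshake, a flow that was never offloaded, classification only at FIN_WAIT, and 302 bytes out against 720 bytes back before teardown.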

  • I tried with ac_atp_exception_fwrules 1 and nothing.
