Anyone successfully running Crashplan backups through an XG?

Question

Greetings! 
 I recently replaced a UTM 120 with an XG 125. Crashplan Pro (usually running on ports 443 and 4242) hasn't worked since. Taking the XG out of the loop allows communication, so it's definitely something with the new unit's config, but even if I allow all traffic out and disable HTTP/HTTPS scanning, it won't communicate. Any suggestions? 
 Thanks, 
 Peter

Joffer · Accepted Answer

Ok so I finally got this working on my side, for Crashplan for Home (v4.5.2). 
 I made a case with Crashplan Support, reffering to this thread as well. This is what I got back: 
 The only FQDN I think you should need is your server address: 
 arb-msp.crashplan.com:4285 
 This is definitely an odd issue, and certainly seems like something to talk to Sophos about. Your firewall shouldn't be blocking things you tell it not to block. 
 I had already created a FQDN Group with all crashplan FQDNs I could find in the logs: 
 
 arb-msp.crashplan.com 
 central.crashplan.com 
 reflector.crashplan.com 
 www.crashplan.com 
 
 I then created a new 'User/Network Rule' like this: 
 Rule Name = CrashPlan 
 Identity 
 
 Match rule based on user Identity = Off 
 
 Source 
 
 Zone = LAN 
 Networks = Any 
 Service = Any 
 Schedule = All The Time 
 
 Destination 
 
 Zone = WAN 
 Networks = FQDNgroup-CrashPlan 
 
 Action = Accept 
 Routing = Default (Masq) 
 Malware Scanning = Default (off) 
 Policy for User Applications 
 
 Application Control = None 
 Web Filter = None <-- THIS NEEDS TO BE TOTALLY DISABLED. "Allow All" doesn't work. 
 Intrusion Prevention = None 
 Traffic Shaping Policy = None 
 
 Log Traffic (optional) 
 Security Heartbeat = Off 
 The most important setting here was that I couldn't connect with Web Filter set to anything but 'None'. Even 'Allow All' didn't work. So it seems to be a bug or problem with the Web Filter . It works with Application Control set to 'Allow All'. 
 I have not investigated other settings, nor removed FQDNs from my FQDN group. Shaping, special ports (only 443 or 4285?) etc could be tested, but nothing I would bother with for my home network. I'm finally getting my computer backed up again after two weeks being blocked.

Joffer · Answer

There is a bug in v16.x which kills the access to Crashplan Central. 
 Forumpost: https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/81482/crashplan-connectivity-issues-with-xg-16/310556?pi2132219853=2&pi2132219849=84 
 tl;dr; Workaround until fixed (maybe need to turn it back on, I don't know): 
 Just log into console and run this 
 console> system application_classification microapp-discovery off

EricWalsh · Answer

You have to creates fqdn host's for the url's CrashPlan in using. You can get the URL from the application by clicking on crashplan central. This does require a little bit of manual management. I create the individual hosts, then add then to a CrashPlan FGDN group. Then apply a LANtoWan policy allowing the group as a destination network and the client will connect.

Per-OlofLitby · Answer

Thanks. 
 Unfortunately that wasn't the problem, I also have a number of interfaces and all of them were checked. I couldn't get the FQDN group policy to resolve the blocking of Crashplan. But after some experimenting I fixed it by creating a policy allowing unrestricted HTTPS access for the server where Crashplan runs. 
 
 This method should be useful in other cases like this [:)]

Shawn Pate · Answer

I created a walk-through for anyone interested: 
 Enable CrashPlan on Sophos Firewall&rsquo;s - Steps 
 
 Disable Microapp Discovery 
 Create FQDN Group 
 Create FQDN&rsquo;s for CrashPlan 
 Create Firewall Rule

Disable Microapp Discovery 
 1.) Connect to the XG firewall via SSH and select option 4 (Device Console) from the menu 
 2.) run this command to disable microapp discovery: system application_classification microapp-discovery off 
 3.) Reboot Firewall 
 
 Create FQDN Group 
 SYSTEM>>> Hosts and Services>>> FQDN Group>>> Add 
 Name: CrashPlan FQDNGroup 
 Description: CrashPlan FQDNGroup 
 
 Create FQDN's for CrashPlan 
 SYSTEM>>> Hosts and Services>>> FQDN Host>>> Add 
 (add each item below) 
 
 Name: CrashPlan www.crashplan.com 
 FQDN: www.crashplan.com 
 FQDN Host Group>>> Add New Item >>> CrashPlan FQDNGroup 
 
 Name: CrashPlan web-bbm-msp.crashplan.com 
 FQDN: web-bbm-msp.crashplan.com 
 FQDN Host Group>>> Add New Item >>> CrashPlan FQDNGroup 
 
 Name: CrashPlan reflector.crashplan.com 
 FQDN: reflector.crashplan.com 
 FQDN Host Group>>> Add New Item >>> CrashPlan FQDNGroup 
 
 Name: CrashPlan edf-sea.crashplan.com 
 FQDN: edf-sea.crashplan.com 
 FQDN Host Group>>> Add New Item >>> CrashPlan FQDNGroup 
 
 Name: CrashPlan cxe-sea.crashplan.com 
 FQDN: cxe-sea.crashplan.com 
 FQDN Host Group>>> Add New Item >>> CrashPlan FQDNGroup 
 
 Name: CrashPlan central.crashplan.com 
 FQDN: central.crashplan.com 
 FQDN Host Group>>> Add New Item >>> CrashPlan FQDNGroup 
 
 Name: CrashPlan arb-msp.crashplan.com 
 FQDN: arb-msp.crashplan.com 
 FQDN Host Group>>> Add New Item >>> CrashPlan FQDNGroup 
 
 Create Firewall Rule 
 PROTECT>>> Firewall>>> Add Firewall Rule>>> User/Network Rule 
 Rule Name: CrashPlan Allow 
 Rule Position: Top 
 
 SOURCE 
 Source Zones* = LAN 
 Source Networks and Devices* = Any 
 
 DESTINATION & SERVICES 
 Destination Zones* = WAN 
 Destination Networks* = CrashPlan FQDNGroup 
 Services* = Any 
 
 IDENTITY 
 Match known users (UNCHECKED) 
 
 MALWARE SCANNING 
 All unchecked 
 
 Leave all other boxes alone and SAVE >>> Finished