
A few open ports

Hey all -

New user here, just deployed XG on a Zotac CI323.  So far, I am very impressed.

I just deployed the XG into my network here.  To do a little checking, I ran an nmap scan from my Macbook while connected to my phone's hotspot so I'd be coming from the outside in to my public IP address on the WAN side.

I seem to have 3 ports open.

21/tcp - FTP

80/tcp - HTTP

1720/tcp - h323q931

Can anyone out here in the forums help me understand why these are open?  My default network rule at the bottom of the stack is Source= Any Zone/Any Host, Destination Any Zone/Any Host, Any Service, Drop and Log

Thanks in advance!

Jesse



  • Default should be Source=Lan/Any Host Dest=WAN/Any Host Accept.  Then just make a non-http business rule for any needed open ports.

    ex.

    Source=WAN/<public ip>/Any Host Dest=LAN/<private IP>/Any Host.  

  • Robert -

    Thank you for the reply, much appreciated.  A few additional thoughts and questions based on your detail.

    1) Are you saying that my default network rule, which is at the bottom of the rule stack, should be LAN/Any -> WAN/Any = Accept?  That, as opposed to how I have it currently, which is Drop.

    a) This would probably make my life a bit easier, granted, but what is best practice?  I haven't found much with respect to best practice, or examples.

    b) This was how I had it initially, but thought if I really wanted as tight of control on my network (in and out) as I could have, then dropping even outbound LAN traffic that wasn't ruled specifically would be the way to do that.  Perhaps it's too tight?

    c) If I switch this rule to Accept, should I apply IPS on this rule as well, at a minimum?  Is it also fair game to apply Application and Web filtering on this rule too, so that any traffic that hits this rule will have those filtering actions taken as well?  I'm guessing yes, but ...

    2) Your sentence about making a non-http business rule - I am confused, so let me clarify.  I currently have no business rule policies defined - at all.  Yet, seemingly out of the box the XG firewall has FTP (21), HTTP (80), and H323 (1720) ports open.  I have not allowed these ports to be open, therefore they should not be open - but they are.  Why is the big question?  Nor, as far as I know, are there any devices on my internal network that would need these ports and given this isn't a consumer grade firewall/router device and lacks UPnP (I assume), then nothing internally should be able to open them anyway.  So, why does Sophos XG firewall, seemingly by default, have these 3 ports open?  Are you recommending that I need to create a business application rule and specifically close/drop those 3 ports?

    Thought I'd share a high-level photo of my rules at this point.  In case it might help.

    Thanks a ton for your help Robert.  I think I'm having a little bit of "switching from consumer grade good enough stuff over to this more robust Sophos XG" learning curve challenges is all. 

    I'd love to find some best practice type document someplace.  Anything out there?

    Jesse

  • OK. If you are trying to block outbound also, that should be correct.  An easy check would be to disable all but the default rule and make sure nothing goes out.  You can then enable only HTTP out.  There are websites that will scan ports on your IP.
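The check both posters describe (scan the WAN address from outside, then compare what nmap reports as open against what the firewall rules are meant to expose) is easy to script so it can be re-run after every rule change. The following is an added example, not code from the thread or from Sophos: it parses nmap's grepable (`-oG`) output and lists every port in state `open` that the WAN-to-LAN policy does not account for. The scan output below is constructed to mirror the three ports in the original post, using an RFC 5737 documentation address in place of the poster's real public IP; `allowed` is an assumed hand-maintained set of (port, protocol) pairs taken from whatever business rules actually publish a service.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -oG - <public-ip>` output for the scenario in the
# thread: three ports reported open on the WAN side, everything else filtered.
# 203.0.113.10 is a documentation address (RFC 5737), not a real host.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -oG - 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 1720/open/tcp//h323q931///\tIgnored State: filtered (997)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Grepable port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


@dataclass(frozen=True, order=True)
class Finding:
    port: int
    proto: str
    state: str
    service: str


def parse_grepable(text):
    """Return {host: [Finding, ...]} from nmap -oG output.

    Only 'Host:' lines that carry a 'Ports:' field are port results; the
    'Status:' line and the '# Nmap' banner lines are skipped.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service = m.groups()
            results.setdefault(host, []).append(
                Finding(int(port), proto, state, service)
            )
    return results


def unexpected_open(findings, allowed):
    """Ports nmap saw as 'open' that no WAN->LAN rule intentionally exposes.

    `allowed` is a set of (port, proto) tuples. Only state 'open' counts:
    'filtered' means the firewall dropped the probe, which is the desired
    result for a default Drop rule, and 'closed' means a RST came back.
    """
    return sorted(
        f for f in findings
        if f.state == "open" and (f.port, f.proto) not in allowed
    )


def audit(text, allowed):
    """Map each scanned host to its list of unexplained open ports."""
    return {
        host: unexpected_open(findings, allowed)
        for host, findings in parse_grepable(text).items()
    }


if __name__ == "__main__":
    # The thread's policy: no WAN->LAN business rules at all, so the allowed
    # set is empty and every open port is a finding to explain.
    for host, bad in audit(SAMPLE_GREPABLE, allowed=set()).items():
        if not bad:
            print(f"{host}: clean, nothing open beyond policy")
            continue
        print(f"{host}: {len(bad)} port(s) open that no rule explains")
        for f in bad:
            print(f"  {f.port}/{f.proto} {f.service}")
```

Run the real scan as `nmap -oG wan.txt -p- <public-ip>` from a network that is genuinely outside (the phone hotspot in the post qualifies) and feed the file to `audit`; after adding a business rule that publishes, say, 443/tcp, put `(443, "tcp")` in `allowed` so only surprises are reported.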
