
XG550 and firmware 16.1 strange issues

Hi all, last week we migrated from Fortigate firewalls to an HA cluster of Sophos XG 550. We actually have a lot of problems. Initially, with HTTP scan and IPS activated on all rules (LAN to WAN, LAN to DMZ, WAN to LAN), we had 50% of all the traffic dropped. So we decided to deactivate all the scans (HTTP, FTP and IPS) temporarily, to allow the users to work.

But with all the scans disabled things are going a little better, but not much... The XG firewalls are randomly isolating a lot of PCs from the network for 15-20 seconds during the day. That happens to me too. For example, I'm browsing the Amazon site and the firewall decides to isolate me from the net; the only hosts I can ping are the hosts on my network and the firewall interface that is my gateway. Unfortunately that is happening on many, many PCs on the network. A lot of workstations on our networks are Citrix Terminal Server thin clients, and on them the session is disconnected frequently.

Someone has the same issue? Thank you,

Matteo

  • Matteo,

    are you using Sophos Heartbeat? Did you enable it in the firewall rules? If you try to ping www.google.com or an external address (by IP), does it work?

    How are the CPU and RAM utilization? How many users are behind the XG?

    Did you clear the ARP table once you swapped from Fortinet to XG (because the virtual MAC address changed from the previous Fortigate cluster)? This is a problem that can occur if you retain the same IP address and do not clear or check the switches' MAC address tables.

    Let us know.

    Thanks

  • Hi, thank you for your answer. No, I'm not using Heartbeat, and at the moment I have no rule with IPS or HTTP/FTP scan because I had too many problems and dropped packets.

    But with IPS disabled i still see packets dropped for:

    fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0
     ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0
     app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0
     max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A

    All rules are "=0".

    CPU=2% Memory=12% so very low.

    I did the change from Fortigate to Sophos during the night between Monday and Tuesday. I haven't reset the ARP table on the switches, but I have read that the ARP table is normally flushed every 4 hours, and today is Friday... (but I will do the reset during lunch time).

    I will update the firewalls from firmware 16.01.1 to 16.01.2 and hope that this will solve some problems, but right now it is really difficult to work.

    We have 400 clients connected internally on different interfaces of the firewall and 350 clients connected from the internet using Citrix Netscaler.

    It happens very often that the firewall excludes a client from the net totally, so from that client you can only ping the firewall interface and other clients on the same network, or sometimes this client can ping other networks but cannot do DNS requests.

    Thanks for your help,

    Matteo
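A small parser for the drop-record format quoted above, added here as an illustration; it is not part of the thread and not Sophos tooling. The sample input is constructed: the first record reproduces the all-zero dump from the post, the second is an invented record with a rule id, an IPS id and connection counters set. The reading that fw_rule_id=0 marks a drop not attributed to any configured rule, and the grouping of "enforcement" fields, are assumptions of this example, not something the thread or Sophos documentation states:

```python
import re
from typing import Dict, List, Optional

# Constructed sample input. The first record reproduces the all-zero field
# dump quoted in the thread (wrapped across indented continuation lines);
# the second record is invented to show what an attributed drop looks like.
SAMPLE_DROP_LOG = """\
fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0
 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0
 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0
 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A
fw_rule_id=12 policytype=1 live_userid=0 userid=0 user_gp=0
 ips_id=3 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0
 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0
 max_session_bytes=0 drop_fix=0 ctflags=0 connid=4711 masterid=0 status=0 state=0 sent_pkts=10 recv_pkts=8 sent_bytes=1200 recv_bytes=900
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

# Fields that, when non-zero, point at the feature that handled the flow.
# This grouping is an assumption of the example, not Sophos documentation.
ENFORCEMENT_FIELDS = ("ips_id", "web_filter_id", "app_filter_id", "icap_id",
                      "sslvpn_id", "hb_src", "hb_dst")


def parse_value(raw: str) -> Optional[int]:
    """Turn one field value into an int; 'N/A' becomes None.

    Base 0 lets int() accept both decimal ('12') and hex ('0x0') forms.
    """
    if raw == "N/A":
        return None
    return int(raw, 0)


def parse_drop_records(text: str) -> List[Dict[str, Optional[int]]]:
    """Split the dump into records: an unindented line starts a new record,
    indented lines continue the current one."""
    records: List[Dict[str, Optional[int]]] = []
    current: Optional[Dict[str, Optional[int]]] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = {}
            records.append(current)
        if current is None:
            raise ValueError("continuation line before any record: %r" % line)
        for key, raw in KV_RE.findall(line):
            current[key] = parse_value(raw)
    return records


def classify(record: Dict[str, Optional[int]]) -> Dict[str, object]:
    """Describe what a record can and cannot tell the administrator.

    Interpretation (an assumption of this example): fw_rule_id=0 means the
    drop is not attributed to any configured firewall rule, and connid=0
    with N/A counters means there was no tracked connection behind it.
    """
    rule_id = record.get("fw_rule_id") or 0
    active = [k for k in ENFORCEMENT_FIELDS if record.get(k)]
    tracked = bool(record.get("connid")) and record.get("sent_pkts") is not None
    return {
        "rule_matched": rule_id != 0,
        "fw_rule_id": rule_id,
        "active_features": active,
        "tracked_connection": tracked,
    }


def summarize(text: str) -> Dict[str, int]:
    """Count how many drops can be traced to a rule or feature at all."""
    results = [classify(r) for r in parse_drop_records(text)]
    unattributed = sum(
        1 for c in results
        if not c["rule_matched"] and not c["active_features"]
    )
    return {"records": len(results), "unattributed": unattributed}


if __name__ == "__main__":
    for rec in parse_drop_records(SAMPLE_DROP_LOG):
        print(classify(rec))
    print(summarize(SAMPLE_DROP_LOG))
```

Run it against a dump saved from the console. The point it makes is the one the thread arrives at: an all-zero record like the first one cannot be traced to any rule or inspection feature, so the cause has to be looked for elsewhere, such as stale ARP or MAC address table entries on the switches after the cluster swap.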

  • How are your clients accessing the XG? Are you using the clientless setup? If so, do you have enough activated addresses?

    Scanning doesn't seem to affect performance from my limited experience; the IPS plays havoc with throughput. You can't fine-tune the IPS by turning off false positives, which can also cause problems.

    In IPS you need to go to DoS attacks and disable all.

    What firewall rules do you have in place?

  • Matteo,

    your XG550 has enough HW resources to manage your environment. If you have access to the switches, check the ARP table or reboot the switches. As suggested, check the DoS protection from the command line: system dos (it should be the command; I am out of the office).

    Thanks
