Edit zone LAN or add protocol to zone

Hello,

I think I have figured out why my Samsung J5100 Blu-Ray is having issues setting its time. I need to add NTP to zone LAN.

Under Network and Zones, for LAN it lists these:

Ping/Ping6, HTTPS, SSH, DNS, Captive Portal, Radius SSO, Wireless Protection, SSL VPN, Web Proxy, User Portal, Dynamic Routing, Client Authentication, SMTP Relay, SNMP

This is the default out of the box / install. How do I edit the zone LAN to add the NTP time protocol?

The Blu-ray player wants to go out some place on the Internet to time sync, but I cannot view that address in the Samsung config settings.

Chad



  • Chad,

    you need to create a proper firewall rule where you allow your BluRay player to sync with the public NTP server. Create a LAN to WAN firewall rule where only the BluRay player is authorized to update from the public NTP server (here put the NTP server that must be allowed).

    The services you find under Device Access are services used by XG itself. For example allow to connect to XG using SSH from VPN zone.

    Regards

  • Hello,

    Sorry to say I am a little lost, trying to deprogram my brain from thinking in terms of how UTM did things to XG.

    So I need to make an IP host for the Blu-Ray player?

    I was hoping just to create a rule that allowed NTP (port 123), and from what I read in an Internet post for the Blu-ray, I also needed to have port 59000 open as well (UDP ports 123 and 59000). So I thought I would create a service / protocol for UDP 59000 and NTP and have the firewall allow it out for any and all LAN devices to be able to send out and time sync via NTP.

    How would I add an object for port 59000? So I can add the service or port 59000 to a rule?

    Would this be a rule to allow any LAN device to pull / update time from any time server on the web?

    So I am under firewall,

    1. Add firewall rule,

    2. User / Network rule

    3. rule name - NTP

    4. source zones - LAN

    5. source Networks and Devices - Any

    6. Duration - all the time

    Destination and services

    7. Destination Zone - WAN

    8. Destination Networks - Any

    9. Services - NTP

    (I might also need port 59000 open, per one post from a guy who did a packet capture to figure out his Blu-Ray issue and said he had to open up both 123 and 59000 for the Samsung to sync up its time. Also, from the Blu-ray player you do not know and cannot see or point it to a time server on the net. You have to look at the firewall logs to try to find it. My cheap Linksys backup router lets the Blu-ray sync fine and work, so it is just a matter of getting the rules right and the needed ports open.)

    10. Identity section ???? - I have set to Any

    11. Malware scanning is not checked for now.

    12. Advanced Section - Recommended settings to use?

    13. NAT and Routing has Rewrite source address (Masquerading) checked

    14. I have log traffic checked.

    create a proper firewall rule where you allow your BluRay player to sync with the public NTP server. Create a LAN to WAN firewall rule where only the BluRay player is authorized to update from the public NTP server (here put the NTP server that must be allowed).

    The services you find under Device Access are services used by XG itself. For example allow to connect to XG using SSH from VPN zone.

    Otherwise, if you have time, what or how would you configure the rule and what would the steps be?

    Once I get a basic working rule for one thing figured out, I can model off it to set up new ones; that is how I learned to do my port forwarding rules and NAT rules to servers behind the UTM.

    I will do more reading in the book. By the way, I am running the SFVH (SFOS 16.01.2) of XG.

    Chad

  • Chad,

    you should always create a restrictive rule as a best practice.

    So create the BluRay device IP as clientless or as a host, and then create the firewall rule where you allow the LAN zone, where the network object is the BluRay device, to the WAN zone, where the network objects are the public NTP servers (even here, create a host object for each NTP server IP/DNS name).

    Regards,

  • Hello,

    I agree, a rule for each device and for each NTP server on the Internet. The only thing is I do not know which public NTP server on the net the Blu-ray is trying to access. So as a quick fix, I thought to just make a global NTP rule to allow all hosts out to do NTP. Then once I know what these are I can create the objects and add more specific rules. And yes, as they say, open and allow only what needs to be and close / deny all the rest.

    By the way, per what I wrote for making my global rule to allow any internal host out to the web for NTP, are the noted settings correct for the rule, or what might need to be changed to allow anything on the LAN to go out for NTP sync?

    Since I only have Netflix and Prime for TV at my home, and I suppose the logging turned on and some things I tried on the XG yesterday, even my old Blu-Ray players with Netflix were having issues and not able to stream Netflix. I connected to the service and saw the choices and my list, and it would start to buffer and stream the data; it would just go for a few moments and then stop, saying there is an issue streaming that program. But flipping to the Linksys it worked without an issue. So something was causing too much delay on the streaming. I have read where the VM machines of XG can have some slowdowns or delays causing some things to time out. I put my Linksys home router device in place of the XG for testing and so I could watch movies, and everything worked just fine.

    I am planning to figure out how to have the Samsung Blu-Ray run over the Linksys through the modem and then the rest of my LAN run through the XG. (I understand, I think, AT&T allows 6 devices on the modem and you get 6 IP addresses from them, so I might be able to isolate things.) I need to see if my VLANs on the XG will work, and I did set management to be allowed from all interfaces except WAN, so I can maybe run the two in parallel with just the Blu-Ray going over the Linksys as a temp workaround, so I can still manage the XG and do testing with it. Sadly the management of both devices is on 192.168.2.1, since I wanted the Linksys home router to be a drop-in fit as an emergency backup to the UTM / XG system. Less on my days off where I am not watching TV, I can flip back to XG and do testing and then if needed flip back to the home router.

    By the way, I am running ESXi 5.5 on an HP ML370 Gen 5, dual quad core system, I think CPUs running at 2.3 GHz. I have the XG running on my solid state RAID 5 volume with one core and 6 megs RAM. I would think this would not cause as much delay. The ESXi OS is on a separate 500 gig mirror volume and the rest of the VMs are on a separate 5.5 gig RAID 5 volume and on a different RAID controller. I have 2 separate controllers per drive cage. I don't have many cores to spare for all my VMs, so I am sure not having 4 cores on the XG VM can be a factor. When I get the rules and settings all figured out and working I might move the XG to one of my Gen 6 or Gen 7 servers that are dual quad core. Though only 1 CPU will be used, it's a backup CPU in the system, so I guess it could fail over to it.

    Chad
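The thread's recommended path is to find the NTP destinations in the firewall logs first, then build the restrictive rule (one host object for the player, one host object per NTP server, only the needed services) instead of a LAN-to-WAN "Any" rule. The following is an added Python example, not code from the thread and not Sophos code: it mines constructed key=value log lines for the NTP-port destinations one internal host is contacting, emits the host objects and rule fields from the step list above, and flags any field still left at "Any". The key=value log layout, the object names, and the 192.168.2.50 / 203.0.113.x addresses are assumptions made for the example; adapt the field names to whatever your firewall actually exports.

```python
"""
Added example (not from the Sophos forum thread): mine firewall log lines for the
NTP destinations an internal device is actually contacting, then emit the objects
and the restrictive LAN->WAN rule the reply recommends.

The log lines below are constructed for this example. Their key=value layout is
an assumption made here; adapt the field names to your firewall's log export.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real Sophos output). The player is assumed
# to sit at 192.168.2.50; the other hosts are noise to show the filter works.
SAMPLE_LOG = """\
date=2017-01-10 time=19:02:11 log_subtype="Denied" src_ip=192.168.2.50 dst_ip=203.0.113.7 protocol="UDP" src_port=51234 dst_port=123
date=2017-01-10 time=19:02:11 log_subtype="Denied" src_ip=192.168.2.50 dst_ip=203.0.113.7 protocol="UDP" src_port=51235 dst_port=59000
date=2017-01-10 time=19:02:14 log_subtype="Allowed" src_ip=192.168.2.20 dst_ip=198.51.100.9 protocol="TCP" src_port=44000 dst_port=443
date=2017-01-10 time=19:02:15 log_subtype="Denied" src_ip=192.168.2.50 dst_ip=203.0.113.8 protocol="UDP" src_port=51236 dst_port=123
date=2017-01-10 time=19:02:16 log_subtype="Denied" src_ip=192.168.2.50 dst_ip=203.0.113.7 protocol="UDP" src_port=51237 dst_port=123
date=2017-01-10 time=19:02:20 log_subtype="Denied" src_ip=192.168.2.21 dst_ip=203.0.113.9 protocol="UDP" src_port=40000 dst_port=123
"""

# Ports named in the thread for the Samsung player: NTP plus the extra 59000.
NTP_PORTS = {123, 59000}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def ntp_destinations(log_text, src_ip):
    """Map dst_ip -> sorted UDP ports that src_ip tried to reach on NTP-ish ports."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("src_ip") != src_ip or rec.get("protocol") != "UDP":
            continue
        port = int(rec.get("dst_port", 0))
        if port in NTP_PORTS:
            found[rec["dst_ip"]].add(port)
    return {ip: sorted(ports) for ip, ports in found.items()}


def build_rule(player_ip, destinations, rule_name="NTP-BluRay"):
    """Return (host objects, rule fields) for a restrictive per-host, per-server rule.

    Object names are hypothetical; the rule fields mirror the thread's step list
    (source zone LAN, destination zone WAN, masquerading and logging on).
    """
    hosts = {"BluRay-Player": player_ip}
    for i, ip in enumerate(sorted(destinations), start=1):
        hosts[f"NTP-Server-{i}"] = ip
    ports = sorted({p for ps in destinations.values() for p in ps})
    rule = {
        "name": rule_name,
        "source_zone": "LAN",
        "source_networks": ["BluRay-Player"],
        "destination_zone": "WAN",
        "destination_networks": [n for n in hosts if n.startswith("NTP-Server-")],
        "services": [f"UDP/{p}" for p in ports],
        "action": "Allow",
        "masquerade": True,
        "log_traffic": True,
    }
    return hosts, rule


def permissive_fields(rule):
    """Least-privilege check: name the rule fields left at 'Any' or empty."""
    return [k for k in ("source_networks", "destination_networks", "services")
            if rule[k] == ["Any"] or not rule[k]]


if __name__ == "__main__":
    dests = ntp_destinations(SAMPLE_LOG, "192.168.2.50")
    hosts, rule = build_rule("192.168.2.50", dests)
    print("NTP destinations seen:", dests)
    print("Host objects to create:", hosts)
    print("Rule:", rule)
    print("Fields still at Any:", permissive_fields(rule) or "none")
```

Run it against an export of the denied-traffic log while the player is trying to sync; once the destinations are known, the emitted host objects and service list are exactly what the reply asks for, and the "Any" check is what turns the interim global rule into the restrictive one.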