Trying to enable multiple port forwarding to DVR/webserver

Dan,

for DVR you should DNAT and not Web Server (WAF). WAF is a module used to protect web server (80/443) that uses real web server components (iis, apache, tomcat) because there are filters build to protect those components (I do not want to go in deep into explaining how WAF module works).

Anyway you need to open the ports required by the DVR using DNAT template.

Can you share how did you open the DNAT? Please post screenshots.

Regards,

Here are the screenshots of the DNAT. I have two WAN Gateways (originally configured in Active/Backup), and I tried changing them to Active/Active (weighted 100 to 1 so the majority of traffic goes out the primary gateway) and using the DNAT to the second gateway, when I couldn't get it to work on the primary gateway and it still doesn't work. I've tried just about everything I can think of, so any help would be greatly appreciated!

Thanks Dan. Which Gateway is using the security zone where the DVR is attached?

Also the PORT 4 does not any Public IP address?

The Security zone isn't attached to either Gateway; it's a VLAN behind the firewall.

Port 4 does have a public IP, I just removed it from the pictures.

Thanks!

Dan

Ok. Is the XG able to ping the dvr? And viceversa? Make sure that XG knows how to reach that vlan.

Yes, I've confirmed connectivity to/from the DVR to the XG. I don't understand why after implementing these rules a port scan still shows the ports as being closed. Any thoughts?

Thanks - any input is appreciated.

Regards,
Dan

Port scan can be blocked by XG. Try a telnet on those ports.

Who is managing the vlan? Also try to access the required ports externally while you are using the command drop-packet capture from XG console.

Thanks

I manage the network. I was assuming that the port scanners showing the ports closed where correct, since the DVR app won't connect either. I'll connect to another network and verify with telnet.

Thanks

I verified remotely last night, using telnet, that the ports I designated using the DNAT rules are not open.  So apparently the issue isn't with my rules; the XG just isn't opening the ports. I'm going to try a reboot after hours tonight and re-test. If the DNAT rules still aren't working then I'll open up a case with support and hope someone gets back to me who can actually help resolve the issue. I'll update if I get a resolution. Thanks for your input.

Dan,

send me a PM and I will try to help you.

Regards

I have connected to Dan Environment and all the BAR were correclty configured. No mistakes. Dan did not try for a couple of days (it was not working 2 days ago) and magically the XG started to forwarded the traffic from WAN to DVR Device.

It is strange. I remember another guy on the community having the same issue and only after a couple of day XG started to allow traffic from WAN.

I told to Dan to turn the BAR off and on again and test if the traffic is allowed. The other advice was to open a ticket with Sophos Support.

Thanks again to Luk for taking a look. I don't know why, but now the DNAT is working as intended. Last time I tested was on Wednesday and it wasn't working so I reverted my DVR to the old network until I could get this resolved. Then today when Luk logged in I switched the DVR back to the new network and everything is working. Now I know how my users feel when I come to investigate an issue and the computer is no longer acting up! 

I did try disabling and re-enabling the DNAT rules and no change; the firewall is still allowing the traffic. I can open a ticket, but I'm not sure what Sophos support could tell me at this point.

Thanks again to Luk for taking a look. I don't know why, but now the DNAT is working as intended. Last time I tested was on Wednesday and it wasn't working so I reverted my DVR to the old network until I could get this resolved. Then today when Luk logged in I switched the DVR back to the new network and everything is working. Now I know how my users feel when I come to investigate an issue and the computer is no longer acting up! 

I did try disabling and re-enabling the DNAT rules and no change; the firewall is still allowing the traffic. I can open a ticket, but I'm not sure what Sophos support could tell me at this point.