WebEx Audio

Hello,

 

I just encountered a problem when using WebEx with the Sophos XG Firewall.

I have a policy that allows all outgoing traffic from LAN to WAN and the intrusion prevention is set to "LAN to WAN".

 

I can connect to a WebEx meeting, but when I am joining the conference via PC, the audio is not working properly.

At the beginning the participants can hear me and I can hear them, but after a few seconds I cannot hear them and they cannot hear me.

So this behaviour is going on and on. It's always switching between dead communication and working communication.

 

I tried updating the audio driver, changing the headset ..., but I finally ended up disabling the Intrusion Prevention, and then it seems to work.

I also added an Exception for web filtering (HTTPS Decryption, Malware Scanning, Sandstorm, Policy Checks), for the following matching domains:

^([A-Za-z0-9.-]*\.)?ciscowebex\.com\.?/
^([A-Za-z0-9.-]*\.)?omtrdc\.com\.?/
^([A-Za-z0-9.-]*\.)?webex\.com\.?/
^([A-Za-z0-9.-]*\.)?webexconnect\.com\.?/
 
This did not have any influence.
Can you please explain what exactly the intrusion prevention is trying to do and how can I disable it for only the WebEx meeting?
Or maybe there is another solution to solve this problem?
 
Thanks,
caldi
 


  • Caldi,

    If you are using LAN to WAN, then while you are trying to have a WebEx, have a look at the IPS logs on the XG and see the IPS rule and signature matched, so you can write it down and remove it from the LAN to WAN IPS rule.

    Regards

  • Luk,

    thanks for your quick reply.

    I just saw a typo in my original post. The intrusion prevention was set to "WAN to LAN" in the policy that allows all outgoing traffic.

    I will activate this setting again and log the traffic with filter for ips.

    Just to avoid misunderstandings: adding an exception for the web filtering is the right action, but I have added the wrong URLs to that exception?

    One additional question (maybe a little bit off topic):

    Would you recommend enabling the intrusion policy at all for the outgoing rule?

    Besides two VPN rules, there is only one further rule (business application rule) allowing some AWS server to connect to a MySQL Database within the LAN. For this rule the same intrusion prevention "WAN to LAN" is enabled.

    Thanks for your help

    Caldi

  • Caldi,

    If the IPS is blocking the traffic, the web exception will not work, because it is the IPS engine that is blocking your traffic.

    Proceed with the IPS log and remove the signature that is blocking the traffic.

    Regards

  • Hello Luk,

     

    As you suggested, I enabled the intrusion prevention (WAN to LAN) again, joined a WebEx meeting and called in via PC.

    I looked into the Sophos Log Viewer and saw the following entries:

    2017-03-08 12:06:50 | Signatures | Drop | - | 10.0.0.118 :UDP (50975) | 62.109.234.120 :UDP (9000) | 1100016 | LOIC DoS Tool (UDP Traffic) | Web Services and Applications | Windows | Server | 1 | 07002
    2017-03-08 12:05:57 | Signatures | Drop | - | 10.0.0.118 :UDP (58124) | 62.109.234.120 :UDP (9000) | 1100016 | LOIC DoS Tool (UDP Traffic) | Web Services and Applications | Windows | Server | 1 | 07002
    2017-03-08 12:05:57 | Signatures | Drop | - | 10.0.0.118 :UDP (58124) | 62.109.234.120 :UDP (9000) | 1100016 | LOIC DoS Tool (UDP Traffic) | Web Services and Applications | Windows | Server | 1 | 07002
    2017-03-08 12:05:57 | Signatures | Drop | - | 10.0.0.118 :UDP (58124) | 62.109.234.120 :UDP (9000) | 1100016 | LOIC DoS Tool (UDP Traffic) | Web Services and Applications | Windows | Server | 1 | 07002
    2017-03-08 12:05:57 | Signatures | Drop | - | 10.0.0.118 :UDP (58124) | 62.109.234.120 :UDP (9000) | 1100016 | LOIC DoS Tool (UDP Traffic) | Web Services and Applications | Windows | Server | 1 | 07002
    2017-03-08 12:05:57 | Signatures | Drop | - | 10.0.0.118 :UDP (58124) | 62.109.234.120 :UDP (9000) | 1100016 | LOIC DoS Tool (UDP Traffic) | Web Services and Applications | Windows | Server | 1 | 07002


    I am afraid that the destination IP is not constant. I also saw some log statements with the same signature from the last two days (where I was using WebEx). For each day/webex meeting the destination IP is different.

    The local IP of my machine is 10.0.0.118.

     

    Could you please advise how to allow this signature? I am quite new to Sophos firewalls; I was using Fortinets ...

    If I understood you right, I have to add a new IPS Signature (Intrusion Prevention -> Custom IPS Signature)?

    But what should the rule look like? Should I use the port, as this seems to be constant? Or do you think it's safe to use the destination IP address?

     

    Again, thanks for your help

    caldi
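
An added example, not part of the original thread: a small Python parser for rows copied out of the Log Viewer (fields separated by newlines or `|`) that groups the drops by signature, client and destination port, so it is clear what an exception would have to cover. The field positions, the function names and the third sample row (198.51.100.20) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
ENDPOINT = re.compile(r"^(\S+)\s*:(\w+)\s*\((\d+)\)$")   # "10.0.0.118 :UDP (50975)"

def flat_row(ts, src_port, dst_ip):
    """Build one row, one field per line, in the field order seen in the post."""
    return "\n".join([ts, "Signatures", "Drop", "-", f"10.0.0.118 :UDP ({src_port})",
                      f"{dst_ip} :UDP (9000)", "1100016", "LOIC DoS Tool (UDP Traffic)",
                      "Web Services and Applications", "Windows", "Server", "1", "07002"])

# Rows 1-2 carry values from the post; row 3 is CONSTRUCTED (documentation
# address) to stand in for a meeting on another day with a different media IP.
SAMPLE = "\n".join([flat_row("2017-03-08 12:06:50", 50975, "62.109.234.120"),
                    flat_row("2017-03-08 12:05:57", 58124, "62.109.234.120"),
                    flat_row("2017-03-07 09:30:00", 51000, "198.51.100.20")])

def parse(text):
    """Split pasted rows (fields separated by newlines or '|') into records."""
    rows, cur = [], None
    for field in (t.strip() for t in re.split(r"[|\n]", text)):
        if TS.match(field):          # a timestamp starts a new record
            cur = [field]
            rows.append(cur)
        elif cur is not None and field:
            cur.append(field)
    out = []
    for f in (r for r in rows if len(r) >= 8):    # skip truncated rows
        src, dst = ENDPOINT.match(f[4]), ENDPOINT.match(f[5])
        if src and dst:                            # skip malformed endpoints
            out.append({"time": f[0], "action": f[2], "sig_id": f[6],
                        "sig_name": f[7], "src_ip": src[1], "src_port": int(src[3]),
                        "proto": dst[2], "dst_ip": dst[1], "dst_port": int(dst[3])})
    return out

def summarize(records):
    """Group drops by (signature id, name, client, protocol, destination port)."""
    groups = defaultdict(lambda: {"drops": 0, "dst_ips": set(), "src_ports": set()})
    for r in records:
        if r["action"] == "Drop":
            key = (r["sig_id"], r["sig_name"], r["src_ip"], r["proto"], r["dst_port"])
            groups[key]["drops"] += 1
            groups[key]["dst_ips"].add(r["dst_ip"])
            groups[key]["src_ports"].add(r["src_port"])
    return dict(groups)

if __name__ == "__main__":
    for key, g in summarize(parse(SAMPLE)).items():
        print(key, g["drops"], sorted(g["dst_ips"]), sorted(g["src_ports"]))
```

A single group with one client, one destination port and several destination IPs shows that all drops come from the same signature and that the destination address is not a stable value to match on.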

  • Could anybody please give me a hint how to create the right signature? - thanks

  • Today is the first time using WebEx with the new XG firewall.

    In the log viewer it shows under IPS - Signature Name - LOIC DoS Tool (UDP Traffic)

    Then, to allow this: PROTECT > INTRUSION PROTECTION > IPS POLICIES > whatever policy name you use > ADD, and allow the packets for LOIC DoS Tool (UDP Traffic).

     

    Before doing this I could listen to a WebEx without issue, but as soon as I tried to speak all audio would be blocked. (both in and out)

    I am also new to XG firewall and would like to know if a 'Custom IPS Signature' specific for WebEx is achievable

    I've set up the following but not sure when I can test.

    Custom Rule contains:

    content:"webex.com";srcport:53;srcport:1270;srcport:5101;srcport:8554;srcport:7500;srcport:7501;srcport:9000;srcport:9001;

    based on https://it.cornell.edu/webex/webex-technical-requirements

    Then added this to my policy.

     

    Edit:

    Definitely going the FQDN/new rule route

    https://community.sophos.com/kb/en-us/123035 

  • Hello,

    thanks for your help and sorry for my late reply.

     

    I still feel a little bit alienated.
    I was using the default LAN TO WAN policy. I cannot edit this policy.

    So I created a new policy based on the LAN TO WAN.
    There are several rules applied to this policy. The first one is "Browsers_Officetools_Multimedia_VOIP and Instant Messaging".

    Sounds good to me. I am not sure if I have to check or uncheck the LOIC DOS Tool (UDP) signature for this rule?
    Is it enough to check (or uncheck) the signature for this rule? Or must this be done for every rule within the policy?

    Thanks.