
Firewall policies not applying NAT to traffic

I'm having some real issues on a Sophos XG210 getting traffic to be matched by a full firewall rule.

I have several networks which are routed at L3 on an EX3300 switch. The switch passes the traffic up to the XG210 where it should then get evaluated and forwarded/dropped out of the required gateways.

For most traffic this works. However there are a number of instances where the firewall is not matching the traffic to the rules created. 

I have one rule:

<SecurityPolicy transactionid="">
  <Name>1-ADMIN_V4</Name>
  <Description>Devices on ADMIN_V4 subnet outbound access</Description>
  <IPFamily>IPv4</IPFamily>
  <Status>Enable</Status>
  <Position>After</Position>
  <PolicyType>User</PolicyType>
  <After>
    <Name>Latitude Routing</Name>
  </After>
  <SourceZones>
    <Zone>LAN</Zone>
  </SourceZones>
  <DestinationZones>
    <Zone>WAN</Zone>
  </DestinationZones>
  <Schedule>All The Time</Schedule>
  <LogTraffic>Enable</LogTraffic>
  <Action>Accept</Action>
  <MatchIdentity>Enable</MatchIdentity>
  <ShowCaptivePortal>Disable</ShowCaptivePortal>
  <ScanFTP>Enable</ScanFTP>
  <ScanHTTP>Disable</ScanHTTP>
  <ScanHTTPS>Disable</ScanHTTPS>
  <Sandstorm>Disable</Sandstorm>
  <DataAccounting>Disable</DataAccounting>
  <PrimaryGateway>CELLweaver</PrimaryGateway>
  <RewriteSourceAddress>2</RewriteSourceAddress>
  <DSCPMarking>-1</DSCPMarking>
  <ApplicationControl>Allow All</ApplicationControl>
  <ApplicationControlInternetScheme>Disable</ApplicationControlInternetScheme>
  <ApplicationBaseQoSPolicy>Revoke</ApplicationBaseQoSPolicy>
  <WebFilter>Allow All</WebFilter>
  <WebFilterInternetScheme>Disable</WebFilterInternetScheme>
  <WebCategoryBaseQoSPolicy>Revoke</WebCategoryBaseQoSPolicy>
  <IntrusionPrevention>LAN TO WAN</IntrusionPrevention>
  <TrafficShappingPolicy>None</TrafficShappingPolicy>
  <SourceSecurityHeartbeat>Disable</SourceSecurityHeartbeat>
  <MinimumSourceHBPermitted>No Restriction</MinimumSourceHBPermitted>
  <DestSecurityHeartbeat>Disable</DestSecurityHeartbeat>
  <MinimumDestinationHBPermitted>No Restriction</MinimumDestinationHBPermitted>
  <SourceNetworks>
    <Network>1-ADMIN_V4</Network>
  </SourceNetworks>
  <Identity>
    <Member>group1</Member>
    <Member>group2</Member>
    <Member>group3</Member>
    <Member>group4</Member>
    <Member>group5</Member>
  </Identity>
  <BackupGateway>VSAT via ISR881</BackupGateway>
</SecurityPolicy>

I can route the traffic via my various gateways without issue which suggests the rule is being applied. However, the rule refuses to apply the NAT policy. I have tried EVERY option on NAT policies, MASQ, GatewaySpecific, Override and none of them work.

For example, if I start a ping out to 8.8.8.8, I can read a tcpdump showing the unNATed address being sent to the gateway. The gateway doesn't deal with routing so I never get a reply.

This behaviour seems sticky to machines. Machines that have been on this VLAN but are switched to a new network keep the same behaviour which potentially suggests user issue. All devices have DHCPres with clientless users attached to those addresses.

On top of that, I've got the same behaviour from any devices but only for communication with Apple addresses/ports and NTP. Finally I've got the local interface of a different WAN gateway also sending traffic via this gateway, even when I have this specifically blocked in a rule.

I'm at a loss.

EDIT: It's only some traffic that doesn't get picked up by the rule. For example, when running an 8.8.8.8 ping from one of the machines in question and running a log viewer filter for dst host 8.8.8.8 I do not see the packet. It is visible in a tcpdump in its unNATed state along with the port keepalives:

Port3, OUT: IP 172.20.x.y > 8.8.8.8: ICMP echo request, id 1, seq 1054, length 40
Port3, OUT: IP 172.20.x.y > 8.8.8.8: ICMP echo request, id 1, seq 1055, length 40
Port3, OUT: IP 172.20.x.y > 8.8.8.8: ICMP echo request, id 4, seq 1, length 192
Port3, OUT: IP 172.20.x.y > 8.8.8.8: ICMP echo request, id 4, seq 2, length 192
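The tcpdump lines above are the evidence the poster is working from: packets leaving the gateway-facing port that still carry their LAN source address. A quick way to make that check systematic across a longer capture is to parse the lines and flag every outbound packet on a WAN-facing interface whose source is still in RFC 1918 space while its destination is not. The script below is an added example, not something from the post or from Sophos; it assumes Port3 is the interface towards the WAN gateway, the tcpdump line shape is the one shown above, and the addresses in the sample capture are constructed (the post masks them as 172.20.x.y).

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges. A packet leaving a WAN-facing port with one of these as its
# source is exactly the symptom in the post: the rule forwarded it but never
# rewrote the source address.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The line shape shown in the post: "<interface>, <IN|OUT>: IP <src>[.<port>] >
# <dst>[.<port>]: <protocol summary>". IPv4 only; IPv6 and non-IP lines are skipped.
LINE_RE = re.compile(
    r"^(?P<port>[^,]+),\s*(?P<dir>IN|OUT):\s*IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s*>\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s*(?P<summary>.*)$"
)


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify_proto(summary):
    # tcpdump prints "ICMP ..." / "UDP, ..." for those protocols and opens TCP
    # records with "Flags [..]"; anything else is lumped together.
    if summary.startswith("ICMP"):
        return "ICMP"
    if summary.startswith("UDP"):
        return "UDP"
    if summary.startswith("Flags"):
        return "TCP"
    return "OTHER"


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not an IPv4 record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = classify_proto(rec["summary"])
    return rec


def find_unnatted(capture, wan_ports):
    """Return outbound records on WAN-facing ports whose source is still RFC 1918
    and whose destination is outside RFC 1918, i.e. traffic the rule should have
    source-NATed and did not."""
    findings = []
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] not in wan_ports or rec["dir"] != "OUT":
            continue
        if is_rfc1918(rec["src"]) and not is_rfc1918(rec["dst"]):
            findings.append(rec)
    return findings


def summarize(findings):
    """Count leaked packets per (src, dst, proto[/dport]) so a pattern such as
    'only ICMP to 8.8.8.8 and NTP' is visible at a glance."""
    counts = Counter()
    for f in findings:
        proto = f["proto"] + (f"/{f['dport']}" if f["dport"] else "")
        counts[(f["src"], f["dst"], proto)] += 1
    return dict(counts)


# Constructed sample capture (addresses are made up, not taken from the post).
# Port3 is assumed to be the interface towards the WAN gateway; the 203.0.113.7
# lines show what a correctly source-NATed flow looks like by contrast.
SAMPLE_CAPTURE = """\
Port3, OUT: IP 172.20.10.5 > 8.8.8.8: ICMP echo request, id 1, seq 1054, length 40
Port3, OUT: IP 172.20.10.5 > 8.8.8.8: ICMP echo request, id 1, seq 1055, length 40
Port3, OUT: IP 172.20.10.5.50123 > 8.8.8.8.123: UDP, length 48
Port3, OUT: IP 203.0.113.7.44120 > 8.8.8.8.443: Flags [S], seq 1, win 64240, length 0
Port3, IN: IP 8.8.8.8 > 203.0.113.7: ICMP echo reply, id 9, seq 1, length 40
Port1, OUT: IP 172.20.10.5 > 172.20.20.9: ICMP echo request, id 2, seq 1, length 40
"""

if __name__ == "__main__":
    hits = find_unnatted(SAMPLE_CAPTURE, wan_ports={"Port3"})
    for (src, dst, proto), n in sorted(summarize(hits).items()):
        print(f"{n:3d}  {src} -> {dst}  {proto}")
```

Run it against a real capture by feeding the tcpdump text into find_unnatted with the set of WAN-facing port names; anything it reports is traffic that left towards the gateway un-NATed, and grouping by protocol and destination port makes it easy to see whether the leak is limited to particular services (ICMP, NTP) as the post describes, which is the first thing to line up against the rule's NAT settings and the log viewer.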


 


