Unable to route traffic from Sophos Virtual XG firewall in VMware ESxi

Danish,

please provide a network diagram.

Regards

Dear team ,

Hope you doing well, Thanks for prompt response.

Hardware information.

Internet Service provider modem QTY :1

Switch                                     QTY :1

HP Proliant DL380 G7                 QTY :1

Platform VMware ESXi 6.0 on HP Proliant DL380 G7

ESXi console IP address 192.168.0.200 255.255.255.0 

Gateway 192.168.0.1

Virtual XG Firewall (Gateway mode)

Console acces address https://192.168.0.201:4444

Port A is LAN port IP address  192.168.0.201   // 255.255.255.0

Port B is WAN port IP address assigned by Modem through DHCP

Firewall Role

LAN to WAN  

Default work policy

Regards

Muhammad Danish Saleem

Danish,

if you configure a static IP on a client behind XG (network 192.168.0.0/24 where DG is 192.168.0.201), is the computer able to surf?

Make sure that "match know users" inside the LAN to WAN firewall rule is unchecked.

Thanks

Dear lferrara,

I have also tried on client site through static IP like 192.168.0.18/25 gateway 192.168.0.201 but client unable to surf.

Is their any changes required on WAN modem configuration?

Please if you have some time to take remote session for checking Virtual firewall?

Regards 

Muhammad Danish Saleem

Dear lferrara,

I have also tried on client site through static IP like 192.168.0.18/25 gateway 192.168.0.201 but client unable to surf.

Is their any changes required on WAN modem configuration?

Please if you have some time to take remote session for checking Virtual firewall?

Regards 

Muhammad Danish Saleem

Danish,

the subnet must be 24 and not 25.

Make sure on Vmware you have 2 separated vswitch, one dedicated for WAN and one for LAN.

Regards

lferrara,

Network Traffic has been route from Virtual XG firewall. 

I disable the WAN modem DHCP and enable the DHCP on virtual XG firewall

run the default work policy LAN to WAN and uncheck match known user in firewall role.

but When client the brows any website their is certificate error and website could not be open.

please advise.

Regards

Muhammad Danish Saleem

Danish,

from XG console, are you able to ping www.google.com?

From computers, are you able to execute the same ping?

What DNS are you computer using?

can you share the LAN to WAN firewall rule screenshot?

Thanks

Dear lferrara

WAN modem DHCP Now enable and Firewall DHCP disable.

Traffic can route from FIrewall 

please see the below firewall

Traffic can route from FIrewall but see the result below.

client webpage

Client configuration

Firewall network setting

Danish,

you did not answer all my questions.

Uncheck decrypt and scan or import the Sophos SSL CA inside your browser and the issue will go away.

Regards

Dear lferrara,

Issue still persist

please see the below screenshot of client site broswer certificate setting and firewall end site.

Danish,

check if micro-app scanning is disabled:

https://community.sophos.com/kb/en-us/125458

otherwise open a ticket with Support.