
Firewall rules based on User Group Networks not working after upgrading to 9.501-5

Our system has one firewall rule that allows a group to access any services on the internet. The group is correctly configured with my user. This rule has not been working since upgrading to 9.501-5 last Friday.

If I add individual users in the firewall rule, I can successfully access all services.

I've already tried creating another group and adding it to the rule but it didn't work. I've tried with other users in the group as well. 

We use the authentication agent on the clients to log in. Other rules based on the groups are working (e.g. on the web filter).

I've attached some screens of the admin panel.

 



  • Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to those above, and explain where the target IP is and what it is.

    Please explain what you do to get the "(User Network)" object to be populated with an IP - are they logging in to a VPN?

    Cheers - Bob

  • Sorry about the repeated answers. I've been investigating and found out that the ipset relating to the group isn't being filled. Running "ipset list" on the shell:

    Name: 4_NetAaaTiUserGroup
    Type: hash:ip
    Revision: 0
    Header: family inet hashsize 4 maxelem 65536
    Size in memory: 104
    References: 1
    Members:
    [no members listed here]

    Tried creating new groups again and adding them to the firewall rule. The group appears on the ipset listing but without members.

  • It looks like you've found a bug, Daniel.  What does Sophos Support say about this?

    Cheers - Bob

  • Actually I can't open a ticket with Sophos Support because this is a home license. 

    I've managed to temporarily fix the issue. I've figured out that some users' IPs were getting into the ipset, but not others. The ones that weren't being added to the ipset were also in the SuperAdmins group. After I removed my user and others from SuperAdmins, my IP was listed in the corresponding ipset for the group that is used by the firewall rule.

  • That sounds like an important bug, Daniel.  I hope someone with a paid license sees it and finds this thread to learn your workaround - that will help the developers fix the problem.

    Cheers - Bob
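
The manual check from the thread (a group ipset that a firewall rule references but that has no members) can be scripted. This is an added example, not part of the original thread or of Sophos tooling; it assumes the `ipset list` field layout shown in the post, and the second and third sets with their 192.0.2.x addresses are constructed sample data.

```shell
#!/bin/sh
# Added example: list ipsets that a firewall rule references but that are empty.
# Reads `ipset list` output on stdin; tolerates indented (pasted) output.
empty_referenced_sets() {
    awk '
        function report() {
            if (name != "" && refs > 0 && members == 0) print name
        }
        $1 == "Name:"       { report(); name = $2; refs = 0; members = 0; in_members = 0; next }
        $1 == "References:" { refs = $2 + 0; next }
        $1 == "Members:"    { in_members = 1; next }
        in_members && NF > 0 { members++ }
        END                 { report() }
    '
}

# Constructed sample: first set copied from the post, the other two invented.
sample_ipset_list() {
    cat <<'EOF'
Name: 4_NetAaaTiUserGroup
Type: hash:ip
Revision: 0
Header: family inet hashsize 4 maxelem 65536
Size in memory: 104
References: 1
Members:

Name: 5_ExampleOtherGroup
Type: hash:ip
Revision: 0
Header: family inet hashsize 4 maxelem 65536
Size in memory: 136
References: 1
Members:
192.0.2.10
192.0.2.11

Name: 6_ExampleUnusedGroup
Type: hash:ip
Revision: 0
Header: family inet hashsize 4 maxelem 65536
Size in memory: 104
References: 0
Members:
EOF
}

# On the firewall shell: ipset list | empty_referenced_sets
sample_ipset_list | empty_referenced_sets
```

A set reported here while its users are logged in means the rule that references it matches nobody, which is the symptom described in the thread.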
