
Firewall Issues

Fairly new to Sophos UTM. Having some issues with Firewall Rules.

My setup is as follows

WAN --> Sophos UTM --> Unifi USG (NAT Disabled) --> Subnet1, Subnet2, etc.

At the moment I'm having 2 issues. I'm based in the UK. If I enable country blocking for Asia, Africa and the Middle East, Facebook stops working. Checking the logs, my device is trying to connect to a Facebook server in South Africa?? WTF > There must be closer servers, i.e. the ones in Ireland. If I unblock South Africa it all works. I've tried to use my ISP DNS as well as Cloudflare and Google. All the same issues.

Second problem, which has been driving me nuts.

I have a firewall rule: any --> any --> any, obviously only used for troubleshooting. With this rule enabled everything works as it should.

I have another rule: network 192.168.0.0/24 --> any --> Internet IPv4 & Internet IPv6. If I disable the above rule and enable this one, no device on the network 192.168.0.0/24 can access the internet. Do I need to do anything else? I have Web Filtering disabled.

  • Yes, the biggest entities use content delivery networks that are scattered all over the world. This includes Sophos, which I have been told uses data centers on 3 continents. We do not allow Facebook, but we have had the same problem with TeamViewer. Had to create a rule to allow outgoing connections to port 5938, which we turn on and off as needed.

    When configuring country blocking exceptions, the trick to know:

    • If the specific destination is external (e.g. www.facebook.com), then the country list must be empty!
    • If the specific destination is internal (e.g. web.dmz.mycompany.com), then a country list must be specified (of which Select All is a possibility).

    I don't use the Internet objects. I think they may represent your network interface, but I am not sure. Use the Any destinations (Any, Any IPv4, Any IPv6) instead, as in your first example.

  • 1. For country blocking we block "from" mostly. As explained by DouglasFoster, many services use CDNs around the world.

    2. Destination ANY may capture traffic to DMZ or other isolated/protected networks too. We ALWAYS use "Internet" if we mean Internet. Works great.

    ... But: "Internet" means "any" coming/going through an interface with a default gateway configured. So the default gateway must be configured correctly.

    If it doesn't work, check the firewall live log and rule sorting (often we see a permit rule behind a reject rule).


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Agreed with Dirk on 1 and 2 - I also always recommend using the "Internet IPv4" object where possible as the "Any" object also includes internal networks which can lead to confusion if Internet is all that you mean.

    Like Dirk says about logs - always start troubleshooting with #1 in Rulz (last updated 2019-04-17).

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
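To make the two points in Dirk's and Bob's replies concrete (the "Internet IPv4" object reaching only destinations that leave via the default gateway, unlike "Any", and a permit rule sitting behind a reject rule never firing), here is an added first-match rule evaluator. It is example code written for this thread, not Sophos UTM code; the internal/DMZ networks and the treatment of "Internet IPv4" as "any IPv4 destination not in a locally routed network" are assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Constructed for the example: the poster's LAN plus an assumed DMZ network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "10.10.10.0/24")]

def internet_ipv4(dst: ipaddress.IPv4Address) -> bool:
    """Approximation of the 'Internet IPv4' object: IPv4 destinations that are
    not in any locally routed network, i.e. traffic that would leave via the
    default gateway (assumed semantics, not the product's exact definition)."""
    return dst.version == 4 and not any(dst in n for n in INTERNAL_NETS)

def any_ipv4(dst: ipaddress.IPv4Address) -> bool:
    """The 'Any IPv4' object: every IPv4 destination, DMZ included."""
    return dst.version == 4

@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst_match: Callable[[ipaddress.IPv4Address], bool]
    action: str  # "allow" or "reject"

def evaluate(rules, src: str, dst: str):
    """First matching rule wins, top to bottom; no match falls through to the
    implicit default drop. Returns (action, name of the deciding rule)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and r.dst_match(d):
            return r.action, r.name
    return "drop", "implicit default"

LAN = ipaddress.ip_network("192.168.0.0/24")

# Dirk's point 2: "Internet IPv4" lets the LAN out but does not reach the DMZ,
# whereas "Any" would also allow LAN -> DMZ.
internet_rule = [Rule("LAN to Internet IPv4", LAN, internet_ipv4, "allow")]
any_rule = [Rule("LAN to Any", LAN, any_ipv4, "allow")]

# The ordering mistake from the live-log tip: the permit rule is placed behind
# a reject rule that already matches, so it is never reached.
bad_order = [Rule("Reject LAN", LAN, any_ipv4, "reject"),
             Rule("LAN to Internet IPv4", LAN, internet_ipv4, "allow")]

if __name__ == "__main__":
    for rules in (internet_rule, any_rule, bad_order):
        print(evaluate(rules, "192.168.0.10", "8.8.8.8"),
              evaluate(rules, "192.168.0.10", "10.10.10.5"))
```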