Firewall Issues

Fairly new to Sophos UTM. Having some issues with Firewall Rules.

My setup is as follows:

WAN --> Sophos UTM --> Unifi USG (NAT Disabled) --> Subnet1, Subnet2, etc.

At the moment I'm having 2 issues. I'm based in the UK. If I enable country blocking for Asia, Africa and the Middle East, Facebook stops working. Checking the logs, my device is trying to connect to a Facebook server in South Africa?? WTF > There must be closer servers, i.e. the ones in Ireland. - If I unblock South Africa it all works. - I've tried to use my ISP DNS as well as Cloudflare and Google. All the same issues.

Second Problem which has been driving me nuts. 

I have a firewall rule - any --> any --> any - obviously only used for troubleshooting. With this rule enabled everything works as it should.

I have another rule: network 192.168.0.0/24 --> any --> Internet IPv4 & Internet IPv6. - If I disable the above rule and enable this one, no device on the network 192.168.0.0/24 can access the internet. Do I need to do anything else? I have Web Filtering disabled.

  • Yes, the biggest entities use content delivery networks that are scattered all over the world. This includes Sophos, which I have been told uses data centers on 3 continents. We do not allow Facebook, but we have had the same problem with TeamViewer. Had to create a rule to allow outgoing connections to port 5938, which we turn on and off as needed.

    When configuring country blocking exceptions, the trick to know:

    • If the specific destination is external (e.g. www.facebook.com), then the country list must be empty!
    • If the specific destination is internal (e.g. web.dmz.mycompany.com), then a country list must be specified (of which Select All is a possibility).

    I don't use the Internet objects. I think they may represent your network interface, but I am not sure. Use the Any destinations (Any, Any IPv4, Any IPv6) instead, as in your first example.

  • 1. For country blocking we block "from" mostly. As explained by DouglasFoster ... many services use CDNs around the world.

    2. Destination ANY may capture traffic to the DMZ or other isolated/protected networks too. We EVER use "Internet" if we mean Internet. Works great.

    ... But: Internet means "any" coming/going through an interface with default gateway configured. So the default gateway must be configured correctly.

    If it doesn't work, check the firewall live log and rule sorting (often we see a permit rule behind a reject rule).
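
The two points in the replies above (an "Any" destination also matching DMZ hosts, and a permit rule that is never reached because a broader reject sits above it) are easy to see with a first-match rule evaluator. The following Python is an added illustration written for this thread, not Sophos code, and it models UTM's rule table under two stated assumptions: rules are evaluated top to bottom with the first match winning, and the "Internet" object matches any destination that is not in a locally attached network (i.e. traffic that would leave via the default gateway). The network ranges, rule names and sample flows are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical locally attached networks behind the UTM / USG:
# LAN, a second subnet, and a DMZ. Anything outside these is "Internet".
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("192.168.0.0/24", "192.168.1.0/24", "10.10.10.0/24")]


@dataclass
class Rule:
    name: str
    source: str       # CIDR or "Any"
    destination: str  # CIDR, "Any", or "Internet"
    action: str       # "allow" or "drop"


def matches(addr, spec):
    """Does an address match a rule's source/destination object?"""
    if spec == "Any":
        return True
    if spec == "Internet":
        # Assumption: "Internet" = not in any directly attached network,
        # so the packet must be routed out via the default gateway.
        return not any(addr in net for net in LOCAL_NETWORKS)
    return addr in ipaddress.ip_network(spec)


def evaluate(rules, src, dst):
    """Return (action, rule_name) of the first matching rule.
    No match falls through to the implicit default drop, reported as (drop, None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(s, rule.source) and matches(d, rule.destination):
            return rule.action, rule.name
    return "drop", None


def shadowed_rules(rules, flows):
    """Names of rules that no sample flow ever reaches.
    A permit listed here is the 'permit rule behind reject rule' case:
    re-order it above the broader rule, or check the live log for the rule that did fire."""
    hit = {evaluate(rules, s, d)[1] for s, d in flows}
    return [r.name for r in rules if r.name not in hit]


# Constructed sample flows: LAN host to a public DNS server and to a DMZ web server.
SAMPLE_FLOWS = [("192.168.0.10", "8.8.8.8"), ("192.168.0.10", "10.10.10.5")]

# Rule set using "Internet" as the destination: DMZ traffic is not swept in.
GOOD_RULES = [
    Rule("LAN to DMZ", "192.168.0.0/24", "10.10.10.0/24", "drop"),
    Rule("LAN to Internet", "192.168.0.0/24", "Internet", "allow"),
]

# Rule set using "Any": the same rule also permits LAN hosts into the DMZ.
ANY_RULES = [
    Rule("LAN to Any", "192.168.0.0/24", "Any", "allow"),
]

# Mis-ordered rule set: a troubleshooting drop left above the permit shadows it.
BAD_RULES = [
    Rule("Troubleshooting drop", "Any", "Any", "drop"),
    Rule("LAN to Internet", "192.168.0.0/24", "Internet", "allow"),
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("any", ANY_RULES), ("bad", BAD_RULES)):
        for src, dst in SAMPLE_FLOWS:
            print(name, src, "->", dst, evaluate(rules, src, dst))
        print(name, "shadowed:", shadowed_rules(rules, SAMPLE_FLOWS))
```

Running it shows the "good" set allowing only the public destination, the "Any" set allowing the DMZ flow as well, and the "bad" set dropping everything with "LAN to Internet" reported as shadowed. In the real UTM the same diagnosis comes from the firewall live log: the rule number that fires tells you whether a broader rule above is catching the traffic first.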
