Ring Cameras & Sophos UTM Firewall

Hi,

I appear to be having an issue, where traffic relating to my Ring cameras is being blocked on my Sophos UTM Firewall. This blocked traffic is only occurring when I go to "Live View" one of the Ring cameras over the internal network, which causes the playback to quickly turn choppy and then disconnects. Using "Live View" on the cameras via an external connection, e.g. 4G does not cause this traffic to be logged.

Looking at both the Live Log for the Firewall and looking back at the Firewall Log when running a search, I'm seeing a lot of blocked traffic for "Default DROP, Secure RTCP".

It seems like the initial connection is accepted, where shortly after the connection is rejected. I'm having real trouble troubleshooting this as whatever I change appears to have no effect on the traffic being blocked. As a test, I created an ANY>ANY>ANY rule on the Firewall and moved the rule to the very top. Once done, I attempted live view on one of the cameras, but the Live Log for the Firewall was still showing "Secure RTCP" packets to be dropped.

In the attached screenshot of my Firewall Log, I noticed that at the start, "Secure RTCP" packets were being accepted by Packet filter rule #41. I tried to locate this rule on the Firewall, but I'm not sure how to determine the ID# of the Firewall Rules.

I do currently have a rule set up on the Firewall with the port numbers/ranges which Ring have documented as being required for their cameras to function through a firewall. support.ring.com/.../205385394-What-Ports-Do-I-Need-to-Open-in-My-Firewall-for-Ring-Doorbells-and-Chimes-.

I appreciate any advice that you can provide :)

Cheers,
Richard



  • OK, I appear to have resolved this problem. Looking further into the logs, I've noticed in the Intrusion Prevention log that there were a lot of entries for dropped packets which were detected as UDP Flood. After disabling UDP Flood Detection, the problem disappeared immediately. I am looking at a way of resolving this without disabling UDP Flood Detection.

    The Firewall log is, however, still showing a lot of dropped packets for "Secure RTCP", even when having UDP Flood Detection disabled. The only difference now is that playback during live view of the Ring cameras now works whilst connected to the same Sophos AP as the Ring cameras.

  • Hi Richard,

    Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.  Please post one line corresponding to those red ones above.

    Also, as you go forward, you will want to be aware of the Rulz (last updated 2019-04-17), especially up through #5.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for your reply. I've pasted a section of the Firewall log during that period below.

    2020:01:12-05:02:31 sophos ulogd[17086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3493" app="1171" srcmac="28:52:61:f1:40:1a" dstmac="6c:41:6a:72:55:8d" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="62" tos="0x00" prec="0x00" ttl="26" srcport="32365" dstport="62645"
    2020:01:12-05:02:31 sophos ulogd[17086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3493" app="1171" srcmac="28:52:61:f1:40:1a" dstmac="6c:41:6a:72:55:8d" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="62" tos="0x00" prec="0x00" ttl="26" srcport="32365" dstport="62645"
    2020:01:12-05:02:31 sophos ulogd[17086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3493" app="1171" srcmac="28:52:61:f1:40:1a" dstmac="6c:41:6a:72:55:8d" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="62" tos="0x00" prec="0x00" ttl="26" srcport="32365" dstport="62645"
    2020:01:12-05:02:31 sophos ulogd[17086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3493" app="1171" srcmac="28:52:61:f1:40:1a" dstmac="6c:41:6a:72:55:8d" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="62" tos="0x00" prec="0x00" ttl="26" srcport="32365" dstport="62645" 
    2020:01:12-05:02:32 sophos ulogd[17086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3493" app="1171" srcmac="28:52:61:f1:40:1a" dstmac="6c:41:6a:72:55:8d" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="94" tos="0x00" prec="0x00" ttl="37" srcport="46951" dstport="59439"
    2020:01:12-05:02:33 sophos ulogd[17086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3493" app="1171" srcmac="28:52:61:f1:40:1a" dstmac="6c:41:6a:72:55:8d" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="94" tos="0x00" prec="0x00" ttl="37" srcport="46951" dstport="59439"
    2020:01:12-05:02:34 sophos ulogd[17086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3493" app="1171" srcmac="28:52:61:f1:40:1a" dstmac="6c:41:6a:72:55:8d" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="94" tos="0x00" prec="0x00" ttl="37" srcport="46951" dstport="59439"
    2020:01:12-05:02:35 sophos ulogd[17086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3493" app="1171" srcmac="28:52:61:f1:40:1a" dstmac="6c:41:6a:72:55:8d" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="94" tos="0x00" prec="0x00" ttl="37" srcport="46951" dstport="59439"
    2020:01:12-05:02:37 sophos ulogd[17086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3493" app="1171" srcmac="28:52:61:f1:40:1a" dstmac="6c:41:6a:72:55:8d" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="94" tos="0x00" prec="0x00" ttl="37" srcport="46951" dstport="59439"
    2020:01:12-05:02:40 sophos ulogd[17086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3493" app="1171" srcmac="28:52:61:f1:40:1a" dstmac="6c:41:6a:72:55:8d" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="94" tos="0x00" prec="0x00" ttl="26" srcport="32365" dstport="62645"
    2020:01:12-05:02:40 sophos ulogd[17086]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" mark="0x3493" app="1171" srcmac="28:52:61:f1:40:1a" dstmac="6c:41:6a:72:55:8d" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="94" tos="0x00" prec="0x00" ttl="37" srcport="46951" dstport="59439"

     

    Cheers,
    Richard
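
Added example, not part of the original posts and not Sophos code: a small Python parser for the key="value" packet-filter lines pasted above, which groups the drops by flow so it is clear how many distinct UDP flows produce the entries, which fwrule logged them and over what time span. The sample lines are taken from that log with some fields omitted for brevity; the function and field-group names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines from the log in the post above, shortened to the
# fields used here (MAC addresses, mark, app, tos and prec are omitted).
SAMPLE = '''\
2020:01:12-05:02:31 sophos ulogd[17086]: id="2001" sub="packetfilter" action="drop" fwrule="60001" initf="eth1" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="62" srcport="32365" dstport="62645"
2020:01:12-05:02:31 sophos ulogd[17086]: id="2001" sub="packetfilter" action="drop" fwrule="60001" initf="eth1" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="62" srcport="32365" dstport="62645"
2020:01:12-05:02:32 sophos ulogd[17086]: id="2001" sub="packetfilter" action="drop" fwrule="60001" initf="eth1" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="94" srcport="46951" dstport="59439"
2020:01:12-05:02:33 sophos ulogd[17086]: id="2001" sub="packetfilter" action="drop" fwrule="60001" initf="eth1" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="94" srcport="46951" dstport="59439"
2020:01:12-05:02:40 sophos ulogd[17086]: id="2001" sub="packetfilter" action="drop" fwrule="60001" initf="eth1" srcip="63.34.58.17" dstip="WAN_IP" proto="17" length="94" srcport="32365" dstport="62645"
'''

KV = re.compile(r'(\w+)="([^"]*)"')
STAMP = re.compile(r'^\s*(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s')
FLOW_KEYS = ("proto", "srcip", "srcport", "dstip", "dstport")

def parse_line(line):
    """Return the key="value" fields plus a parsed 'time', or None."""
    m = STAMP.match(line)
    fields = dict(KV.findall(line))
    if not m or "action" not in fields:
        return None  # not a packet-filter record in the expected format
    fields["time"] = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    return fields

def summarize_drops(text):
    """Group dropped packets by flow 5-tuple, busiest flow first."""
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "drop":
            key = tuple(rec.get(k) for k in FLOW_KEYS)
            flows[key].append(rec)
    out = []
    for key, recs in flows.items():
        times = [r["time"] for r in recs]
        out.append({
            "flow": key,
            "count": len(recs),
            "rules": sorted({r.get("fwrule", "?") for r in recs}),
            "span_s": (max(times) - min(times)).total_seconds(),
        })
    return sorted(out, key=lambda s: -s["count"])

if __name__ == "__main__":
    for summary in summarize_drops(SAMPLE):
        print(summary)
```
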

  • Richard, please show a picture of the Edit of the Firewall rule that you believe should have allowed the first four packets in that log.

    Cheers - Bob