Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 3 replies
  • Subscribers 3 subscribers
  • Views 7978 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Odd DMZ behavior?

iTechThingsSeriously

I setup a DMZ on a separate physical interface on a SG330; however, I can still ping hosts on all our internal networks. The only way for me to get this to stop is to disable both "Global ICMP Settings" and "Traceroute Settings" under the Network Protection > Firewall > ICMP. Disabling only one option still allowed PING to traverse the interfaces. It bugs me that this is the case. Is this normal? 

Also, I attempted to create a firewall rule like DMZ Network> PING, PING6, Any, All Protocols > Internal Interface Network: Deny which had no affect whatsoever....is that normal? I thought having this rule would let me block pinging, etc. between the two networks and leave the others alone, but nope.

Also, maybe my lack of experience, but our traffic flows similar to this...

Internet > Layer 3 switch > firewall > same layer 3 switch...

I wouldn't think that setup would matter since all traffic on the DMZ must pass through it's default gateway which is the SG330. The default gateway for all the other subnets/vlans is the layer 3 switch. 

Anyone know why the SG doesn't block ping between interfaces when they are separate networks? Have I totally missed the point on how to configure a DMZ with the SG?



This thread was automatically locked due to age.
Parents
  • 0

    Please insert a screencap of the 'ICMP' tab.  Also, say whether your layer 3 switch is routing between "Internal (Network)" and "DMZ (Network)."

    The invisible firewall rule created by allowing pings on the 'ICMP' tab comes before any manual rule - see #2 in Rulz.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    I've since played around some more, and I can get the ping to stop by un-checking the two highlighted settings which is to be expected, I assume...however, this isn't optimal as it prevents troubleshooting and pinging things from the internal LAN. 

    The layer 3 switch is not routing between the internal network and the DMZ network. Even with those two settings checked I cannot ping anything inside the DMZ from the Internal network. 

    Also, to be clear, I have to remove both those check boxes for ping to stop working from DMZ to Internal. Removing one, either one, and ping continues to function from DMZ to Internal. 

    This seems odd to me. 

Reply
  • 0 in reply to BAlfson

    I've since played around some more, and I can get the ping to stop by un-checking the two highlighted settings which is to be expected, I assume...however, this isn't optimal as it prevents troubleshooting and pinging things from the internal LAN. 

    The layer 3 switch is not routing between the internal network and the DMZ network. Even with those two settings checked I cannot ping anything inside the DMZ from the Internal network. 

    Also, to be clear, I have to remove both those check boxes for ping to stop working from DMZ to Internal. Removing one, either one, and ping continues to function from DMZ to Internal. 

    This seems odd to me. 

Children
  • +1 in reply to iTechThingsSeriously

    In your situation, the correct solution is to uncheck those boxes as you have done and then create your own rules like 'Internal (Network) -> ping -> DMZ (Network) : Allow'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML