Start with a hostname that is a unique (not used for anything else) FQDN resolvable in public DNS to your public IP.
Always check the logs! For example, when you disabled Intrusion Prevention, you only disabled Snort – you did not disable the items on the other tabs! (Many people are tripped up by UDP Flood Protection which is logged in the Intrusion Prevention log file. This is often the cause of bad voice-quality with VoIP and unreliable IPsec connections that don’t terminate on the UTM.)
Whenever something seems strange, always check the Intrusion Prevention, Application Control and Firewall logs. If ‘Advanced Threat Protection’ on the Dashboard is not zero, check that log also. Hint: If this didn’t help, you likely have a routing problem. In that case, check #3 through #5.
Do you wonder why traffic is allowed through even when you have an explicit firewall rule blocking it? In general, a packet arriving at an interface is handled only by one of the below, in order (see images at the bottom):
- the connection tracker (conntrack) first
- then Country Blocking
- then the ‘ICMP’ tab in ‘Firewall’: Traceroute and Ping are regulated on the ‘ICMP’ tab. The “All” service only includes TCP and UDP – none of the other IP protocols are included.
- then Intrusion Prevention (see the images to see that IPS actually can happen in several places but happens only once!)
- then DNATs*
- then VPNs
- then Proxies (except the SMTP Proxy in Transparent mode which captures traffic forwarded by a DNAT)
- then manual Routes and manual Firewall rules, which are considered only if the automatic Routes and rules coming before hadn’t already handled the traffic
- and, finally, Application Control.
* A “blackhole DNAT” should be to an IPv4 address in 240.0.0.0/4 or to one in 100::/64 for IPv6.
Never create a Host/Network definition bound to a specific interface. Always leave all definitions with ‘Interface: <<Any>>’.
The only known exception began with V9.4 and the introduction of STAS (Sophos Transparent Authentication Suite). The Host definition of the AD domain controller must be bound to the interface for the subnet containing the DC. Note that you will need an additional Host definition with ‘Interface: <<Any>>’ if you want to make a firewall rule for the DC.
Other solutions to routing problems (not seeing any blocks, but not getting responses) include:
- Devices in the LAN must have the IP of “Internal (Address)” as their default gateway.
- Never connect two NICs into the same, physical Ethernet segment unless bridging or creating a LAG.
- When adding an interface, don’t forget the Masquerading rule for the new network behind the UTM.
When creating DNATs for traffic arriving from the internet, in “Going to:” always use the “(Address)” object created by WebAdmin when the interface or the Additional Address was defined. For any Traffic Selector to apply to packets with a destination of an IP on the UTM, the corresponding “(Address)” object must be used. Under the covers, it’s iptables that does the work. Using “Any” or a normal Network/Host definition causes the Traffic Selector to apply to packets in the FORWARD chain. The “(Address)” objects are bound to the interface on which they’re defined, so that causes the Selector to apply to the INPUT chain.
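To see why the “Going to:” target decides which chain a Selector lands in, here is a small model of the netfilter order the paragraph above describes (added example, not UTM code): nat/PREROUTING DNATs run first, then the routing decision sends the packet to INPUT if its (possibly rewritten) destination is one of the UTM’s own “(Address)” IPs and to FORWARD otherwise. It also checks the blackhole-DNAT ranges from the earlier footnote. All addresses and rules are constructed from documentation ranges.

```python
"""Model of INPUT vs FORWARD placement after nat/PREROUTING (added example)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Set, Tuple

# One DNAT as (original dst "(Address)", dst port, new dst). Constructed values.
DnatRule = Tuple[str, int, str]


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int


def is_blackhole(dst: str) -> bool:
    """True if dst is in a range the rule recommends for a blackhole DNAT."""
    ip = ipaddress.ip_address(dst)
    # 'in' returns False when the address family does not match the network.
    return (ip in ipaddress.ip_network("240.0.0.0/4")
            or ip in ipaddress.ip_network("100::/64"))


def prerouting_dnat(pkt: Packet, rules: List[DnatRule]) -> Packet:
    """nat/PREROUTING: the first matching DNAT rewrites the destination."""
    for match_dst, match_dport, new_dst in rules:
        if pkt.dst == match_dst and pkt.dport == match_dport:
            return replace(pkt, dst=new_dst)
    return pkt


def chain_for(pkt: Packet, local_addrs: Set[str], rules: List[DnatRule]) -> str:
    """Routing decision taken AFTER DNAT: local destination -> INPUT, else FORWARD."""
    after = prerouting_dnat(pkt, rules)
    return "INPUT" if after.dst in local_addrs else "FORWARD"


if __name__ == "__main__":
    utm_external = {"203.0.113.10"}          # the "External (Address)" object (constructed)
    dnats = [
        ("203.0.113.10", 443, "192.168.1.20"),  # publish an internal web server
        ("203.0.113.10", 23, "240.0.0.1"),      # blackhole DNAT for telnet probes
    ]
    for pkt in (Packet("203.0.113.10", 443), Packet("203.0.113.10", 22),
                Packet("203.0.113.10", 23)):
        after = prerouting_dnat(pkt, dnats)
        print(pkt, "->", after.dst, chain_for(pkt, utm_external, dnats),
              "(blackhole)" if is_blackhole(after.dst) else "")
```

Port 22 with no DNAT stays addressed to the UTM and ends up in INPUT, which is why a Selector meant for such traffic must name the “(Address)” object; the DNAT’d packets are rewritten before routing and therefore hit FORWARD.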
In NAT rules, it is a good habit to leave a field blank when not making a change. In the case of a service with a single destination port, this makes no difference. In the case of a service with multiple ports, or a Group, repeating the service makes the NAT rule ineffective.
There are only six reasons to sync users from AD to the ASG/UTM:
- The user is to be added to ‘Allowed Administrators’ or given a ‘Role’ on the ‘Access Control’ tab in ‘WebAdmin Settings’.
- The user needs access to the User Portal.
- The user should be able to log on to a Remote Access VPN that uses certificates to authenticate the user.
- Email Protection is enabled and the user should receive Quarantine Reports and be able to manage personal black/whitelists and/or use Email Encryption/Signing.
- You want to do Reporting by Department for Web Protection.
- You want to use the Authentication Agent to populate “username (User Network)” objects.
There’s no other reason to sync users to WebAdmin – certainly not for AD-SSO.
If you have slow throughput and/or ifconfig shows errors, collisions, etc., try these steps, in sequence, until your problem goes away:
- If you have a Realtek, Marvell or 3Com NIC, skip to the last step.
- Confirm that ‘Interfaces & Routing >> Quality of Service (QoS)’ is not limiting bandwidth. Also confirm that ‘TCP window scaling’ is enabled on the ‘Advanced’ tab of ‘Network Protection >> Firewall’.
- Edit the interface definition, and, in the ‘Advanced’ section, set the MTU to 1350. If that works, check with your ISP to help find the largest setting that works. If this doesn’t work, set the MTU back to its original value.
- Change the Ethernet cable.
- If connected to a switch, change the switch port.
- If connected to a router or modem, change that device.
- On the ‘Hardware’ tab in ‘Interfaces & Routing >> Interfaces’, experiment with different settings of fixed speeds and duplex. Make the same settings on the router/switch/modem to which the interface connects. Before testing the change, reboot both devices to force them to renegotiate their connection.
- Move the interface definition to another eth on the UTM or replace the NIC with an identical one. If you have a Realtek, Marvell or 3Com NIC, you should replace the NIC with an Intel (NOT an Intel 82574 based NIC due to bugs from Intel that aren’t fixed – the 210 series is good). Note that if you don’t already have an Intel NIC, you will need to reload from ISO in order to install the driver for the new NIC.
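The MTU step above says to start at 1350 and then find the largest value that works. Instead of guessing by hand, the added script below (not from the original post) binary-searches between 1350 and 1500 with DF-bit pings; it assumes Linux iputils `ping` (`-M do` sets Don’t Fragment, `-s` is the ICMP payload) and an IPv4 path, and takes the target host as its first argument.

```python
"""Find the largest working MTU with DF-bit pings (added example)."""
import subprocess
import sys
from typing import Callable, Optional

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_fits(host: str, mtu: int, timeout_s: int = 2) -> bool:
    """True if a Don't-Fragment echo sized to fill `mtu` gets a reply (iputils ping)."""
    payload = mtu - IP_ICMP_OVERHEAD
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    try:
        # A hop that would have to fragment makes ping exit non-zero.
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    except FileNotFoundError:
        return False  # no ping binary on this system


def largest_working_mtu(probe: Callable[[int], bool],
                        low: int = 1350, high: int = 1500) -> Optional[int]:
    """Binary-search the largest MTU in [low, high] that `probe` accepts.

    Returns None when even `low` fails: the problem is then not MTU, so
    restore the original value as the rule says and move to the next step.
    """
    if not probe(low):
        return None
    lo, hi = low, high  # invariant: probe(lo) succeeded
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: mtu_probe.py <host-beyond-the-ISP-link>")
    target = sys.argv[1]
    result = largest_working_mtu(lambda m: ping_fits(target, m))
    print("largest working MTU:", result if result else "below 1350 (not an MTU problem)")
```

A result of 1492 is typical for PPPoE links; 1500 means the path is not the bottleneck.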
Before changing the hardware the UTM runs on, go to ‘Interfaces & Routing >> Interfaces’ and, on the ‘Hardware’ tab, edit each NIC to have a ‘Virtual MAC Address’ that copies the existing MAC. This will cause your new NICs to be recognized immediately after the configuration is restored. The alternative is to make certain that each router/switch connected to the various NICs has cleared its ARP table:
- When changing UTM hardware or NICs, always power-cycle any cable modems or other devices that lock MAC addresses.
- Some ISPs (FiOS) require calling the ISP to break the lease, unless one does it manually (from the UTM console) when switching UTM hardware.
When a Web Filtering Filter Action changes because Policies are switched by Time Events, connections that are already established (a running YouTube stream, for example) keep working and are not blocked. Use Sheldon’s Trick: create a firewall Block rule tied to a one-minute Time Event that begins when the Time Event for your allowing policy ends. That brief block tears down the established connections, and the policy blocking the traffic then handles the new requests.