Channel: Sophos User Bulletin Board
Viewing all 14361 articles

[2.0][OPEN] Policy non-compliance warning

All users have the base policy applied. What does the policy non-compliance warning mean? The users cannot change anything, as this has only occurred within an hour of putting Sophos onto their machines, and they are not logged in.

Site-to-site VPN behind NAT routers

Hello everyone,

I would like to connect two networks via VPN using DynDNS addresses. The setup is as follows:

UTM9 --- Fritzbox --- Internet ---- Vodafone Easy Box ---- UTM9

On the FritzBox I have entered the UTM9 as the exposed host, so everything should be forwarded. On the EasyBox, TCP ports 1723, 80, 443, 500 and 4500 are forwarded to the UTM9. That should be enough, shouldn't it? Unfortunately the tunnel does not come up. Can anyone give me a tip as to what might be causing this to fail?

Best regards

Frank
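One check worth running on a port-forward list like the one above, added here as an example that is not part of the post and not a Sophos tool: IKE negotiates over UDP/500, and once a NAT is detected between the peers IKE and UDP-encapsulated ESP move to UDP/4500 (NAT-T); without NAT-T, ESP is IP protocol 50, which carries no port and cannot be covered by a port-forward at all. The script takes a list of forwarded entries in a "proto/port" notation (an assumption of this example) and reports which IPsec requirements are missing, or present only on the wrong transport protocol.

```python
"""Compare a NAT router's forwarded ports against what an IPsec peer behind it
needs. Added illustration; not from the forum post and not Sophos UTM code.
The 'proto/port' spec notation is an assumption of this example."""

# IKE/ISAKMP runs over UDP/500. With NAT traversal (NAT-T), IKE and
# UDP-encapsulated ESP both use UDP/4500. Plain ESP is IP protocol 50, which
# has no port and therefore cannot be covered by a port-forward at all.
IPSEC_NAT_T_REQUIREMENTS = {
    ("udp", 500): "IKE / ISAKMP",
    ("udp", 4500): "IKE and ESP-in-UDP (NAT-T)",
}


def parse_forward(spec):
    """'tcp/1723', 'TCP 1723' or 'udp:500' -> ('tcp', 1723) / ('udp', 500)."""
    normalised = spec.strip().lower().replace(":", "/").replace(" ", "/")
    proto, _, port = normalised.partition("/")
    if proto not in ("tcp", "udp") or not port.isdigit():
        raise ValueError(f"cannot parse forward spec {spec!r}")
    return proto, int(port)


def check_forwards(forwarded):
    """Return (missing, wrong_proto).

    missing:     required (proto, port, purpose) entries with no forward at all
    wrong_proto: required entries whose port is forwarded, but only with the
                 other transport protocol (a TCP forward does nothing for IKE)
    """
    have = {parse_forward(f) for f in forwarded}
    missing, wrong_proto = [], []
    for (proto, port), purpose in IPSEC_NAT_T_REQUIREMENTS.items():
        if (proto, port) in have:
            continue
        same_port_other_proto = [p for (p, pt) in have if pt == port and p != proto]
        (wrong_proto if same_port_other_proto else missing).append((proto, port, purpose))
    return missing, wrong_proto


def report(forwarded):
    """Human-readable summary, for running the check interactively."""
    missing, wrong_proto = check_forwards(forwarded)
    lines = [f"forwarded: {sorted(parse_forward(f) for f in forwarded)}"]
    lines += [f"MISSING     {p}/{pt}  ({why})" for p, pt, why in missing]
    lines += [f"WRONG PROTO {p}/{pt}  ({why}) - only the other transport is forwarded"
              for p, pt, why in wrong_proto]
    if not missing and not wrong_proto:
        lines.append("all IPsec NAT-T requirements are forwarded")
    return "\n".join(lines)


if __name__ == "__main__":
    # The list from the post, written in this example's notation: all TCP.
    print(report(["tcp/1723", "tcp/80", "tcp/443", "tcp/500", "tcp/4500"]))
```

TCP 1723 is PPTP's control port and only matters for PPTP (which also needs GRE, IP protocol 47, passed through); 80 and 443 are irrelevant to an IPsec tunnel unless the far end is meant to reach WebAdmin or the user portal. The check does not tell you whether the remote router actually passes UDP, only whether the list covers what IKE needs.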

VPN to 2 networks with same internal IP

Hello,

I want to build a VPN connection to 2 of my friends.
Unfortunately, they both use 192.168.1.0 for their internal network and they don't want to change it.

How can I get a connection to both of them?
Can I setup something like a "virtual network" on my side?

E.g.
My internal network: 192.168.50.0
192.168.55.0 <---> Tunnel to Friend A
192.168.60.0 <---> Tunnel to Friend B

So ping to 192.168.55.22 will ping 192.168.1.22 at friend A,
ping to 192.168.60.124 will ping 192.168.1.124 at friend B.
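What the post calls a "virtual network" is a 1:1 network address translation (Linux iptables calls the target NETMAP): the alias prefix is swapped for the peer's real prefix while the host bits are kept, so both remote 192.168.1.0/24 networks become distinct prefixes on the local side. The class below, added here as an example and not code from the post or from Sophos UTM, models that mapping in both directions, selects the tunnel from the alias prefix, and refuses alias prefixes that overlap. The peer names "friend_a" and "friend_b" are placeholders.

```python
"""1:1 network mapping (NETMAP-style) for two VPN peers that both use
192.168.1.0/24. Added illustration; not code from the post or from Sophos UTM.
Peer names and the alias prefixes are this example's placeholders."""
import ipaddress


class OneToOneNat:
    """Swap an alias prefix for a peer's real prefix and back, keeping the host
    bits: 192.168.55.22 <-> 192.168.1.22 at peer A, 192.168.60.124 <-> 192.168.1.124 at peer B."""

    def __init__(self):
        self.rules = []  # (alias_net, real_net, peer)

    def add(self, alias, real, peer):
        alias_net = ipaddress.ip_network(alias)
        real_net = ipaddress.ip_network(real)
        if alias_net.prefixlen != real_net.prefixlen:
            raise ValueError("alias and real prefix must be the same size for 1:1 mapping")
        for existing_alias, _, existing_peer in self.rules:
            if existing_alias.overlaps(alias_net):
                raise ValueError(f"alias {alias_net} overlaps the alias used for {existing_peer}")
        self.rules.append((alias_net, real_net, peer))

    @staticmethod
    def _remap(addr, src_net, dst_net):
        """Keep addr's host bits, replace its network bits with dst_net's."""
        host_mask = (1 << (src_net.max_prefixlen - src_net.prefixlen)) - 1
        return ipaddress.ip_address(int(dst_net.network_address) | (int(addr) & host_mask))

    def outbound(self, dst):
        """LAN -> tunnel: the alias destination selects the peer and becomes the real address."""
        dst = ipaddress.ip_address(dst)
        for alias_net, real_net, peer in self.rules:
            if dst in alias_net:
                return peer, str(self._remap(dst, alias_net, real_net))
        return None, str(dst)  # not an aliased destination: no translation, no tunnel

    def inbound(self, peer, src):
        """tunnel -> LAN: a real source address from this peer is rewritten to its alias."""
        src = ipaddress.ip_address(src)
        for alias_net, real_net, rule_peer in self.rules:
            if rule_peer == peer and src in real_net:
                return str(self._remap(src, real_net, alias_net))
        raise ValueError(f"{src} arriving from {peer} matches no mapping rule")


def build_example():
    """The layout from the post: two peers whose real network is 192.168.1.0/24."""
    nat = OneToOneNat()
    nat.add("192.168.55.0/24", "192.168.1.0/24", "friend_a")
    nat.add("192.168.60.0/24", "192.168.1.0/24", "friend_b")
    return nat


if __name__ == "__main__":
    nat = build_example()
    print(nat.outbound("192.168.55.22"))           # ('friend_a', '192.168.1.22')
    print(nat.inbound("friend_a", "192.168.1.22"))  # 192.168.55.22
```

Two points the model makes visible: the translation has to happen before tunnel selection (the tunnel's remote network stays the peer's real 192.168.1.0/24, and the peer sees only your own 192.168.50.0/24 as the source), and the same real prefix can appear in two rules only because the peer, not the address, disambiguates the inbound direction. Reply traffic from a peer must be matched by the tunnel it arrived on, so the inbound rewrite needs to be tied to that tunnel, not to the source address alone.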

Traffic balancing with Multi-VPN-Tunnel not working correctly

Hey guys,

I've just set up a "working" multi-tunnel VPN connection, but the balancing is weird.

Setup:

Site 1:
virtual UTM 9.1
Uplink1.1: 100Mbit down / 6Mbit up
Uplink1.2: 100Mbit down / 6Mbit up

Site 2:
virtual UTM 9.1
Uplink2.1: 25Mbit down / 5Mbit up
Uplink2.2: 25Mbit down / 5Mbit up

If I connect either Uplink1.1 <-> Uplink2.1 or Uplink1.2 <-> Uplink2.2 via IPsec VPN, I get the maximum possible bandwidth with NetIO:

Code:

TCP connection established.
Packet size  1k bytes:  612.07 KByte/s Tx,  375.33 KByte/s Rx.
Packet size  2k bytes:  626.75 KByte/s Tx,  382.09 KByte/s Rx.
Packet size  4k bytes:  631.49 KByte/s Tx,  394.23 KByte/s Rx.
Packet size  8k bytes:  621.46 KByte/s Tx,  395.23 KByte/s Rx.
Packet size 16k bytes:  637.13 KByte/s Tx,  394.85 KByte/s Rx.
Packet size 32k bytes:  605.03 KByte/s Tx,  393.22 KByte/s Rx.
Done.

Now i've connected

Uplink1.1 <-> Uplink2.1
Uplink1.2 <-> Uplink2.2

via "Bind Tunnel to Local Interface" on both UTMs. Tunnels are up and running. Then I set up multipath rules on both UTMs to split "by Connection" over the uplink interfaces. This is working, since I can see ESP packets on all 4 interfaces with tcpdump. But NetIO shows me something very disappointing (tested at least 20 times, all similar):


Code:

TCP connection established.
Packet size  1k bytes:  347.49 KByte/s Tx,  347.51 KByte/s Rx.
Packet size  2k bytes:  339.28 KByte/s Tx,  411.48 KByte/s Rx.
Packet size  4k bytes:  324.03 KByte/s Tx,  423.60 KByte/s Rx.
Packet size  8k bytes:  407.81 KByte/s Tx,  444.98 KByte/s Rx.
Packet size 16k bytes:  324.88 KByte/s Tx,  398.78 KByte/s Rx.
Packet size 32k bytes:  478.62 KByte/s Tx,  414.66 KByte/s Rx.
Done.

Although it should be something like 1078.62 KByte/s Tx, 914.66 KByte/s Rx.
Even the UTM dashboard shows that the data is split across both interfaces...

Qos = off
No Traffic-Selectors activated
No traffic on Uplinks

I've also tested Samba file transfers, with the same effect.
Am I missing something or have I done something wrong?

Better download areas

The Astaro servers are getting hammered and I have a client whose machine has crashed. Does anyone have a copy of 9.0 or 9.1 stashed on a link that gets better than 60 kilobits a second?

UTM 9.1: are there problems with the VPN???

Hello everyone,

After updating the ASG to UTM 9.1 the day before yesterday, my users can no longer access Lotus Notes via the VPN connection, nor open an RDP connection to a server on the network.
Before the update this worked without problems...
Pinging the systems works perfectly, both by IP address and by name.

Does anyone know this problem and a solution?

Best regards
Christian

Remote access to the same subnet

Hello forum!

I have the following problem. I want to use the VPN client from a specific PC on a remote network to access a PC on my own network. The problem is that the same subnets are used on both sides. On the remote side I have no Astaro firewall. Can this be done with the VPN client at all? I have already found a few threads on the topic here, but only for cases where an Astaro was present on both sides and a site-to-site connection was set up.

Regards

IPsec VPN down since update to 9.1

Last night we ran the automatic update to 9.100-16 on various hardware devices.

All site-to-site IPsec VPN connections are down and have not come up again since this update.

In the log files I see:

#964: cannot route -- route already in use for
Probable authentication failure

We created completely new connections, without success. We tried various variants (gateway type, authentication, etc.). We can no longer get any IPsec connection between the sites, on identical Sophos devices.

We have now disabled these and set up site-to-site SSL connections. At least those could be established without errors.

Inbound mail not being delivered since update to 9.100-16

Hi,
I upgraded from 9.006005 to 9.100-16 the other day, and since the upgrade no inbound mail has been delivered to my Exchange server. If I look at the SMTP spool in Mail Manager I can see all the inbound email marked as "Waiting".



Looking at the SMTP proxy log I can see the following:
Quote:

2013:05:16-08:47:00 Firewall exim-out[2563]: 2013-05-16 08:47:00 1UcUEQ-0001k3-7N == ***@***.com R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host
2013:05:16-08:47:00 Firewall exim-out[2565]: 2013-05-16 08:47:00 1Uce4k-0006su-28 == ***@***.com R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host
2013:05:16-08:47:00 Firewall exim-out[2575]: 2013-05-16 08:47:00 1Uca0y-0005XD-9s == ***@***.com R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host
2013:05:16-08:47:00 Firewall exim-out[2577]: 2013-05-16 08:47:00 1UcgtQ-0005xW-6d == ***@***.com R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host
2013:05:16-08:47:00 Firewall exim-out[2579]: 2013-05-16 08:47:00 1UcGht-00015U-0A == ***@***.com R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host
2013:05:16-08:47:00 Firewall exim-out[2581]: 2013-05-16 08:47:00 1UcZna-00053S-6T == ***@***.com R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host
2013:05:16-08:47:00 Firewall exim-out[2583]: 2013-05-16 08:47:00 1UceZY-0008BN-CM == ***@***.com R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host
2013:05:16-08:47:00 Firewall exim-out[2585]: 2013-05-16 08:47:00 1UcXEi-0007wj-97 == ***@***.com R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host
2013:05:16-08:47:00 Firewall exim-out[2587]: 2013-05-16 08:47:00 1UcCtk-0003mw-G4 == ***@***.com R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host
and if I select a couple of emails and click retry I also see:

Quote:

2013:05:16-08:47:50 Firewall exim-out[2657]: 2013-05-16 08:47:50 1UcoAi-0003Jg-B0 Remote host 172.16.1.2 [172.16.1.2] closed connection in response to MAIL FROM:<yyy@yyy.com> SIZE=29750
2013:05:16-08:47:50 Firewall exim-out[2656]: 2013-05-16 08:47:50 1UcoAi-0003Jg-B0 == ***@***.com R=static_route_hostlist T=static_smtp defer (-18): Remote host 172.16.1.2 [172.16.1.2] closed connection in response to MAIL FROM:<yyy@yyy.com> SIZE=29750
2013:05:16-08:47:50 Firewall exim-out[2659]: 2013-05-16 08:47:50 1UckAy-0008RQ-5Z Remote host 172.16.1.2 [172.16.1.2] closed connection in response to MAIL FROM:<yyy@yyy.com> SIZE=12437
2013:05:16-08:47:50 Firewall exim-out[2658]: 2013-05-16 08:47:50 1UckAy-0008RQ-5Z == ***@***.com R=static_route_hostlist T=static_smtp defer (-18): Remote host 172.16.1.2 [172.16.1.2] closed connection in response to MAIL FROM:<yyy@yyy.com> SIZE=12437
2013:05:16-08:47:50 Firewall exim-out[2661]: 2013-05-16 08:47:50 1Uchw6-00020O-Gu Remote host 172.16.1.2 [172.16.1.2] closed connection in response to MAIL FROM:<yyy@yyy.com> SIZE=3147
2013:05:16-08:47:50 Firewall exim-out[2660]: 2013-05-16 08:47:50 1Uchw6-00020O-Gu == ***@***.com R=static_route_hostlist T=static_smtp defer (-18): Remote host 172.16.1.2 [172.16.1.2] closed connection in response to MAIL FROM:<yyy@yyy.com> SIZE=3147
2013:05:16-08:47:51 Firewall exim-out[2663]: 2013-05-16 08:47:51 1Ucicg-00043v-4W Remote host 172.16.1.2 [172.16.1.2] closed connection in response to MAIL FROM:<yyy@yyy.com> SIZE=73288
2013:05:16-08:47:51 Firewall exim-out[2662]: 2013-05-16 08:47:51 1Ucicg-00043v-4W == ***@***.com R=static_route_hostlist T=static_smtp defer (-18): Remote host 172.16.1.2 [172.16.1.2] closed connection in response to MAIL FROM:<yyy@yyy.com> SIZE=73288
2013:05:16-08:47:51 Firewall exim-out[2664]: 2013-05-16 08:47:51 1UcrIk-0004FZ-DO Remote host 172.16.1.2 [172.16.1.2] closed connection in response to MAIL FROM:<yyy@yyy.com> SIZE=26987
2013:05:16-08:47:51 Firewall exim-out[2655]: 2013-05-16 08:47:51 1UcrIk-0004FZ-DO == ***@***.com R=static_route_hostlist T=static_smtp defer (-18): Remote host 172.16.1.2 [172.16.1.2] closed connection in response to MAIL FROM:<yyy@yyy.com> SIZE=26987
In the above logs I have replaced internal email addresses with ***@***.com and external addresses with yyy@yyy.com.

All internal email is working, as is sending email outbound; it's just inbound that is the issue.

I'm not sure what to do to fix this.

Regards

Karl
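A small triage script for the two kinds of exim-out lines quoted in the post above, added here as an example and not part of the post or of Sophos UTM. In Exim, "defer (-53): retry time not reached for any host" means the queue runner skipped the message because the retry database still holds a back-off from an earlier failed attempt; it names no cause. The cause is the deferral recorded when delivery is actually attempted, which in the post is "defer (-18): Remote host ... closed connection in response to MAIL FROM". The script separates the two, counts deferrals per code and per remote host, and keeps the latest real deferral per message ID. The sample log lines are constructed in the post's format with placeholder addresses.

```python
"""Triage exim-out deferrals in a Sophos UTM SMTP proxy log.
Added example, not from the post or from Sophos. The sample lines below are
constructed in the post's format with placeholder addresses."""
import re
from collections import Counter

# Exim's "retry time not reached" deferral: a queue-runner skip, not a cause.
RETRY_NOT_REACHED = -53

DEFER_RE = re.compile(
    r"exim-out\[(?P<pid>\d+)\]: (?P<stamp>\S+ \S+) (?P<msgid>\S+) == (?P<rcpt>\S+) "
    r"R=(?P<router>\S+) T=(?P<transport>\S+) defer \((?P<code>-?\d+)\): (?P<reason>.*)$"
)
HOST_RE = re.compile(r"Remote host (?P<host>\S+) \[(?P<ip>[0-9.]+)\]")

SAMPLE_LOG = """\
2013:05:16-08:47:00 Firewall exim-out[2563]: 2013-05-16 08:47:00 1UcUEQ-0001k3-7N == alice@example.internal R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host
2013:05:16-08:47:00 Firewall exim-out[2565]: 2013-05-16 08:47:00 1Uce4k-0006su-28 == bob@example.internal R=static_route_hostlist T=static_smtp defer (-53): retry time not reached for any host
2013:05:16-08:47:50 Firewall exim-out[2657]: 2013-05-16 08:47:50 1UcoAi-0003Jg-B0 Remote host 172.16.1.2 [172.16.1.2] closed connection in response to MAIL FROM:<sender@example.net> SIZE=29750
2013:05:16-08:47:50 Firewall exim-out[2656]: 2013-05-16 08:47:50 1UcoAi-0003Jg-B0 == alice@example.internal R=static_route_hostlist T=static_smtp defer (-18): Remote host 172.16.1.2 [172.16.1.2] closed connection in response to MAIL FROM:<sender@example.net> SIZE=29750
2013:05:16-08:47:51 Firewall exim-out[2662]: 2013-05-16 08:47:51 1Ucicg-00043v-4W == bob@example.internal R=static_route_hostlist T=static_smtp defer (-18): Remote host 172.16.1.2 [172.16.1.2] closed connection in response to MAIL FROM:<sender@example.net> SIZE=73288
"""


def parse_deferrals(log_text):
    """Yield one dict per '== rcpt ... defer (code): reason' line."""
    for line in log_text.splitlines():
        m = DEFER_RE.search(line)
        if not m:
            continue  # connection-level chatter without a per-recipient verdict
        d = m.groupdict()
        d["code"] = int(d["code"])
        h = HOST_RE.search(d["reason"])
        d["remote_ip"] = h["ip"] if h else None
        yield d


def triage(log_text):
    """Summarise: deferrals per code, per remote host, and the latest real
    (non -53) deferral per message ID, which is the line worth reading."""
    by_code, by_host, root_cause = Counter(), Counter(), {}
    for d in parse_deferrals(log_text):
        by_code[d["code"]] += 1
        if d["remote_ip"]:
            by_host[d["remote_ip"]] += 1
        if d["code"] != RETRY_NOT_REACHED:
            root_cause[d["msgid"]] = (d["code"], d["reason"])
    return {"by_code": dict(by_code), "by_host": dict(by_host), "root_cause": root_cause}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("deferrals by code :", summary["by_code"])
    print("deferrals by host :", summary["by_host"])
    for msgid, (code, reason) in summary["root_cause"].items():
        print(f"{msgid}: ({code}) {reason}")
```

Where the root-cause lines all point at one internal host dropping the session at MAIL FROM, the next place to look is that host's own SMTP log for the same message IDs and timestamps, and the SIZE= values against any message-size limit configured there; the UTM side of the log cannot say why the far end hung up.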

Locked out?

Feel free to call me an idiot, but I'm in a Catch-22 and don't have the skills to get out ...

I had some issues since the recent UTM update, so decided to restore, without realising 2 important things.

1. Restore restores settings, not the OS version; uselessly, as I have had nothing but trouble since the update,
and, more importantly,
2. I'm now locked out. It will not recognise any of the admin login info, either the current or that from the restore date. I know all the login/password combinations back to inception; none work.

What next?
Trash the entire machine & start from scratch?
The machine is headless. Is there a way in if I hang a screen off it?

I'm on the Home/Freeware version & my IT knowledge isn't up to much compared to the average for a forum like this. My nix skills are almost zero.

I really don't want to spend another week setting this all back up again.

At the moment I have basic functionality, but no POP3, which was the issue I was trying to roll back to fix: the proxy failed after the update and for some reason isn't handling the SSL correctly; now I can't get in to switch it off again.

If at all possible, I'd like to get back to the last version too; the recent x.1 [I can't access the numbers to check] has been troublesome and I'd ideally like to be able to get back to the x.09.

Thanks for any help you can offer.

DHCP Relay Question

Hello,

I'm new to the forum and hope I'm not duplicating an existing thread.

I have a feeling I know the answer to this, but here goes:

Does activating the DHCP relay affect all wireless networks or can some use the internal DHCP mechanism and others use the relay?

Thanks,

Steve

I do not receive notification mails

Hi,

I get the following smtp.log entries:
R=dnslookup defer (-1): lowest numbered MX record points to local host
retry timeout exceeded
SMTP error from remote mail server after initial connection: host deadmail.fw-notify.net [93.189.156.232]: 421 Too many concurrent SMTP connections; please try again later.
do-not-reply@fw-notify.net R=dnslookup T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host deadmail.fw-notify.net [93.189.156.232]: 421 Too many concurrent SMTP connections.

Web Protection

Hi,

I am running Sophos UTM home edition in an Active Directory domain.
How can I block a few websites for a user or group?
I am able to block for all users but not for a single user or group.
Running in transparent mode.

Thanks & Regards
Tony

9.1 Update Woes

Also running into issues with the 9.1 update: end-user SSL VPN automatic firewall rules stopped working, at least partially. In this instance DNS port 53 was being blocked. I had to manually create rules to and from the pool and internal network and disable/re-enable the VPN for name resolution to work again. Accessing servers by IP continued to work fine.

Upgrade to 9.100-16 some features not working

Hi all,

2 days ago we updated our UTM 220 from 9.006 (the last 9.0 release) to 9.100-16. After the reboot, this happened:

1. POP3 proxy is not working anymore.
2. Many confd.plx <defunct> processes.
3. Hardware reporting is empty for 1 hour.
4. "No data is available for this report" when Management is clicked.

So after one day I decided to reboot the UTM. It worked for 2 hours, then I was not even able to reach it via the WebAdmin interface.

Today, same thing. After I disabled the POP3 proxy, the UTM is working, but the other points (2, 3, 4) are still there.

Can you help us?
Thank you.



Luciano

9.1 HA Stops Working on VMware ESXi

This thread references the config (basically disabling the HA virtual MAC and the VM configuration of the virtual interfaces, i.e. ethernet.ignoreMACAddressConflict = "TRUE"):

http://www.astaro.org/gateway-produc...ha-vmware.html

This worked great up to 9.1. In 9.0x the master node used its own MAC address, the one assigned to the virtual adapter, for the IP address. When the device failed over to the secondary node, the secondary would use its own MAC and send a gratuitous ARP to update the ARP/CAM tables on devices.

In 9.1 it appears that one MAC address is moved between the active and passive node. This would seem to indicate a virtual MAC. I have verified that the virtual MAC isn't configured for use via the CC interface. It actually appears that the MAC address is taken from the first master node and moved to the secondary during failover. The end result is that VM hosts on the secondary node can't reach the firewall, because the ESXi virtual switch thinks the MAC address lives on a VM on that hypervisor.

Maybe this was done by design, but I don't see HA modifications mentioned in the release notes.

I had to rollback to 9.006-5 to recover.

Thanks,

Jeff

Country Blocking and Exceptions - Best Practice

What's the best way to setup country blocking, now that the new Sophos v.9.1 includes "From" and "To", together with exceptions for country blocking?

How resource-efficient is country blocking anyway, particularly with its new capabilities?

Example: A small service business located in country "X". Their website is hosted offsite, but their email is hosted in house on their mail server. This small service business only sells to local clients, but would want to send and receive email and web browse across the world.

Should they configure their UTM to block all countries except their local country or countries, and then configure exceptions for "From" traffic, allowing SMTP variants from all countries?

In addition to the practicality of it, would settings like "block all countries", From or To, burden the Sophos UTM?

Or, to limit the burden on their Sophos UTM, should they perhaps only block the countries that regularly attempt to hack past their firewall or send lots of spam or malware, and leave the others unblocked, even though outside of email and browsing to their websites they wouldn't transact with them in any other way?

What's the best way to do this?

Bandwidth Sharing

Hi,

I am trying to configure a Sophos UTM9 to achieve the following :

One of our customers runs a satellite system (2M down, 512K up). There are 2 groups of people on this system (3-4 admins and around 10 regular users).
I want to give admins priority on the bandwidth (essentially because they sometimes need to run some bandwidth-intensive applications).
I am trying to achieve that using QoS settings in the UTM9 (both groups are connected on different networks/interfaces), but I am not sure what the best practice is, and whether it can be dynamic (if no admin is using the internet then the other users can share the whole feed, but when an admin needs it, the other users share a limited chunk of the total bandwidth).

Hope this is clear

Thanks a lot

Julien

Additional Public IP Address / DNAT not working

Hello,

I am trying to set up a Sophos firewall. We have several public IPs and I need to set up NAT for several of our servers. For starters, I tried to set up DNAT for terminal server services to one server on our main WAN public IP, and then terminal services to another server on one of our other additional public IPs. The DNAT that I set up for the server on the main WAN IP works, but the DNAT using the additional public IP is not working. Although it could be the way I have set up the NAT translation, I believe my problem is with the additional public IP address that I have set up. Any clues as to what I am doing wrong would be greatly appreciated.

Notes from my install:

- performed initial setup of Sophos: set LAN interface, set WAN interface
- Tested the basics. I can get out to the internet. I can get into the web console of the Sophos using the public IP of the WAN port and port 4444.
- updated firmware
- Created DNAT rule for TerminalServer 1. Set the rule to send terminal server traffic arriving at the WAN port to the private IP of the terminal server
- tested connecting to this terminal server from the outside and it works fine

created an additional address for our second public IP by doing the following:
- Interfaces & Routing > Additional Addresses > New Additional Address
- I set the name
- set "on interface" to the "external wan"
- I set the netmask to /29 (255.255.255.248). I believe this is correct because this is the subnet of our public IP addresses

created a dnat rule for the second terminal server
- traffic from: Any
- using service: Microsoft terminal server services (RDP)
- going to external (wan) [connectwise_public] (Address)
- destination translation: Connectwise_private (this has the internal ip of the server)
- automatic firewall rule selected
- log initial packets selected

- I tried to test from the outside, but it is not working. From the outside I am also unable to connect to the web console of the Sophos using the additional public IP and port 4444, but I can connect to the web console using the main WAN public IP. If I edit just the "going to" field and point it at the external WAN address instead, I can RDP into the terminal server using the main WAN IP.
- I removed the DNAT rule and tried a Full NAT rule. Same results.
- I read a forum post that suggested I set the netmask of the additional public IP to /32 (255.255.255.255) instead of /29. I tried this but it did not work either.
- the old firewall is currently still in place

- Information about my Sophos:

Sophos UTM 9
Model: ASG120
Serial: A170613AD6813B7
License ID: 000000
Subscriptions: Base Functionality, Email Protection, Network Protection, Web Protection, Wireless Protection
Firmware version: 9.006-5
Pattern version: 45648


I will try to upload screenshots of my configuration.

Thanks for any help!

Andrew


[bug][9.1]input/output error

Hi All

Error whilst trying to access a specific web page. Log below and screenshot attached.

Tried with Safari 6.0.4 and FF21 on Mac OS X 10.8.3.

Code:

2013:05:16-23:29:33 ***** httpproxy[17371]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.2.15" dstip="216.239.205.215" user="" statuscode="502" cached="0" profile="REF_CnNPwVRtng (Internal Users)" filteraction="REF_DefaultHTTPCFFBlockAction (Internal Users)" size="2515" request="0xcf91628" url="https://registration.o2.co.uk/o2/webtopup/mobiledetailsprepare.do" exceptions="" error="Input/output error" country="United Kingdom" category="105" reputation="neutral" categoryname="Business"
Thanks

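The httpproxy line quoted above is a series of key="value" fields, and the fields that matter are error="Input/output error" beside statuscode="502": the category is "Business" with neutral reputation, so this block was not a category decision but the proxy hitting an I/O error while handling the request. Below, as an added example that is not from the post or from Sophos, a parser for that line format and a classifier that separates such proxy-side errors from policy blocks. The sample lines are constructed in the same format with placeholder hosts, URLs and profile names.

```python
"""Parse Sophos UTM httpproxy log lines (key="value" fields) and separate
proxy-side errors from policy blocks. Added example, not from the post or from
Sophos; sample lines are constructed in the post's format with placeholder
hosts, URLs and profile names."""
import re

KV_RE = re.compile(r'(\w+)="([^"]*)"')

SAMPLE_LINES = [
    '2013:05:16-23:29:33 fw httpproxy[17371]: id="0002" severity="info" sys="SecureWeb" sub="http" '
    'name="web request blocked" action="block" method="GET" srcip="192.168.2.15" dstip="203.0.113.10" '
    'user="" statuscode="502" cached="0" profile="REF_Example (Internal Users)" '
    'filteraction="REF_DefaultHTTPCFFBlockAction (Internal Users)" size="2515" request="0xcf91628" '
    'url="https://example.test/webtopup/prepare.do" exceptions="" error="Input/output error" '
    'country="United Kingdom" category="105" reputation="neutral" categoryname="Business"',
    '2013:05:16-23:29:40 fw httpproxy[17371]: id="0001" severity="info" sys="SecureWeb" sub="http" '
    'name="http access" action="pass" method="GET" srcip="192.168.2.15" dstip="203.0.113.11" '
    'user="" statuscode="200" cached="0" profile="REF_Example (Internal Users)" '
    'filteraction="REF_DefaultHTTPCFFAction (Internal Users)" size="1024" request="0xcf91700" '
    'url="http://example.test/" exceptions="" error="" category="105" reputation="neutral" '
    'categoryname="Business"',
    '2013:05:16-23:29:45 fw httpproxy[17371]: id="0002" severity="info" sys="SecureWeb" sub="http" '
    'name="web request blocked" action="block" method="GET" srcip="192.168.2.16" dstip="203.0.113.12" '
    'user="" statuscode="403" cached="0" profile="REF_Example (Internal Users)" '
    'filteraction="REF_DefaultHTTPCFFBlockAction (Internal Users)" size="0" request="0xcf91800" '
    'url="http://blocked.test/" exceptions="" error="" category="9999" reputation="malicious" '
    'categoryname="Malware"',
]


def parse_line(line):
    """Split off the 'timestamp host httpproxy[pid]:' prefix, then read the fields."""
    prefix, sep, body = line.partition("httpproxy[")
    fields = dict(KV_RE.findall(body if sep else line))
    if sep:
        fields["_timestamp"] = prefix.split()[0]
    return fields


def classify(fields):
    """'allowed' if not blocked; 'proxy-error' if the block carries an error
    string or a 5xx status (the proxy failed, policy did not decide);
    otherwise 'policy'."""
    if fields.get("action") != "block":
        return "allowed"
    if fields.get("error") or fields.get("statuscode", "").startswith("5"):
        return "proxy-error"
    return "policy"


def proxy_errors(lines):
    """(timestamp, srcip, url, statuscode, error) for every proxy-side failure."""
    out = []
    for f in map(parse_line, lines):
        if classify(f) == "proxy-error":
            out.append((f.get("_timestamp"), f["srcip"], f["url"], f["statuscode"], f["error"]))
    return out


if __name__ == "__main__":
    for row in proxy_errors(SAMPLE_LINES):
        print(row)
```

Running this over a day of httpproxy log and grouping the proxy-error rows by URL host is the quickest way to tell whether a user report like the one above is a single broken site or the proxy failing more broadly after an update; the policy rows belong in a separate pile, since changing filter actions will not fix a 502.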