Frank Angelini

Sophos XG 115 Appliance Set-up Issues

Set-up issues

I will preface this by saying I had a UTM120 for three years with the UTM9 OS and right now thinking boy I miss those days.  I was told that my appliance was nearing end-of-life so to renew licensing I went with the XG115.  I had configured UTM9 on my own and generated help desk cases if issues arose.  This appliance is quite a bit different.  Firmware XG115 (SFOS 17.0.0 GA) so on the latest firmware.

What I am trying to resolve right now is that any type of web surfing is extremely painful.  I have an on-premise Exchange server so port 443 is being forwarded to it but I also have the default network rule of WAN to LAN all ports and all services are open.  I have a similar network rule that WAN to LAN port 443 is open thinking of other workstations that initiate SSL traffic it will find its way back to the device that initiated the traffic.  Let's face it.  Most web sites are https.  I am constantly being warned that the certificate cannot be verified and I have to click to still access the site or create an exception for the site depending on the browser.  I cannot log in using an account to any web site.  Some sites I can't even create the exception in Firefox.  I can't use the StartPage search engine.  Amazon looks like crap.  No pictures and just a bunch of links.

A little bit on the network.  Uverse gateway goes to a Cisco ASA appliance that I consider my perimeter (and why not have another layer of defense!).  The XG is in bridge mode.  For a time I would go to my OWA site for my on-premise Exchange server and would get certificate errors there too (not up for renewal for another two weeks yet).  The ASA is listed as the gateway for the XG on the WAN port.  The LAN port on the XG was plugged into my SG300 Cisco switch.  I don't go too crazy with the security on the switch.  Just the default VLAN1 with port security tied to the MAC address of the device using the port.  This configuration worked well with UTM9.

I get the feeling that some of the traffic is getting recognized as DDOS or TCP Flooding and discarded judging by what I see in the logs.  I did click on the setting for allowing dynamic routing on the WAN port.  I also made the XG the default gateway for the network.

Windows update appears to work.  I have slimmed down security until I figure out the issue.  Not using IPS on any of the firewall rules yet.  I can connect to my network via RDP, SSH, FTP, my IP Cameras, and other things which use Business Application rules.

Under Web > General Settings I deselected "Block Invalid Certificates" and then was able to use ASDM to get to my ASA appliance; otherwise that was a problem too.  HTTPS Scanning Certificate Authority is on the default SecurityAppliance_SSL_CA.  I know I had issues with this option on the UTM9.

Most logs are empty but Firewall and IPS have a lot in them.  Attached are from IPS logs.  I see blocks for cloudflare but willing to bet part happens when I go to the Amazon Web Site.  Notice lots of TCP Floods and the number of packets dropped.

I have other issues but this is priority # 1 !  If anyone has ideas I would appreciate your assistance !  Thank you.
Tags: Hardware Firewalls, Sophos, Cisco, Network Security, Network Architecture


8/22/2022 - Mon
Scott Kunau

When you renewed or upgraded to the new appliance and hence new OS (XG vs. SG/UTM) was standard or premium support included? Did you purchase direct or through a Sophos partner? (My company is one and we do our best to solve issues but engage tech support when necessary even though it sometimes takes a while to reach a resolution).  Our main firewall engineer may very well be able to help you but I'm not sure how available he is today and I'm not sure if at all you can contact me as we're not supposed to solicit support work here.

If you can, I'd start immediately by opening a ticket with Sophos support. There was supposed to be a utility that would help you migrate your configuration on the SG/UTM 9 appliance into the XG appliance but I don't know if it was ever released.
Frank Angelini

I have Standard support but I can call 24x7.  I bought the firewall through Firewalls.com and they are a Sophos Partner.  I have a back-up of my configuration before replacing the appliance but was told that the OS is too different so it would not do me any good.  If there was such a utility/tool that would be way cool !

I will be calling Sophos support again probably this coming Friday as I have an existing case.  Sometimes I call and I am on hold for up to an hour before the call gets picked up.  They asked for Support access so I give it to them but then there doesn't seem to be progress and I wonder if anyone spent the time to review the logs.  They want to plug in a laptop to one of the other ports and see if I still experience the same issues.  It has been difficult to take this much time out of my schedule to resolve this.  I didn't need this much help with SG/UTM9.

I can surf better on Internet Explorer because it will let the site content come down from the web site.  However, the authority for the certificates on all these web sites is still not getting recognized for verification of the certificates.  This can't be that difficult to narrow down what is causing certificates to not get recognized !  I can't log into any web sites.

I thought I would try the forums as perhaps someone else has run into this and I would get a quicker resolution.  Thanks for responding !
Scott Kunau

Frank Angelini

That would be great.  If I don't make progress with Sophos support on Friday I wouldn't be averse to paying your firewall engineer to get this resolved.  I have heard of some people demanding to go back to UTM9 on the XG and Sophos has allowed it.  I would ask for that as a last resort and am not sure if it is still in development.  I originally planned on an upgrade to an SG model but the salesman at Firewalls.com talked me into the XG as it is more robust and has better reporting features.  I only upgraded because my old appliance was approaching end of life.  Thanks again.
Kyle Santos

If I don't make progress with Sophos support on Friday I wouldn't be adverse to paying your Firewall Engineer to get this resolved
Might I suggest using Experts Exchange Gigs platform to streamline this process for you two.  Let me know if you have any questions about how this works.
Also, here are our support pages for Clients and Freelancers when they use Gigs.  http://support.experts-exchange.com/customer/portal/articles/2290148

All the best to you two.  Happy Thanksgiving.
Frank Angelini

I made significant progress on this issue.  I am going to put this up for anyone that might run into this, as it might be difficult to find and hiring professional services can be costly!

First off, I had implemented DDoS Flood Prevention and there are four settings to be aware of.  You can go to Intrusion Prevention > DoS & Spoof Protection to see these settings.  I disabled all of these.  I may revisit this in the future and play with the thresholds, but even going to Amazon's web site would trigger this protection and packets were being dropped.

DDoS Flood Settings.
I then went to Web on the left side of the navigation bar and I believe it is under HTTPS Decryption and Scanning.  The HTTPS Scanning Certificate Authority (CA) was set to "SecurityAppliance_SSL_CA".  I don't know what that is and it is dated 2015.  I changed it to the default, which is the XG itself.  The XG is the one doing the scanning on your behalf.  See image #2.  There are two other settings on this screen and it depends on your comfort level.  I have internal assets with aged certificates that I don't plan on buying new certificates for, so I turned off the option to "Block Invalid Certificates".

HTTPS Scan Settings.
Now you can go to the left navigation bar and look for Certificates.  It might be under Certificates > Certificate Authorities > Default CA or Objects > Identity > Certificate Authority, but it depends on what firmware level you are on.  In any event, find Default on your list and download a copy of the cert for yourself by clicking on the down-arrow graphic.  Now you have the cert you can install within Windows and/or your browsers.  See image #3.

Download Certificate.
You can now install these certificates on your Windows computers or push them out via GPO, which I plan to do soon.  You will want to install the certificates in the Trusted Root Certification Authorities store on the local computer using MMC, PowerShell, or the command line, depending on your preference.  See image #4.

Certificate Store for Certs.
You could also be inclined to install the certificate into the store on the browser.  For instance you might need to get into the settings on the browser by going to "Settings - HTTPS/SSL - Manage Certificates - Trusted Root Certificate Authorities" depending on which browser you are using.

This combination of changes worked for me and it is nice that I can now surf the web.  The DDoS Flood settings also caused a big drop in my Internet speed, so it's nice that I have more speed now.

I have other issues to work on now with this device so I will start researching them.  Thank you.
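The install-and-verify step from the solution above, as an added PowerShell example; this is not code from the original post or from Sophos. It assumes the Default CA was downloaded from the XG to C:\Temp\xg-default-ca.pem (the file name and location are placeholders), that it runs from an elevated PowerShell prompt on a Windows client behind the XG, and uses www.amazon.com only because that is the site named in the thread; any HTTPS host the XG scans will do. After importing the CA into the machine-wide Trusted Root store, it opens a TLS session and prints the issuer of the certificate the client actually receives, which is the quickest way to confirm that the session is being re-signed by the XG and now validates.

```powershell
# Added example (not from the original post): install the Sophos XG HTTPS-scanning CA
# into LocalMachine\Root and confirm that intercepted TLS sessions chain to it.
# Run from an elevated PowerShell prompt (Import-Certificate needs the PKI module,
# present on Windows 8 / Server 2012 and later).
param(
    [string]$CertPath = 'C:\Temp\xg-default-ca.pem',   # assumed download location of the XG Default CA
    [string]$TestHost = 'www.amazon.com'               # assumed test site; any scanned HTTPS host works
)

# 1. Import the CA into the machine-wide Trusted Root store. Import-Certificate accepts
#    PEM or DER input and returns the imported X509Certificate2 object.
$ca = Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
"Imported CA : {0}" -f $ca.Subject
"Thumbprint  : {0}" -f $ca.Thumbprint
"Expires     : {0}" -f $ca.NotAfter

# 2. Confirm it is really in the store (a non-elevated run silently lands in CurrentUser).
$inStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint
if (-not $inStore) { throw "CA with thumbprint $($ca.Thumbprint) not found in LocalMachine\Root" }

# 3. Open a TLS session through the XG and inspect the leaf certificate the client receives.
#    With HTTPS scanning on, its issuer is the XG CA, not the site's public CA.
$tcp = New-Object System.Net.Sockets.TcpClient($TestHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($TestHost)   # throws if the chain does not validate
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        "Leaf subject: {0}" -f $leaf.Subject
        "Leaf issuer : {0}" -f $leaf.Issuer
        if ($leaf.Issuer -eq $ca.Subject) {
            "Session to $TestHost is re-signed by the XG and validates against the installed CA."
        } else {
            "Session to $TestHost is not re-signed by this CA (site exempted from scanning, or scanning off)."
        }
    } catch [System.Security.Authentication.AuthenticationException] {
        "TLS validation to $TestHost failed: $($_.Exception.Message)"
        "The browser warnings will persist until the issuing CA is trusted by this machine."
    }
} finally {
    $tcp.Close()
}
```

Two notes on the design. The same file can be imported with `certutil -addstore Root C:\Temp\xg-default-ca.pem` if you prefer the command line, and for domain-wide rollout the certificate goes into a GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, which is the GPO push mentioned above. Second, once this CA is in Trusted Root the XG can mint a trusted certificate for any name, and with "Block Invalid Certificates" turned off it will do so even for origins whose own certificate would have failed validation, so the client no longer sees those errors; keep the CA's private key on the appliance only and revisit that setting if the aged internal certificates are ever replaced.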
Frank Angelini

Thanks for your assistance.  I put the solution at the bottom of this question so hopefully someone who has this same issue will be able to get an answer.