Tag Archives: sophos

Bypass stateful firewall on a Sophos XG

Usually, bypassing a firewall is not the best idea. But sometimes you have to. One case, where you want to bypass a firewall, is asymmetric routing.

MichaelGaida/ pixabay.com/ Creative Commons CC0

What is asymmetric routing? Imagine a scenario with two routers on the same network. One router offeres access to the internet, the other router provides access to other sites with site-2-site VPN tunnels.

Asymmetric Routing

Host 1 uses R1 as default gateway. R1 has static routes configured to the networks reachable over the VPN, or it has learned them dynamically using a routing protocol from R2. A packet from host 1 arrives at R1, is routed to R2, and is sent over the VPN tunnel. The answer to this packet arrives at R2, and is sent directly to host 1, because host 1 is the destination. This works because R2 and host 1 are on the same network. This is asymmetric routing, because request and answer go different ways.

In case of routing, this is not a problem. But if R1 is a firewall, this firewall might be stubborn, because it does not see the whole traffic.

Bypass the stateful firewall

I recently had such a setup due to some technical debts. The firewall dropped that “Invalid Traffic”. Fortunately, there is a way to bypass the statefull firewall. You can create advanced firewall rules using the CLI. There is no way to create these rules using the GUI. And this only applies to the Sophos XG (former Cyberoam products).

Login to the device console and select option 4. Then enter on the console the following commands, one per destination:

Make sure that you have a static or dynamically learned route to the networks. This is not a routing entry, it only tells the firewall what traffic should bypass the stateful firewall.

Sophos UTM Home Edition license expired

Sophos offers a free license of their UTM firewall for private use. The product was originally developed by Astaro and since these days I use it at home. After the merger with Sophos I switched to the new Sophos UTM 9, still using my old license. I use it to seperate my test VLAN from my normal VLAN, and I use it as proxy with antivirus scanning for all my devices (iPhone, iPad, laptop etc.), but the UTM can do a lot more than this. This morning I wanted to read my Twitter timeline on my iPhone but I got no connection over WLAN. After disabling the proxy it worked fine. I took a look at the admin interface of my UTM and what did I see? An expired license. WTF?!

UTM_expired_license

So I needed a new license file. I couldn’t imagine, that Sophos canceled all the feature for home uses. I went to the Sophos homepage, but I hadn’t a login for MyUTM. So I decied to register for a new UTM download to get credentials for the MyUTM website. After a short time I got an e-mail with the desired credentials. I logged in and downloaded the new license file.

UTM_myutm_license

After the installation of the new license file, everything was fine again.

UTM_active_license

As you notice, the new license has an expiration date. So better schedule an alarm to get a new one, before you miss your family IT SLAs. Nothing is worse than to have wife and kids complaining about not working IT services at home. ;)