Register Now

Login

Lost Password

Lost your password? Please enter your email address. You will receive a link and will create a new password via email.

How To Configure Port Forwarding In Sophos XG firewall

Here in this article we will learn how to configure port forwarding (DNAT) in sophos XG frewall and also how to troubleshoot port forwarding in sophos XG firewall.

Configure port forwarding in Sophos XG firewall:

DNAT rule:

Port forwarding is used to access internal hosted server from external network. Here my requirement is to access internal RDP server from external network on different port. RDP by default will listen on port 3389, but when some one is accessing RDP on port 4678 it should connect to RDP server on 3389.

Network setup
Port forwarding

So first step is to create DNAT rule in sophos Xg firewall, such as way whoever is connecting to firewall public IP(192.168.0.158) address on port 4678 should connect to internal RDP server(172.16.16.18) on port 3389.

Click on Rules and Policies and add DNAT rule. Here is the sample DNAT rule:

DNAT rule
DNAT rule

Fill up the fields based on your requirement:

Rule name: Enter any name

Rule Position: Try to keep it top, so that traffic will not match any other rule. If you are sure about all the other rules then you can drag it to any position.

Original Source: Keep it any, since traffic is coming from the external network we will not be sure about those IP address. If you want to allow only specific range of Ip address, you can add them in the original source section.

Translated Source: Keep it as original, as we were not doing SNAT here.

Original Destination: Enter your firewall public IP, you should enter the IP address on which users are connecting.

Translated Destination: Enter internal server IP address, so that traffic hitting on the firewall will be mapped to the internal server IP address.

Original Service: Enter original port on which users are connecting. Here i have added port 4678, since that is my external port in this example.

4678 port
External Port

Translated service: It should be the internal service, here in this example traffic should forward to port 3389.

3389 port
Internal Port

Inbound Interface: Keep it as your public IP interface, since traffic is coming through that interface.

Outbound interface: Select interface on which internal server is hosted.

Extra rules

Try not to enable these rules, sometimes if you do not have proper understanding on network these rules will create mess.

Even if you disable these rules, you can achieve the actual requirement by following this article.

Now we have created DNAT rule, lets create firewall rule.

Firewall Rule:

Now we will configure firewall rule to allow the port forwarding traffic. Here is the sample firewall rule:

DNAT rule
Firewall Rule

Fill up the firewall rule based on your requirement

Name: Enter any name

Action: Keep it accept as you are accepting the traffic

Log traffic: Enable this option to enable logging for this firewall. If we do not enable log traffic option in the firewall rule, concerned firewall rule traffic will not be shown in the log viewer.

Rule Position: Keep this firewall rule as top, if you are sure about your all firewall rules you can drag it to your required position.

Rule Group: Keep it as None, so that traffic will not be attached to any group. If you have already created group for DNAT rules, add this rule under specific group.

Source Zone: Keep it WAN, if you want access only from the external network. In case if you want access from your LAN network add LAN zone as well.

Source Network: Keep it as ANY. If you want access only from specific range of IP address enter that range.

Destination Zone: Keep it as LAN, since server is hosted in LAN zone.

Destination Network: Keep it as your public IP, since all traffic hit the public IP address of firewall.

Service: Here enter your external service port, here in this example we should add port 4678. I will suggest you to add both internal and external service.

Now you have configured firewall rule also, click on save the rule.

Troubleshoot Port Forwarding:

We will learn how to troubleshoot port forwarding.

Step-1:

First we need to make sure firewall can connect to RDP server on specific port, here in this example it is port 3389.

Login to the sophos firewall CLI, you can use following article for the same:

SSH

Enter advanced shell and type this command: telnet <internal-ip> <internal-port>

I will use this command “telnet 172.16.16.18 3389” and check if the firewall is able to reach the internal server on port 3389

telnet
Telnet

In my case its not connecting, if you get the same error you should check at your network level about this issue. This issue is not related to firewall, might be on specific port server is not running or server could be offline.

Step-2:

We need to take tcpdump and observe what is happening with the traffic. For that we need to execute this command.

We can capture based on port: “tcpdump -nei any port 4678 or port 3389” or we can also capture based on source IP addresss “tcpdump -nei any host <source IP>”

tcpdump
Traffic

From the above capture we can understand traffic is hitting the public IP(192.168.0.158) of firewall and NAT to the internal IP address (172.16.16.16)

Here my internal RDP machine is offline, so i was observing only [S] packets. There were no reply packets from the internal server.

Check Traffic Is Matching Correct Firewall Rule And Nat Rule

We will check whether traffic is matching the correct firewall rule and NAT rule. If traffic does not hit the correct firewall and NAT rule, it would be rejected by sophos firewall.

So now my firewall rule ID is “7”

Firewall rule
FW rule ID

NAT rule ID is “5”

NAT rule
NAT rule

Click on Diagnostics and Packet capture as shown below:

Packet capture tab
Packet Capture

Enable packet capture and apply the filter. Here you can filter based on ports or source IP. Now i will use ports (port 4678 or port 3389) as shown in image below and capture the traffic.

Packet Capture
Packet capture

We can notice in the above image, clearly the traffic is matching NAT ID 5 and Rule ID 7 which are correct rules.

Remove Connection Tracking Table:

As a final resort, if the port forwarding is still not working if its still matching the wrong firewall rule and NAT rule. Please login to sophos XG firewall >> Device management >> advanced shell. You can use following article to connect to sophos XG CLI:

Putty

Execute this command : “conntrack -F

Note: If we execute the above command, it will disconnect all the sessions in the firewall and they will be reconnected immediately.

Issue will be resolved

In this way we can troubleshoot port forwarding in sophos XG firewall. In case if you still have doubts feel free to contact us.

Hope this article helps you.