
Website Is Not Accessible Through Sophos XG

In this article we troubleshoot the case where a website is not accessible through a Sophos XG firewall.

Issue:

A user cannot access a website through the Sophos XG firewall, but confirms that the same website is reachable when the firewall is not in the path.

Website unreachable

Troubleshooting:

This issue can have several causes:

  1. MTU/MSS mismatch: if the path to the web server supports a smaller MTU than the client assumes, large TCP segments are dropped and the site appears unreachable.
  2. Security policy: the website is blocked by the web filtering, IPS, ATP or application control policies attached to the Sophos XG firewall rule its traffic matches.
  3. Inspection the site does not tolerate: the DPI engine, or the deep packet inspection done by IPS and ATP, breaks the connection (Resolution-3 and Resolution-4 below).

Resolution-1: For MSS Value Issue

Check the largest packet the website responds to. From a Windows command prompt, run "ping firewallgeeks.com -f -l <size>": -f sets the Don't Fragment bit and -l sets the ICMP payload size in bytes. Start with 1440 and increase in steps of 10 until the ping stops getting replies; the largest size that still gets a reply is the value to note. (On Linux the equivalent is "ping -M do -s <size> firewallgeeks.com".)

The value found this way is an ICMP payload, not a TCP MSS. Add 28 bytes (IPv4 and ICMP headers) to get the path MTU, then subtract 40 bytes (IPv4 and TCP headers) to get the MSS, so MSS = payload - 12. The MSS configured on the WAN interface must be less than or equal to what the path supports: a smaller value is always safe, a larger one reintroduces the problem.

Suppose the website "firewallgeeks.com" responds to a payload of 1452. We can confirm this by running the command above in the command prompt:

Working MSS value

If we use 1453 instead, the ping fails, as shown below:

Non-working MSS value

In this example the MSS entered on the firewall WAN interface is 1452, the value on which the site responded (if you derive the MSS from the path MTU instead, 1452 - 12 = 1440 is the conservative choice). Click Network >> Interfaces and identify the WAN interface.

WAN interface

Under Advanced settings, tick "Override MSS" and enter the value found above. Do this in a maintenance window, because the change briefly interrupts traffic on that interface.

Advanced settings: Override MSS

Now try to access the website; it should load.

Note: changing the MSS value causes a brief disruption of the internet connection on that interface.
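As an added example (not code from the article or from Sophos), the following Python script automates the probe described above: it sends Don't Fragment pings through the system ping command, binary-searches the largest payload that still gets a reply instead of stepping by 10, and converts that payload into the MSS to set on the WAN interface (payload + 28 bytes of IP/ICMP header = path MTU; path MTU - 40 bytes of IP/TCP header = MSS). The host name, the ping flags assumed for Windows, Linux and macOS, and the simulated 1480-byte path used in the demo run are assumptions of the example.

```python
"""Probe path MTU with DF-flagged pings and derive the TCP MSS for the WAN interface.

Added example for this article, not code from Sophos or the original page. It
drives the system 'ping' binary (Windows, Linux iputils and macOS flags are
assumed) and replaces the article's "increase by 10" sweep with a binary search.
"""
import platform
import subprocess
from typing import Callable

ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header around the ping payload
TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header (no options)
ETH_MAX_PAYLOAD = 1500 - ICMP_OVERHEAD  # 1472: largest payload on a plain Ethernet path


def mss_from_icmp_payload(payload: int) -> int:
    """Convert the largest working 'ping -l/-s' payload into a TCP MSS.

    path MTU = payload + 28, MSS = path MTU - 40, so MSS = payload - 12.
    """
    return payload + ICMP_OVERHEAD - TCP_OVERHEAD


def ping_df_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one Don't-Fragment ping with the given payload size.

    Returns True only if an echo reply came back (the reply line contains
    'TTL='); a 'needs to be fragmented' error or a timeout counts as failure.
    """
    system = platform.system()
    if system == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), "-w", str(timeout_s * 1000), host]
    elif system == "Darwin":  # BSD ping: -D sets the DF bit
        cmd = ["ping", "-c", "1", "-D", "-s", str(payload), host]
    else:  # Linux iputils: -M do forbids fragmentation
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload), "-W", str(timeout_s), host]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s + 5)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return "ttl=" in out.stdout.lower()


def largest_working_payload(probe: Callable[[int], bool], lo: int = 1000,
                            hi: int = ETH_MAX_PAYLOAD) -> int:
    """Binary-search the largest payload for which probe() still succeeds.

    lo is a size expected to work, hi the largest size worth testing.
    Returns -1 if even lo fails (path badly broken or host down).
    """
    if not probe(lo):
        return -1
    if probe(hi):
        return hi
    # Invariant: probe(lo) succeeded, probe(hi) failed.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Offline stand-in for ping_df_probe: behaves like a path with the given MTU."""
    return lambda payload: payload + ICMP_OVERHEAD <= path_mtu


def recommend_mss(host: str) -> dict:
    """Probe a real host and return the payload, path MTU and MSS to configure."""
    payload = largest_working_payload(lambda size: ping_df_probe(host, size))
    if payload < 0:
        return {"payload": -1, "path_mtu": -1, "mss": -1}
    return {"payload": payload,
            "path_mtu": payload + ICMP_OVERHEAD,
            "mss": mss_from_icmp_payload(payload)}


if __name__ == "__main__":
    # Constructed scenario (assumption): a path whose MTU is 1480, e.g. a tunnel
    # or PPPoE hop upstream, accepts a 1452-byte payload but not 1453.
    best = largest_working_payload(simulated_probe(1480))
    print(f"largest payload {best}, path MTU {best + ICMP_OVERHEAD}, "
          f"MSS to set on WAN {mss_from_icmp_payload(best)}")
    # Against a real host: print(recommend_mss("firewallgeeks.com"))
```

Run it against a real host with recommend_mss("firewallgeeks.com"). The -12 conversion is the point to take away: a site that answers a 1452-byte Don't Fragment ping sits behind a 1480-byte path MTU, so the exact MSS for it is 1440, and anything at or below that value is safe.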

Resolution-2: Website Blocked By Security Policies

Some websites are blocked by the security policies attached to the firewall rule their traffic matches. In that case, create a plain FQDN rule at the top of the rule list for that specific website. Below, I create a plain FQDN firewall rule to allow "firewallgeeks.com".

Create an FQDN host under Hosts and Services >> FQDN Host:

FQDN host: firewallgeeks.com

Go to Rules and Policies and click Add firewall rule.

Set Rule position to Top and Rule group to None.

Source Zone: ANY

Destination Zone: ANY

Source Networks: ANY

Destination Networks: the FQDN host created above

Service: ANY (for a website, HTTP and HTTPS are sufficient and narrower)

Click Create linked NAT rule and keep the translated source (SNAT) as MASQ, as shown below:

Linked NAT rule: translated source MASQ

Deselect all security policies (web filtering, application control, IPS, ATP and so on) for this firewall rule. Because nothing inspects the traffic that matches it, restrict Source Zone and Source Networks to the users who actually need the site rather than leaving them at ANY.

Firewall rule

Save the firewall rule.

The website should now be accessible.

Resolution-3:

Some websites do not work with the DPI engine. In the firewall rule that handles the traffic, enable "Use web proxy instead of DPI engine", as shown in the screenshot below:

Web proxy

Try the website again; if the DPI engine was the cause, it now loads.

Resolution-4:

Sometimes a website is unreachable because the deep packet inspection performed by IPS and ATP interferes with it. In that case, identify the firewall rule that the website's traffic matches (the Log viewer shows the rule ID for each connection) and note down the rule ID.

Consider a website whose traffic matches the following firewall rule and is not accessible:

Default firewall rule

Log in to the Sophos XG firewall CLI (for example over SSH with PuTTY) and choose Device console.

Run "set ips ac_atp exception fwrules <firewall rule ID>" to exclude that rule's traffic from application classification and ATP. For example, to exclude firewall rule ID 5:

set ips ac_atp exception fwrules 5

IPS/ATP exclusion for firewall rule 5

Note: to remove the application classification and ATP exception again, run:

set ips ac_atp exception fwrules none

IPS/ATP exclusion cleared

To view the current bypass settings, run:

show ips-settings

IPS settings

Now try the website again; it should work.

If you do not want this exclusion to apply to all traffic matching a busy rule, create a dedicated firewall rule for this website alone at the top of the rule list. For example, if Facebook is not accessible, create a rule at the top for the Facebook FQDN only, as shown below:

Firewall rule for the Facebook FQDN host

As shown above, create an FQDN host for the Facebook website and add it as the destination network. All Facebook traffic then matches this rule (make sure it stays at the top of the rule list).

Note down this rule's ID and create the application classification and ATP exclusion for that rule ID only, so the remaining firewall rules are not affected.

Hope this article helps you.