Sophos XG Firewall Port Forwarding

Like in previous posts, I’m skipping the normal “junk” (installation). I’ll come back to it later, but I want to cover this right away. The reason for this is that the port forwarding (NAT) section is …. beyond confusing, and I think completely unnecessary.

To anyone from Sophos reading this, please, fix the UI. It’s broken, stupid and actively harms your user base. Unless the goal is to force administrators to pay for training on how to use the clusterfuck that is the new UI …. you’ve completely failed here. COMPLETELY.

That said, let’s cover how to successfully forward ports on Sophos XG Firewall.

WARNING:  If you’ve already read through this, re-read. Things have changed. Some stuff didn’t work right… and broke access internally to the forwarded ports (in my case, web traffic).


 

Once you’ve set up your Sophos box, it’s time to set up NAT.

First, click on the “box” icon at the bottom. Open the “Policies” section and click on “Network Address Translation”.

 

The first thing to do is to click on the Shield button, the one with the checkbox on it. It is located on the bar on the left side.

Port Forwarding - Dashboard

This will bring up the “Policies”  page. By default, you should only have one, that allows “everything” effectively (so no, it’s not as draconian as the previous versions, for better or worse).

Click on the “+ Add Firewall Rule”, and select “Business Application Rule”.

Port Forwarding - Add Rules

Set the position to whatever you want, but set the “Application Template” to “Non-HTTP Based Policy” (even if this is for a web server, as the HTTP template is much more complicated).

Set the “Rule Name” to whatever you want (but it should be something meaningful). Now for the fun (and confusing) part.

Port Forwarding Rule Type

The first section to mess with here is the “Source”. This is where the traffic is coming from. Specifically, you want to select your WAN adapter (and thank you Sophos for no longer referring to it as such). For my system, this is Port 2.  You should have no exceptions here (that I’m aware of).
Set this to “Any”. Don’t set an Exception here (not needed, I think).

For the “Hosted Server”, this … is the part that doesn’t make any fucking sense. You’d think that this means the server that hosts the actual site. It’s not. “It is the public IP address through which users access an internal server/host over the Internet.” Why this needs to be repeated twice …. I don’t fucking know. It’s not needed twice, but I’m leaving all the edits in here, just to see how confusing this is. It’s incredibly complicated, and it really shouldn’t be.

But select “WAN”, and then select the Port that you used above, and this time it should list the public IP address for your connection.

Port Forwarding - Source

(ignore that I have Port1 added as an exception, I was testing something out)

Now, for the “Protected Application Server(s)” section, you want to set the Zone to “LAN”. Then you want to set the “Protected Application Server(s)” to the device in question.

Also, do not check the “Forward All Ports” option here. You only need the explicitly defined ports forwarded.

And then to the actual port forwarding section. This section really exemplifies Sophos XG: One Step Forward, Two Steps Back.

You can only specify TCP or UDP for the protocol. Yup, that’s right. If you want both, you need to create TWO rules. Bitching aside, they do allow you to actually specify a list of ports now! So you can add 80, 443, and whichever others you need for your web server. No more 20 rules just to enable everything, unless you want. That’s a huge improvement here.

For the most part, you’re going to want TCP here for most web servers. But check the service you’re forwarding to make sure.

I’ve used “ARRAKIS” for the web server’s name, and I’m forwarding HTTP (port 80) and HTTPS (443), and I’m doing it for TCP and UDP (so yes, two separate rules here).

Port Forwarding - Port Forwarding

In the “Routing” section, enable the “Rewrite source address (Masquerading)” option, and set the “Use Outbound Address” to “MASQ” (alternatively, you can create an entry for the server and specify it here, but it’s not needed apparently).

Port Forwarding NAT Rules - Because MASQ

After you’ve set that, click on “Save”, as there isn’t anything else that you need to create. Just save it, and create the next rule. Feel free to use GRC’s ShieldsUp! service to verify if the port is open. It’s a great service (GRC’s ShieldsUp, that is) and works well.
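A scripted version of that check, as an added example that is not part of the original post: it probes the firewall's public address over TCP and compares what answers with what the rule was meant to expose. The port lists, the function names and the placeholder address are assumptions made for this sketch.

```python
import socket
import sys

# Assumed for this sketch: the rule forwards TCP 80 and 443, as in the post.
INTENDED_TCP = {80, 443}
# Constructed list of ports that should NOT answer on the public address.
SHOULD_BE_CLOSED = {21, 22, 23, 25, 445, 3389, 8080}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_forwarding(host, intended=INTENDED_TCP, closed=SHOULD_BE_CLOSED,
                     timeout=2.0, probe=tcp_open):
    """Compare what answers on `host` with what the rule should expose.

    missing:    intended ports that do not answer (rule or routing broken)
    unexpected: ports outside the rule that answer, e.g. because
                "Forward All Ports" was ticked or another rule is too wide
    """
    intended = set(intended)
    closed = set(closed) - intended
    state = {p: probe(host, p, timeout) for p in sorted(intended | closed)}
    return {
        "missing": sorted(p for p in intended if not state[p]),
        "unexpected": sorted(p for p in closed if state[p]),
    }


if __name__ == "__main__":
    # Usage: python audit_forwarding.py <public-ip-or-hostname>
    # 203.0.113.10 is a documentation (TEST-NET-3) placeholder address.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    result = audit_forwarding(target)
    print(target, result)
    sys.exit(1 if result["missing"] or result["unexpected"] else 0)
```

This uses TCP connects only, so the UDP rule is not covered. Run it from outside the network and again from a LAN host against the same public address; the second run catches the internal-access breakage mentioned in the warning at the top.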

 

 

Okay, now that I’ve gotten it working and have had a chance to cool off a bit… there is one really nice improvement here. The port forwarding rules actually do tell you how much traffic has gone through them. So you can see how active they’ve been, or even if they’re necessary.

 

Next, I will probably cover the installation or web filter!

Author: Drashna Jael're

18 thoughts on “Sophos XG Firewall Port Forwarding”

  1. Yes, this seems like an expansive set of things to do, counter to the ‘simplicity’ claim. But with regard to the “hosted address” part, this would seem logical only to someone who had multiple IP addresses on the WAN. Does this part work for IPv6 too?

    1. Oh, I definitely understand that. However, it was still handled better in Sophos UTM. You could absolutely specify that (“External (Network/Address/etc)”). Meaning, it was still possible. Here, it’s a lot more confusing for new users. Essentially, it feels like they want to force you to RTFM or pay for training courses….

  2. Wow, I am feeling that animosity here, don’t hold back. I am experimenting with XG right now and must say it is not for the faint of heart. Some things are easy while others are unbearably confusing. They took the simple and made it hard. A home version that is not for the home. Nice write-up, and it will help with the next step, as that is where I am at.

    1. Not only have I not held back (well, a bit here, as I didn’t want it too hostile, but wanted my frustration to definitely show), but I’ve posted on the new Sophos forums.

      The XG product looks great, but when they consolidated elements, they did so in a counterintuitive way, and removed others. Their whole “3 clicks away” thing is BS, as most features were already 3 clicks away.

      Additionally, I’ve had to update this guide, as …. port forwarding the web service ports broke access on them for the local system. Meaning my server was no longer able to connect on ports 80 and 443. That’s … … ridiculous that I had to go to extra lengths that I didn’t in Sophos UTM.

      In fact, I’m probably going back to the UTM product because it was better. The web filter definitely performs better. But you can’t fix any issues it has. No exceptions, no rules, no way to add sites to categories, no way to use a custom CA Certificate for the web filter, etc. So many bad, horrible changes. I’ll take the second or two delay in Sophos UTM to be able to CUSTOMIZE AND FINE TUNE it.

      I mean, it really feels like Belkin bought the company.

      1. Chris, by any chance did you try and do an upgrade install from UTM9? When I was going through some docs it showed the options but not sure if it’s active yet or not. I am just wondering how much stuff it would bring over and if Netflix would keep working? That would shed some light on how to fix it ourselves. I am having a real love-hate for this new product but I want to give it more time before I restore UTM9.

        1. Nope, I did a clean install. It’s the only option available right now.
          I believe that I saw plans for next year to have an upgrade path, but I’m not sure.

          That said, if you want to have a working web filter *enabled* and Netflix *working*, it’s 9.3 for now.

      2. Ouch. Belkin, that’s really harsh. Not feeling the desire to spend this much time on this product. I will try again but if I do not get anywhere I will stick with Untangle.

        1. It’s really harsh, but the product really is that limited.

          In UTM, you could exclude sites from the web filter. I’ve found no way to do that on XG Firewall. So it WILL break things like Netflix on mobile devices (including the Roku and the like).
          Additionally, the file size limit is ~2MBs for the scanner, which is unbelievably small.

          And the thing that bothers me the most is that the firewall allows all outgoing traffic by default, without an easy way to change that (I like being able to control this).

          But probably the biggest issue? All the settings with absolutely no explanation to what they do.

          1. Sorry you said in one of your comments that XG allows all outgoing traffic by default. That’s not what I found, after the install I had no rules at all and had to add an explicit allow rule before I could get any outbound traffic working. Maybe they’ve changed something in my version, I’m running 15.01.0.

  3. Hey great post! I too have been struggling with http/https forwarding, I am new to XG and wanted a firewall that would enable me to host multiple web servers behind a single IP and forward depending on the http FQDN. But like you I am finding the GUI really confusing.

    That was a great tip about setting the “hosted server” to use the WAN port, I had mine set to LAN as I naturally assumed it meant the actual web server.

    The problem I’ve got now is in order to specify the host FQDN I have to use the HTTP based policy template, and I want to forward 443 to port 8000 for a specific server/FQDN. However as soon as I enable https it asks me for a certificate – I was hoping to just forward the traffic but I guess it wants to do all its https inspection bollocks. Any idea how I can forward https without having to upload a cert?

    I have tried setting up an http policy without enabling https, and telling it to listen on 443 but I get an SSL protocol error.

  4. Hi, so anyway, I’ve spent a couple days with this now, I am still finding the policy templates confusing but have got my https forwarding working, I ended up generating some self-signed certs and using those, it can all be done through the GUI so no need to muck about with openssl on Linux etc. I get self-signed cert warnings obviously but that’s fine for now, the main thing is I have two https servers sat behind a single IP and you can reach either from outside simply by using the correct DNS name, works great.

  5. Drashna,

    I just wanted to hear your take on any improvements that Sophos has made to their XG firewall. Have you seen any progress on making this easier and better?

    Thank you

    1. I haven’t checked since the initial release. I’ve heard there have been improvements, but to be honest, I’m not going to switch until the web filtering has been significantly improved.

      Since the web filtering is a big part of why I use it, and I use the “decrypt and scan” option as well… I have no intention of moving over right now.

      That said, I do use XG Firewall for my VM lab, to isolate it from the rest of the network without having to resort to VLAN tagging.

      1. Are you still using Sophos UTM? I like that quite a bit but the 50 IP limit makes it a non starter for me.

        1. Yup, but yeah, the 50 device limit is troubling. But that’s only for the “home” license. If you’re willing to pay, you can get a full license… but that’s going to be expensive.

          That said, the limit is a soft limit, as it does give you a grace buffer.

          1. That’s more than I want to spend. I’m going to start testing Untangle since the at home pricing is more than fair.

          2. In that case, it may be worth checking out the Sophos XG Firewall for you, then. It has no device limit for the home version, and the web filter is about as effective as Untangle’s.
