Like in previous posts, I’m skipping the normal “junk” (installation). I’ll come back to it later, but I want to cover this right away. The reason for this is that the port forwarding (NAT) section is … beyond confusing, and I think completely unnecessary.
To anyone from Sophos reading this, please, fix the UI. It’s broken, stupid and actively harms your user base. Unless the goal is to force administrators to pay for training on how to use the clusterfuck that is the new UI … you’ve completely failed here. COMPLETELY.
That said, let’s cover how to successfully forward ports on Sophos XG Firewall.
WARNING: If you’ve already read through this, re-read. Things have changed. Some stuff didn’t work right… and broke access internally to the forwarded ports (in my case, web traffic).
Once you’ve set up your Sophos box, it’s time to set up NAT.
First, click on the “box” icon at the bottom. Open the “Policies” section and click on “Network Address Translation”.
The first thing to do is to click on the Shield button, the one with the checkbox on it. It is located on the bar on the left side.
This will bring up the “Policies” page. By default, you should only have one, that allows “everything” effectively (so no, it’s not as draconian as the previous versions, for better or worse).
Click on the “+ Add Firewall Rule”, and select “Business Application Rule”.
Set the position to whatever you want, but set the “Application Template” to “Non-HTTP Based Policy” (even if this is for a web server, as the HTTP template is much more complicated).
Set the “Rule Name” to whatever you want (but it should be something meaningful). Now for the fun (and confusing) part.
The first section to mess with here is the “Source”.
This is where the traffic is coming from. Specifically, you want to select your WAN adapter (and thank you Sophos for no longer referring to it as such). For my system, this is Port 2. You should have no exceptions here (that I’m aware of).
Set this to “Any”. Don’t set an Exception here (not needed, I think).
For the “Hosted Server”, this
… is the part that doesn’t make any fucking sense. You’d think that this means the server that hosts the actual site. It’s not. “It is the public IP address through which users access an internal server/host over the Internet.” Why this needs to be repeated twice … I don’t fucking know. It’s not needed twice, but I’m leaving all the edits in here, just to see how confusing this is. It’s incredibly complicated, and it really shouldn’t be.
But select “WAN”, and then select the Port that you used above, and this time it should list the public IP address for your connection.
(ignore that I have Port1 added as an exception, I was testing something out)
Now, for the “Protected Application Server(s)” section, you want to set the Zone to “LAN”. Then you want to set the “Protected Application Server(s)” to the device in question.
Also, do not check the “Forward All Ports” option here. You only need the explicitly defined ports forwarded.
And then to the actual port forwarding section. This section really exemplifies Sophos XG: One Step Forward, Two Steps Back.
You can only specify TCP or UDP for the protocol. Yup, that’s right. If you want both, you need to create TWO rules. Bitching aside, they do allow to you actually specify a list of ports now! So you can add 80, 443, and whichever others you need for your web server. No more 20 rules just to enable everything, unless you want. That’s a huge improvement here.
For the most part, you’re going to want TCP here for most web servers. But check the service you’re forwarding to make sure.
I’ve used “ARRAKIS” for the web server’s name, and I’m forwarding HTTP (port 80) and HTTPS (443), and I’m doing it for TCP and UDP (so yes, two separate rules here).
In the “Routing” section, enable the “Rewrite source address (Masquerading)” option, and set the “Use Outbound Address” to “MASQ” (alternatively, you can create an entry for the server and specify it here, but it’s not needed apparently).
After you’ve set that, click on “Save”, as there isn’t anything else that you need to create. Just save it, and create the next rule. Feel free to use GRC’s ShieldsUp! service to verify if the port is open. It’s a great service (GRC’s ShieldsUp, that is) and works well.
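As an added illustration (my own, not Sophos’ code, and XG exposes no API I’m using here), a small Python model of the rule exactly as the steps above describe it: it splits a TCP+UDP rule into the two rules XG insists on, flags the settings I warned about (Forward All Ports, a missing port list, masquerading off), and does a plain TCP connect as a local stand-in for ShieldsUp. The host name and the 203.0.113.10 address are constructed sample values.

```python
import socket
from dataclasses import dataclass, replace

@dataclass
class NatRule:
    """One XG 'Business Application Rule' (Non-HTTP Based Policy); fields follow the post."""
    name: str
    source_zone: str          # where traffic comes from: the WAN zone
    hosted_server: str        # the *public* IP users connect to, not the internal host
    protected_zone: str       # zone of the internal host: LAN
    protected_server: str     # the internal host, e.g. "ARRAKIS"
    ports: list               # explicit port list, e.g. [80, 443]
    protocols: list           # "TCP", "UDP" or both
    forward_all_ports: bool = False
    masquerade: bool = True   # "Rewrite source address (Masquerading)" with MASQ

def expand_rules(rule):
    """XG takes one protocol per rule, so TCP+UDP becomes two otherwise identical rules."""
    return [replace(rule, name=f"{rule.name} ({p})", protocols=[p]) for p in rule.protocols]

def lint(rule):
    """Return the settings worth fixing before clicking Save."""
    problems = []
    if rule.source_zone != "WAN":
        problems.append("source zone is not WAN")
    if rule.protected_zone != "LAN":
        problems.append("protected zone is not LAN")
    if rule.forward_all_ports:
        problems.append("Forward All Ports is on: every service on the host becomes reachable")
    if not rule.ports:
        problems.append("no ports listed")
    if len(rule.protocols) != 1:
        problems.append("one protocol per rule: split TCP and UDP into two rules")
    if not rule.masquerade:
        problems.append("masquerading off: this is what broke internal access to forwarded ports")
    return problems

def tcp_port_open(host, port, timeout=3.0):
    """Local stand-in for ShieldsUp: can we complete a TCP connect to host:port? (TCP only.)"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    # Constructed sample; 203.0.113.10 is a documentation address, not a real public IP.
    web = NatRule("ARRAKIS web", "WAN", "203.0.113.10", "LAN", "ARRAKIS", [80, 443], ["TCP", "UDP"])
    for r in expand_rules(web):
        print(r.name, r.ports, lint(r) or "ok")
```

Run `tcp_port_open("<your public IP>", 443)` from outside your LAN to confirm the forward; UDP forwards can’t be checked this way.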
Okay, now that I’ve gotten it working and have had a chance to cool off a bit… there is one really nice improvement here. The port forwarding rules actually do tell you how much traffic has gone through them. So you can see how active they’ve been, or even if they’re necessary.
Next, I will probably cover the installation or the web filter!