Sophos UTM and Policy Based Routing

Ok, so I have to admit that the Sophos XG is pretty good when it comes to Policy Based Routing (PBR). The XG worked pretty nicely for me running on my somewhat overstretched HP N54L micro server VMware host however upgrading to anything beyond XG v15 became painful. Even at v15 the UI seemed slow and I fancied seeing if this was having any impact on download speeds so I reverted back to a UTM9 vanilla VM. After setting everything up I thought I’d nailed policy based routing on the UTM9 to allow my funky PIA VPN and non-VPN’d traffic to operate as it should however I kept running into problems when trying to access the UTM user portal or my HTTPS service published via the Web Application Firewall (WAF).

2017-06-28 20_11_12-Photos

By default I wanted all traffic to leave via the interface connected to the pfSense (and therefore the VPN) and the policy routes would act as exclusions sending particular traffic (anything like SIP or gaming ports) out of the non-VPN interface. Sadly this messes up user portal and WAF traffic entering the non-VPN interface as I believe it is trying to asymmetrically route back over the VPN tunnel with a different source IP from the clients perspective. I even created a rule that would send traffic for destination ports >= 1024 via the non-VPN’d interface to no avail.

The only way I could make the published HTTPS server work was by ditching the WAF and having a DNAT rule which seemed to reply back to the client over the correct interface – but that didn’t solve the traffic to the user portal of the UTM itself.

I was able to get the user portal working by changing the default gateway from the pfSense interface to the normal VM Router interface, but this negated my policy routes as all traffic by default would go via the non-VPN’d route unless stated in the policy routes. I’ve managed to work around this by being more creative with the routes however I do feel things are more granular and intuitive on the Sophos XG appliance. I really must find a low powered PC with a NIC that has VLAN support or two NICs and use a more up to date version of XG!

Also in my numerous hours tinkering I managed to lock myself out of the UTM completely by creating a policy route for all traffic, including that destined for the UTM itself. Nothing would respond and I started to hover over the ‘go to’ button on the most recent VMware snapshot, but persisted a little with Google to find some guides. In the end I had to reset the root password by following the ‘All password reset procedure’ here. After that I needed to disable the offending policy route via the CLI which followed this guide here HOWEVER after entering the commands “status=0” without quotes, you also need to type “w” and hit return. I battled for some time following the guide and wondering why the route was never disabling. For full clarity the process is as follows:

  • Get into the CLI either by SSH, a serial console session or via the screen
  • Log in as root
  • Type the following one line at a time
    • cc
    • OBJS
    • route
    • policy
  • Then use the TAB key twice to get a list of policy routes
  • REF_RouPol will automatically be entered. Fill in the rest of the line with the relevant policies name such as “REF_RouPolAnyFromAnyTo” and hit return
  • Type the following
    • status=0
    • w
    • exit
  • Your policy rule is now disabled

2018-02-22 21_03_52-Sophos UTM on localhost.localdomain


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s