Generator for Internet IPv4 group exceptions

This article was created with the help of a translation tool. Although we check the translation, errors in the content cannot be ruled out. Please bear this in mind when using the content. Thank you for your understanding.

The "Internet IPv4 group" in the Sophos Firewall contains all public IPv4 address space. That necessarily includes your own public addresses, and other people's, which you sometimes do not want in the group. This generator for Internet IPv4 group exceptions lets you customize the predefined group quickly by removing the desired IP addresses and networks from it.

tested with SFOS 19.5.x to 21.0.x

Introduction

In my recent Sophos Firewall projects I repeatedly ran into a problem with the "Internet IPv4 group". If you use this object in an SD-WAN rule, the firewall routes matching packets to the WAN or to whatever gateway the rule defines. That is fine as long as the destination really is on the Internet. It is not fine when the destination is one of the firewall's own public addresses, as with the WAF reached from an internal network or with DNAT loopback (hairpin NAT): those packets should be processed by the firewall itself, not forwarded to the Internet gateway. The failure is hard to spot and can only be traced by looking very closely at the routing decisions in the logs or in the conntrack table.
The same thing can happen in other setups where you do not want an SD-WAN rule to route every public IP address. You can always add a higher-priority SD-WAN rule that sends the individual case elsewhere or to the firewall itself, but that is not always elegant.

At some point I no longer found the customization of the objects fun and set about creating this generator. And here is the generator for Internet IPv4 group exceptions!

When exactly does the problem occur?

The routing precedence must place "SD-WAN" before "static routes"; only then can you run into this problem. With the opposite order I have not observed it so far. The position of "VPN" in the sequence does not matter, unless public IP addresses are used inside the VPN tunnel, in which case the issue can also occur when "SD-WAN" comes before "VPN".

How can I change the priority? Here is a guide from Sophos.

You can check the order in the WebUI as follows:

Static before SD-WAN (no problem)
SD-WAN before static (problem possible)

What does the generator do?

  • Read the short FAQ about the generator at the end of the article before using it!
  • Please also note that the exceptions you create remain on our server for 30 minutes before they are deleted. If you do not agree with this, do not use the generator, or at least do not click "Generate new objects". Until you do, the data is only displayed in the session and is not saved: you are shown only the new exceptions to be created and would have to create the objects on the firewall yourself.

You can use the generator to exclude individual IP addresses or networks from the "Internet IPv4 group" predefined by Sophos. Several IPs or networks can be entered one after the other. The generator shows the new IP ranges to be created and which original objects are no longer required in the new "Internet IPv4 group".

Finally, the "Generate new objects" button creates a configuration file that you can import onto your firewall. The file contains only the new IP ranges to be created, plus a new group that has the old and new objects as members. The original ranges and the original group remain untouched!

In SFOS 20.0.1, Sophos made small adjustments to two of the ranges (see the list below). On older firmware the adjusted boundaries come along with the imported XML, so there is nothing for you to do 😉

The predefined list from Sophos always serves as the basis; it cannot be changed in the generator:

Objects in the Sophos list

"1.0.0.0-9.255.255.255"
"11.0.0.0-126.255.255.255"
"128.0.0.0-169.253.255.255"
"169.255.0.0-172.15.255.255"
"172.32.0.0-191.0.1.255"
"191.1.0.0-191.255.255.255"
"192.0.1.1-192.0.1.255" (NEW in v20.0.1: "192.0.1.0-192.0.1.255")
"192.0.3.0-192.88.98.255"
"192.88.100.0-192.167.255.255"
"192.169.0.0-198.17.255.255"
"198.20.0.0-198.51.99.255"
"198.51.101.0-203.0.112.255"
"203.0.114.0-223.255.255.255" (NEW in v20.0.1: "203.0.114.1-223.255.255.255")

Operating the generator

  1. Under "Network to exclude", enter a range to be excluded from the list. The entry must always be in CIDR notation, even for a single address (e.g. 1.1.1.1/32).
  2. The network address is derived from the prefix length, so the whole network is excluded even if you enter a host address inside it.
  3. Further ranges can be submitted one after the other.
  4. "Reset" clears all entries.
  5. "Generate new objects" creates the configuration file that you can import into the firewall. From this point on, the data (the exclusions you created) is stored on our server for 30 minutes!
    The download link is shown only once, so copy it if necessary before you close the page.

Only ranges that are not already excluded can be excluded. If you enter a range (or a sub-range) that is already excluded, either by the Sophos list from the outset or by one of your earlier entries, an error message is displayed and you can try again.
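The range arithmetic behind steps 1 to 5, as an added example that is not the generator's own code (the generator runs on the author's server; this is a stand-alone Python reimplementation of what the article says it does). The base list is the Sophos list printed above with the SFOS 20.0.1 boundaries. The rule that an entry must lie entirely inside one remaining range, so that nothing already excluded in whole or in part is accepted, is my reading of the error message described above, and names such as exclude_networks and address_count are mine.

```python
"""Recompute the Sophos "Internet IPv4 group" ranges after cutting out CIDR networks.

Added example, not the generator's code: it mirrors the behaviour the article describes.
"""
import ipaddress
from typing import Iterable, List, Tuple

# The Sophos range list as printed in the article, using the SFOS 20.0.1 boundaries
# for the two entries that changed in that release.
SOPHOS_INTERNET_IPV4: List[str] = [
    "1.0.0.0-9.255.255.255",
    "11.0.0.0-126.255.255.255",
    "128.0.0.0-169.253.255.255",
    "169.255.0.0-172.15.255.255",
    "172.32.0.0-191.0.1.255",
    "191.1.0.0-191.255.255.255",
    "192.0.1.0-192.0.1.255",
    "192.0.3.0-192.88.98.255",
    "192.88.100.0-192.167.255.255",
    "192.169.0.0-198.17.255.255",
    "198.20.0.0-198.51.99.255",
    "198.51.101.0-203.0.112.255",
    "203.0.114.1-223.255.255.255",
]

Range = Tuple[int, int]  # inclusive start and end address as integers


def parse_range(text: str) -> Range:
    start, end = text.split("-")
    return int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))


def format_range(r: Range) -> str:
    return f"{ipaddress.IPv4Address(r[0])}-{ipaddress.IPv4Address(r[1])}"


def exclude_networks(cidrs: Iterable[str], base: Iterable[str] = SOPHOS_INTERNET_IPV4):
    """Cut the given CIDR networks out of the base list.

    Returns (final_ranges, new_objects, dropped_objects) as "a.b.c.d-w.x.y.z" strings:
    the complete customised group, the range objects that have to be created, and the
    original Sophos objects that the customised group no longer contains.
    """
    ranges: List[Range] = sorted(parse_range(r) for r in base)
    original = set(ranges)
    for cidr in cidrs:
        # strict=False turns a host address such as 1.1.1.5/24 into 1.1.1.0/24, so the
        # whole network is excluded, as the article describes for the generator.
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            raise ValueError(f"{net} is not an IPv4 network")
        lo, hi = int(net.network_address), int(net.broadcast_address)
        # The network has to sit entirely inside one remaining range. If it does not,
        # part of it is already excluded (by Sophos from the outset or by an earlier
        # entry) and it is rejected; this mirrors the generator's error message
        # as I read the article (assumption).
        hit = next((r for r in ranges if r[0] <= lo and hi <= r[1]), None)
        if hit is None:
            raise ValueError(f"{net} is already excluded, at least in part")
        ranges.remove(hit)
        if hit[0] < lo:
            ranges.append((hit[0], lo - 1))
        if hi < hit[1]:
            ranges.append((hi + 1, hit[1]))
        ranges.sort()
    remaining = set(ranges)
    final = [format_range(r) for r in ranges]
    new_objects = [format_range(r) for r in ranges if r not in original]
    dropped = [format_range(r) for r in sorted(original - remaining)]
    return final, new_objects, dropped


def address_count(ranges: Iterable[str]) -> int:
    """Number of addresses covered by "start-end" strings, for consistency checks."""
    return sum(hi - lo + 1 for lo, hi in map(parse_range, ranges))


if __name__ == "__main__":
    final, new, dropped = exclude_networks(["1.1.1.1/32", "8.8.8.0/24"])
    print("new range objects to create:", *new, sep="\n  ")
    print("original objects no longer needed:", *dropped, sep="\n  ")
    print("customised group:", *final, sep="\n  ")
```

Running the script prints the three lists for 1.1.1.1/32 and 8.8.8.0/24. To reproduce the generator's error, pass a range the Sophos list already leaves out, such as 203.0.113.0/24 or 10.0.0.0/8, or enter the same range twice.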

As always, we accept no liability for damage or problems that may arise from the information provided here. To be on the safe side, we recommend always trying this out in a test environment first. Use in a live environment is at your own risk.

Generator



Versions

15.05.2024 - SFOS 20.0.1 range adjustments adopted in the blog post and the generator

FAQ

Are the created exceptions saved on the server?

Yes, but only once the TAR file for import has been created (the "Generate new objects" button). As long as only the table is generated, no data is stored on the server. The file is kept on our server for 30 minutes and is then deleted. You give your consent to this via the content blocker.

Where can I import the created exceptions?

The import is done in the usual way via "Backup & Firmware -> Import/Export -> Import". After a successful import, a new host group is available. Always upload the TAR file itself, not its unpacked content; otherwise the import will not work.

What are the new objects called?

Each new host object is called "Internet IPv4 (x.x.x.x-y.y.y.y)".
The names of the original Sophos objects do not contain fully written-out ranges!
The new host group is called "Internet IPv4 custom group (yyyymmdd)".
The date in brackets is the date on which the import file was created. The group can of course be renamed.

Is it possible to check the file to be imported and its content before importing?

Yes. Unpack the TAR file; it contains an "Entities.xml" file that can be opened and read in any text editor.
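Reading the file in an editor is fine for a handful of ranges; for a longer exception list it is easier to let a script check the archive before you import a configuration that came from a third-party website. The following is an added example and not the generator's or Sophos's code. It reads Entities.xml straight out of the TAR without unpacking anything to disk and checks that the file defines only range objects named as described in the FAQ, that no range still contains an address you excluded, that the ranges do not overlap each other, and that the new group references only objects the file defines or leaves original Sophos objects alone. The element names IPHost, HostType, StartIPAddress, EndIPAddress, IPHostGroup, HostList and Host are my assumption about the entity format; adjust them to what your file actually contains. The sample archive is constructed inline so the script runs offline.

```python
"""Sanity-check a generator TAR (Entities.xml) before importing it into SFOS.

Added example, not the generator's or Sophos's code. Element names are an assumption.
"""
import io
import ipaddress
import tarfile
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the two range objects that 1.1.1.1/32 cut out of
# 1.0.0.0-9.255.255.255, and a group referencing them. Assumed element names.
SAMPLE_ENTITIES_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <IPHost><Name>Internet IPv4 (1.0.0.0-1.1.1.0)</Name><IPFamily>IPv4</IPFamily>
    <HostType>IPRange</HostType>
    <StartIPAddress>1.0.0.0</StartIPAddress><EndIPAddress>1.1.1.0</EndIPAddress></IPHost>
  <IPHost><Name>Internet IPv4 (1.1.1.2-9.255.255.255)</Name><IPFamily>IPv4</IPFamily>
    <HostType>IPRange</HostType>
    <StartIPAddress>1.1.1.2</StartIPAddress><EndIPAddress>9.255.255.255</EndIPAddress></IPHost>
  <IPHostGroup><Name>Internet IPv4 custom group (20240515)</Name><IPFamily>IPv4</IPFamily>
    <HostList><Host>Internet IPv4 (1.0.0.0-1.1.1.0)</Host>
      <Host>Internet IPv4 (1.1.1.2-9.255.255.255)</Host></HostList></IPHostGroup>
</Configuration>
"""


def build_tar(entities_xml: bytes = SAMPLE_ENTITIES_XML) -> bytes:
    """Pack an Entities.xml into an in-memory TAR, like the generator's download."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name="Entities.xml")
        info.size = len(entities_xml)
        tar.addfile(info, io.BytesIO(entities_xml))
    return buf.getvalue()


def read_entities(tar_bytes: bytes) -> ET.Element:
    """Parse Entities.xml directly from the archive; nothing is written to disk."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        member = next(m for m in tar.getmembers()
                      if m.isfile() and m.name.endswith("Entities.xml"))
        data = tar.extractfile(member).read()
    return ET.fromstring(data)


def check_entities(root: ET.Element, excluded_cidrs: Iterable[str]) -> List[str]:
    """Return findings; an empty list means the file contains only what the FAQ promises."""
    findings: List[str] = []
    excluded = [ipaddress.ip_network(c, strict=False) for c in excluded_cidrs]  # IPv4 only
    ranges: Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = {}
    for host in root.iter("IPHost"):
        name = host.findtext("Name", "")
        if not name.startswith("Internet IPv4 ("):
            findings.append(f"{name!r}: file defines an object that is not a generated range")
        if host.findtext("HostType") != "IPRange":
            findings.append(f"{name!r}: host type is not IPRange")
            continue
        try:
            lo = ipaddress.IPv4Address(host.findtext("StartIPAddress", ""))
            hi = ipaddress.IPv4Address(host.findtext("EndIPAddress", ""))
        except ValueError:
            findings.append(f"{name!r}: unparsable start or end address")
            continue
        if lo > hi:
            findings.append(f"{name!r}: start address is after end address")
        if name != f"Internet IPv4 ({lo}-{hi})":
            findings.append(f"{name!r}: name does not match the range {lo}-{hi}")
        for net in excluded:
            if lo <= net.broadcast_address and net.network_address <= hi:
                findings.append(f"{name!r}: still contains addresses of excluded {net}")
        ranges[name] = (lo, hi)
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (a_name, (_, a_hi)), (b_name, (b_lo, _)) in zip(ordered, ordered[1:]):
        if b_lo <= a_hi:
            findings.append(f"{a_name!r} and {b_name!r} overlap")
    groups = list(root.iter("IPHostGroup"))
    if not groups:
        findings.append("no host group in file")
    for group in groups:
        gname = group.findtext("Name", "")
        if not gname.startswith("Internet IPv4 custom group ("):
            findings.append(f"{gname!r}: unexpected group name")
        for member in (h.text or "" for h in group.iter("Host")):
            # Members named like generated ranges must be defined in this file; any other
            # member is taken to be an untouched original Sophos object on the firewall.
            if member.startswith("Internet IPv4 (") and member not in ranges:
                findings.append(f"{gname!r}: references undefined object {member!r}")
    return findings


def check_tar(tar_bytes: bytes, excluded_cidrs: Iterable[str]) -> List[str]:
    return check_entities(read_entities(tar_bytes), excluded_cidrs)


if __name__ == "__main__":
    for line in check_tar(build_tar(), ["1.1.1.1/32"]) or ["no findings"]:
        print(line)
```

Pass the same CIDR list you typed into the generator; any range that still covers one of those addresses, any object the file defines beyond the generated ranges, and any group member the file neither defines nor leaves to Sophos shows up as a finding.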

Is it possible to add more IP addresses or networks to an already customized group?

Host objects that have already been imported cannot be updated automatically. Simply create a new file with the generator and import it: existing objects with the same name are overwritten and missing objects are added. Since a new host group is created (the names carry a date), the old group can then be deleted. Orphaned host objects must also be deleted individually by hand, which is quick and easy with the reference lookup (from SFOS v20.x.x).

What happens to the old "Internet IPv4 group" group during import?

The original group and the original host objects remain unaffected by the import at all times.

How can I undo the changes made by the import?

Delete the new host group and then the newly created host objects ("Internet IPv4 (....-....)"). This is quick and easy with the reference lookup (from SFOS v20.x.x).

Do you have any further questions? Get in touch with us or write a comment! We will endeavor to reply as soon as possible.
