macOS Network Filter Causing Issues with shared VM connections


L1 Bithead

Hi Everyone, 

 

We are a new customer for Cortex XDR and the network filter seems to be killing our ability to share a connection to our Windows VMs from our macOS host while using our SonicWall VPN. If the VPN is disconnected, the connection works fine; when Cortex XDR is uninstalled it also works fine; as soon as Cortex is installed, the shared connection dies. Any ideas?


L4 Transporter

Hi @KTaig ,

 

Welcome to the community!

 

Can you successfully establish a connection from the macOS host to the VPN gateway in terms of the VPN? If so, are you seeing the route to the Windows VM subnet installed by the SonicWall VPN in the macOS routing table? If those are working appropriately, meaning you have a successful VPN connection and a VPN route to your Windows VM, my recommendation would be to try disabling the Host Firewall Management on the Cortex XDR Agent for your macOS device. Disabling the Host Firewall Management can be done in Endpoints > Policy Management > Extensions, Profiles > Editing your target macOS Firewall profile and disabling the Host Firewall Management section. Once complete, are you able to connect to the Windows VM?

If that didn't help, might you be receiving alerts on your alerts table regarding the VPN or supporting processes?

--gjenkins


Hi, thanks for the response.

I will answer each of those:

Can you successfully establish a connection from the MacOS host to the VPN gateway in terms of the VPN? The macOS host connects to the VPN and can access things on its end just fine.

If so, are you seeing the route to the Windows VM subnet installed by the SonicWall VPN in the MacOS routing table? This I'm not seeing. When the VPN is on, the Windows VM immediately loses network connectivity, and if you run the network troubleshooter you get that it's not getting a valid IP. Turn off the VPN, the VM can connect to the network again and can even run a VPN in the VM fine, but the network doesn't talk back to the macOS.

If that didn't help, might you be receiving alerts on your alerts table regarding the VPN or supporting processes? No alerts or anything are being generated by Cortex, which is odd.

I will copy the profile and turn off firewall management applying it only to this machine and see if it helps.

 

Thank you

Actually looks like we don't even have it enabled


Hi @KTaig,

Thank you for answering those questions! Is it possible for you to grab a screenshot of the routing table (in the command line, enter "route print") before and after connecting to the VPN, and also provide the IP addresses of the source and destination devices? Could you also provide a traceroute to the macOS endpoint?

What I'm leaning towards is that if the Cortex XDR agent prevents a route from being installed, we may be able to see it in the comparison of the two route tables. So let's see if the route is being installed, and the firewall management is disabled, and take it from there.

--gjenkins
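
The before/after route-table comparison suggested in the reply above, as an added example that is not part of the original thread or any vendor tooling. It assumes the captures are taken on the macOS host with `netstat -rn -f inet`; the sample tables, the `bridge100` and `utun3` interface names and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample captures (not from the thread): `netstat -rn -f inet` on the
# macOS host before and after the VPN connects. bridge100 / 192.168.64.0/24 stands
# in for the VM shared network; utun3 stands in for the VPN tunnel interface.
BEFORE = """\
default            192.168.1.1        UGScg    en0
192.168.1          link#6             UCS      en0
192.168.64         link#18            UC       bridge100
"""
AFTER = """\
default            link#20            UCSg     utun3
192.168.1          link#6             UCS      en0
203.0.113.10       192.168.1.1        UGHS     en0
10.8/16            10.8.0.1           UGSc     utun3
"""

def parse_dest(dest):
    """Expand netstat's abbreviated destination ('192.168.64', '10.8/16').
    Simplification: with no explicit /len, assume 8 prefix bits per octet shown."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    prefix = int(plen) if plen else 8 * len(octets)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{prefix}", strict=False)

def parse_routes(text):
    """Return a set of (network, gateway, interface) from one capture."""
    routes = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4:
            continue
        try:
            routes.add((parse_dest(f[0]), f[1], f[3]))
        except ValueError:  # header, IPv6 or other non-route lines
            continue
    return routes

def route_diff(before, after):
    """Routes added and routes removed between the two captures."""
    b, a = parse_routes(before), parse_routes(after)
    return a - b, b - a

def best_route(text, ip):
    """Longest-prefix match: the route that would carry traffic to ip."""
    hits = [r for r in parse_routes(text) if ipaddress.ip_address(ip) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)
```

In the constructed data the shared-network route disappears once the VPN is up, so a VM address that matched `bridge100` before falls through to the default route on the tunnel interface afterwards.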

Hey,

 

I didn't have time to get to this today, but 1 thing I see that would be an issue getting this information is the routes with the VPN on. The VPN is on the macOS, not the Windows VM; as soon as it turns on, the network on the VM dies. I don't think it will see any routes because it's no longer getting an internet connection at all.


Hi @KTaig ,

 

If we don't have visibility into the device due to the Internet connection being lost, and there doesn't appear to be anything wrong with your Cortex XDR agent configuration, then I think that the next best step would be to open a ticket with Support. They will request the Support logs and be able to attempt an offline analysis given the logs that you've provided. Please open a case with them here and upload those logs whenever possible.

--gjenkins