Datto appliances and firewalls

Topic

This article discusses potential conflicts between Datto BCDR appliances and common firewall devices and steps that can be taken to address them.

Environment

Datto SIRIS
Datto ALTO
Datto NAS

Description

If you are using a firewall device on the same LAN as a Datto appliance, you might have issues with local backups and cloud synchronization. The Datto appliance must have full access to the internet to send backup snapshots to the Datto Cloud.

Many next-generation firewalls and unified threat management (UTM) platforms include threat detection technology which can interrupt or interfere with cloud synchronization. These vary by vendor, but include:

Stateful/Deep Packet Inspection (SPI/DPI)
Intrusion Detection/Prevention Services (IDS/IPS)
SSH inspection

In addition to rules allowing traffic to Datto's cloud server, exceptions or rules for these advanced threat protection technologies must be configured. Configuration steps will vary by vendor.

Firewalls

Some of the more common firewalls are listed below. See each sections for more information on each type..

SonicWALL
Palo Alto
Cisco Meraki
Fortinet

SonicWall

SonicWALL NSA and TZ Devices

SonicWALL NSA and TZ appliances are stateful firewalls, and use threat management software known as Stateful Packet Inspection or Deep Packet Inspection. This software filters out certain network packets based on the identification of possible threatening activity. This can inadvertently prevent cloud synchronization of your backups. Take the following steps to address the issue:

Ensure that netbios traffic is allowed to pass both in and outbound through the SonicWALL. (UDP 137-139)
Disable the security settings that are created by SonicWALL within the Unified Threat Management software platform provided for the device.
Set a custom demilitarized zone (DMZ) for just the Datto device with all security disabled on the SonicWALL. Allow for an open connection should the device fail to have outbound access.
Ensure the Stateful Packet Inspection isnot preventing the Datto device from making outbound connections.
SSH Inspection available on some SonicWall models can interfere with communicating with the Datto device and may need to be disabled in your settings.
If the above solutions have failed, you might have to disable SPI or DPI on your device. See this article from SonicWall: How to disabled DPI and Enabled SPI engine in SonicWALL OS Enhanced (SW11566).

Palo Alto

Vulnerability protection settings on Palo Alto firewalls can interrupt and block synchronization between the Datto backup appliance and cloud server. Take the following steps to address the issue:.

As part of standard pre-configuration, create a vulnerability protection profile per Palo Alto's Change the brute force trigger criteria article, to add IPs for the relevant regional data centers listed in the BCDR networking and bandwidth requirements to your allowlist..
If you experience any problems with cloud sychronization, review the log on your Palo Alto firewall and check to see if threat 40015 "SSH User Authentication Brute-force Attempt" is being identified as a threat and flagged on traffic to the Datto's IPs outlined in BCDR Networking and bandwidth requirements article.
If the steps above have been completed and the device is not syncing,contact Datto Technical Support, reference this article, and document that the steps above have been completed.

See the Additional Resources section of this article for links to additional information on Palo Alto devices.

Cisco Meraki

Intrusion detection and prevention settings on Cisco Meraki firewalls can block cloud synchronization between the Datto backup appliance and cloud server. Take the following steps to address the issue:

On the Cisco Meraki firewall, navigate to Security & SD-WAN > Configure > Threat protection > Intrusion detection and prevention
Set the mode to Detection and use the Balanced or Connectivity ruleset.

If you experience issues, check the firewall logs for ssh_response_buffer_overflow alerts. Adding the allowlist rule (spp_ssh) Challenge-Response Overflow exploit - 128:1 for the Datto device should allow it to sync without lessening overall security.

NOTE On some Cisco-Meraki devices, if MercuryFTP or ISCSI traffic is being sent to the Datto device from an agent on a different subnet, the blocking rule "Peer 2 Peer" may identify datto traffic as "edonkey" and can prevent backup data from transferring.

See the Additional Resources section of this article for links to additional information on Cisco Meraki devices.

Fortinet

A recent software update for Fortinet firewalls forces deep packet inspection on port 22 causing cloud synchronization failure.Take the following steps to address the issue:

Set a rule to allow port 22 through the firewall without packet inspection, or exclude *.datto.com and *.dattobackup.com from deep packet inspection.
You may also need to disable Application Control for the IP of the Datto device.

Contact Fortinet for information on how to make these changes on your specific firewall.

Additional Resources

Palo Alto Networks: How to create a vulnerability exception (external link)
Palo Alto Networks: Change the brute force trigger criteria (external link)
Palo Alto Networks: Brute force signature and related trigger conditions (external link)
Palo Alto Networks: PAN-OS Web Interface Reference (external link)
Cisco Meraki: Threat Protection (external link)

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the ideas forum!
	Provide feedback for the Documentation team.