Datto appliances and firewalls
This article discusses potential conflicts between Datto BCDR appliances and common firewall devices and steps that can be taken to address them.
Environment 
- Datto SIRIS
- Datto ALTO
- Datto NAS
Description
If you are using a firewall device on the same LAN as a Datto appliance, you might have issues with local backups and cloud synchronization. The Datto appliance must have full access to the internet to send backup snapshots to the Datto Cloud.
Many next-generation firewalls and unified threat management (UTM) platforms include threat detection technology which can interrupt or interfere with cloud synchronization. These vary by vendor, but include:
- Stateful/Deep Packet Inspection (SPI/DPI)
- Intrusion Detection/Prevention Services (IDS/IPS)
- SSH inspection
In addition to rules allowing traffic to Datto's cloud server, exceptions or rules for these advanced threat protection technologies must be configured. Configuration steps will vary by vendor.
Firewalls
Some of the more common firewalls and settings are listed below.
SonicWall 
SonicWALL NSA and TZ Devices
SonicWALL NSA and TZ appliances are stateful firewalls, and use threat management software known as Stateful Packet Inspection or Deep Packet Inspection. This software filters out certain network packets based on the identification of possible threatening activity. This can inadvertently prevent cloud synchronization of your backups. Take the following steps to address the issue:
- Ensure that netbios traffic is allowed to pass both in and outbound through the SonicWALL. (UDP 137-139)
- Disable the security settings that are created by SonicWALL within the Unified Threat Management software platform provided for the device.
- Set a custom demilitarized zone (DMZ) for just the Datto device with all security disabled on the SonicWALL. Allow for an open connection should the device fail to have outbound access.
- Ensure the Stateful Packet Inspection isnot preventing the Datto device from making outbound connections.
- SSH Inspection available on some SonicWall models can interfere with communicating with the Datto device and may need to be disabled in your settings.
- If the above solutions have failed, you might have to disable SPI or DPI on your device. See this article from SonicWall: How to disabled DPI and Enabled SPI engine in SonicWALL OS Enhanced (SW11566).
Palo Alto Vulnerability protection settings on Palo Alto firewalls can interrupt and block synchronization between the Datto backup appliance and cloud server. Take the following steps to address the issue:.
- As part of standard pre-configuration, create a vulnerability protection profile per Palo Alto's How to create a vulnerability exception(external link) article, to add IPs for the relevant regional data centers listed in the Unified Backup networking and bandwidth requirements to your allowlist.
- If you experience any problems with cloud sychronization, review the log on your Palo Alto firewall and check to see if threat 40015 "SSH User Authentication Brute-force Attempt" is being identified as a threat and flagged on traffic to the Datto's IPs outlined in Unified Backup networking and bandwidth requirements.
- If the steps above have been completed and the device is not syncing,contact Datto Technical Support, reference this article, and document that the steps above have been completed.
Additional Resources
- Palo Alto Networks: How to create a vulnerability exception(external link)
- Palo Alto Networks: Change the brute force trigger criteria (external link)
- Palo Alto Networks: Brute force signature and related trigger conditions(external link)
- Palo Alto Networks: PAN-OS Web Interface Reference(external link)
Cisco Meraki Intrusion detection and prevention settings on Cisco Meraki firewalls can block cloud synchronization between the Datto backup appliance and cloud server. Take the following steps to address the issue:
- On the Cisco Meraki firewall, navigate to Security & SD-WAN > Configure > Threat protection > Intrusion detection and prevention
- Set the mode to Detection and use the Balanced or Connectivity ruleset.
If you experience issues, check the firewall logs for ssh_response_buffer_overflow alerts. Adding the allowlist rule (spp_ssh) Challenge-Response Overflow exploit - 128:1 for the Datto device should allow it to sync without lessening overall security.
NOTE On some Cisco-Meraki devices, if MercuryFTP or ISCSI traffic is being sent to the Datto device from an agent on a different subnet, the blocking rule "Peer 2 Peer" may identify datto traffic as "edonkey" and can prevent backup data from transferring.
Additional Resources
- Cisco Meraki: Threat Protection(external link)
Fortinet Fortinet firewalls forces deep packet inspection on port 22 causing cloud synchronization failure. Take the following steps to address the issue:
- Set a rule to allow port 22 through the firewall without packet inspection, or exclude *.datto.com and *.dattobackup.com from deep packet inspection.
- You may also need to disable Application Control for the IP of the Datto device.
Contact Fortinet for information on how to make these changes on your specific firewall.
UniFi Ubiquiti/UniFi gateways utilize Intrusion Detection and Prevention which can cause issues with the offsite synchornization and remote communication with the Datto device.
Checking the Intrusion Prevention logs can confirm its effect with references to the offsite servers or the Datto device. These logs should be selectable, allowing for filtering exclusion for the specific source and/or destination IP. For each of these, select Exclude Source IP and Exclude Destination IP.
It is recommended to exclude each of the offsite servers associated with the Datto cloud to prevent interruption if the offsite data is ever migrated or offloaded. These ranges are outlined in Unified Backup networking and bandwidth requirements.
Additional Resources
- UniFi Gateway - Intrusion Detection and Prevention (IDS/IPS) (external link)
