
Commtouch IP addresses being blocked by XG

Hi,

Our XG is continuously blocking accesses from Commtouch servers on port 80.

Is this normal?

Why are events from several Commtouch servers being logged? Is it connected to the UTM services or attack attempts?

Regards,

Antonio



This thread was automatically locked due to age.
  • Hi,

    So Sophos uses Commtouch for services...

    Our system is constantly receiving "pings" from several Commtouch servers directed to the ports above 2000.

    Have you found any indication on Sophos docs about their partners?

    My main concern, after your post, is if our data is going outside Europe.

    We are bound to GDPR, as we're in Europe.

    I will look into it.

    Thanks!

    Antonio Soares

  • Commtouch should only be doing updates incoming if your XG initiates the connection. The issue seems to be that your XG or data service is dropping the connection and the Commtouch server is still sending the requested files.

    Ian

  • Hi,

    I was talking about the Sophos UTM.

    Thought you are using something behind the XG like Sophos UTM?

     

    Note – The list of RBLs queried by Sophos UTM is subject to change without notice. Sophos does not warrant for the contents of these databases.

     

    Cheers

  • Thanks.

    I will investigate further.

    We have other companies with XGs. Going to check them out.

    BR

  • Indeed the failed attempts are detected on the XG and directed to XG.

  • Hi,

    To be clear: can you please post the log viewer?

    I think something behind the XG is starting this dialog.

  • Hi,

     

    here you have. My IP has been masked.

    This is a small portion.

     

    Time,Log Comp,Action,Username,Firewall Rule,In Interface ,Out Interface ,Source IP,Destination IP,Source Port,Destination Port,Protocol,Rule Type,Message ID,Live PCAP,Message,
    2018-03-11 00:48:33,Invalid Traffic ,Denied,,0,,,216.163.176.36,x.x.x.x,80,16882,TCP,0,01001,Open PCAP,Invalid TCP state.,
    2018-03-11 00:48:32,Invalid Traffic ,Denied,,0,,,x.x.x.x,84.39.152.32,26986,80,TCP,0,01001,Open PCAP,Invalid TCP state.,
    2018-03-11 00:48:32,Invalid Traffic ,Denied,,0,,,84.39.152.32,x.x.x.x,80,26986,TCP,0,01001,Open PCAP,Invalid TCP state.,
    2018-03-11 00:48:32,Invalid Traffic ,Denied,,0,,,x.x.x.x,84.39.153.32,19919,80,TCP,0,01001,Open PCAP,Invalid TCP state.,
    2018-03-11 00:48:32,Invalid Traffic ,Denied,,0,,,84.39.153.32,x.x.x.x,80,19919,TCP,0,01001,Open PCAP,Invalid TCP state.,
    2018-03-11 00:48:30,Invalid Traffic ,Denied,,0,,,x.x.x.x,216.163.188.34,23604,80,TCP,0,01001,Open PCAP,Could not associate packet to any connection.,
    2018-03-11 00:48:30,Invalid Traffic ,Denied,,0,,,x.x.x.x,38.113.116.214,32342,80,TCP,0,01001,Open PCAP,Could not associate packet to any connection.,
    2018-03-11 00:48:30,Invalid Traffic ,Denied,,0,,,x.x.x.x,216.163.188.34,23615,80,TCP,0,01001,Open PCAP,Invalid TCP state.,
    2018-03-11 00:48:29,Invalid Traffic ,Denied,,0,,,216.163.188.34,x.x.x.x,80,23615,TCP,0,01001,Open PCAP,Invalid TCP state.,
    2018-03-11 00:48:29,Invalid Traffic ,Denied,,0,,,x.x.x.x,216.163.176.36,16871,80,TCP,0,01001,Open PCAP,Could not associate packet to any connection.,

     

    Regards

  • Hi All

     

    I have the same problem: it shows an error and blocks 80/443 connections.

     

    Regards

  • Hi,

    Please perform a tcpdump.

    I think there is something which tries to reach the Commtouch server. Try

    tcpdump -ni any host 216.163.188.34 or host 38.113.116.214