
Find application based on app_id

Sophos XG SFOS 17.0.6 MR-6

Application Control is blocking FTP access. In the GUI (Log Viewer) I can't find a log entry. On the console with drop-packet-capture I can see a dropped packet.

Initiator is 1.2.3.4 and it looks like it's the response from 111.222.333.444 which gets blocked. As soon as I switch off application control on the policy, FTP is working. The output shows "app_id=202". How can I find the corresponding application? Or am I on the wrong path?

2018-06-20 08:20:29 0544021 IP 111.222.333.444.21 > 1.2.3.4.49550 : proto TCP: P 1167539557:1167539595(38) win 256 checksum : 42440
0x0000: 4500 004e 6805 4000 7a06 26c1 c2f6 764d E..Nh.@.z.&...vM
0x0010: ac1c 1e6f 0015 c18e 4597 3d65 64c5 7843 ...o....E.=ed.xC
0x0020: 5018 0100 a5c8 0000 3232 3020 5365 7276 P.......220.Serv
0x0030: 2d55 2046 5450 2053 6572 7665 7220 7631 -U.FTP.Server.v1
0x0040: 352e 3120 7265 6164 792e 2e2e 0d0a 5.1.ready.....
Date=2018-06-20 Time=08:20:29 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2.100 out_dev= inzone_id=9 outzone_id=0 source_mac=e4:48:c7:7f:66:1d dest_mac=00:e0:20:11:08:fc l3_protocol=IP source_ip=111.222.333.444 dest_ip=1.2.3.4 l4_protocol=TCP source_port=21 dest_port=49550 fw_rule_id=52 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=2 sslvpn_id=0 web_filter_id=13 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=8 app_category_id=1 app_id=202 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=255 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=4719625 connid=2235063616 masterid=2235058624 status=398 state=3 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

Thanks a lot 
Chris
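The capture in the post carries two things worth pulling apart by hand: the key=value log line (which names the firewall rule, the application filter policy and the app_id that produced the Denied verdict) and the hex dump of the dropped packet (which, decoded, shows the FTP server banner in the TCP payload). The script below is an added example and is not code from the thread or from Sophos; it assumes only that drop-packet-capture prints the three parts in the layout quoted above (summary line, tcpdump-style hex lines, key=value line). It does not map app_id to an application name, since no public table for that is assumed here; it extracts the identifiers you would look up and checks that the decoded TCP header agrees with what the log line claims.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the drop-packet-capture output quoted in the post above,
# reproduced verbatim (the poster's anonymised IPs in the text line are kept).
SAMPLE = """\
2018-06-20 08:20:29 0544021 IP 111.222.333.444.21 > 1.2.3.4.49550 : proto TCP: P 1167539557:1167539595(38) win 256 checksum : 42440
0x0000: 4500 004e 6805 4000 7a06 26c1 c2f6 764d E..Nh.@.z.&...vM
0x0010: ac1c 1e6f 0015 c18e 4597 3d65 64c5 7843 ...o....E.=ed.xC
0x0020: 5018 0100 a5c8 0000 3232 3020 5365 7276 P.......220.Serv
0x0030: 2d55 2046 5450 2053 6572 7665 7220 7631 -U.FTP.Server.v1
0x0040: 352e 3120 7265 6164 792e 2e2e 0d0a 5.1.ready.....
Date=2018-06-20 Time=08:20:29 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2.100 out_dev= inzone_id=9 outzone_id=0 source_mac=e4:48:c7:7f:66:1d dest_mac=00:e0:20:11:08:fc l3_protocol=IP source_ip=111.222.333.444 dest_ip=1.2.3.4 l4_protocol=TCP source_port=21 dest_port=49550 fw_rule_id=52 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=2 sslvpn_id=0 web_filter_id=13 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=8 app_category_id=1 app_id=202 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=255 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=4719625 connid=2235063616 masterid=2235058624 status=398 state=3 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+(.*)$")
HEX_TOKEN = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")      # one or two bytes per group
KEY_VALUE = re.compile(r"(\w+)=(\S*)")                     # values never contain spaces here
PAYLOAD_LEN = re.compile(r"\((\d+)\)\s+win\b")             # "(38) win 256" in the summary line
TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))

# Fields a practitioner needs to locate the verdict in the SFOS GUI.
DROP_KEYS = ("log_component", "log_subtype", "fw_rule_id", "app_filter_id",
             "app_category_id", "app_id", "source_port", "dest_port")


@dataclass
class DroppedPacket:
    fields: Dict[str, str]        # key=value pairs from the log line
    claimed_len: Optional[int]    # payload length printed in the summary line
    raw: bytes                    # IPv4 packet rebuilt from the hex dump
    src_port: int = 0
    dst_port: int = 0
    seq: int = 0
    tcp_flags: int = 0
    payload: bytes = b""


def parse_capture(text: str) -> DroppedPacket:
    """Parse one drop-packet-capture record into fields, raw bytes and TCP details."""
    fields: Dict[str, str] = {}
    claimed: Optional[int] = None
    chunks = []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            groups = []
            for tok in m.group(2).split():
                if not HEX_TOKEN.match(tok):
                    break                      # first non-hex token starts the ASCII column
                groups.append(tok)
            chunks.append(bytes.fromhex("".join(groups)))
        elif "log_id=" in line:
            fields = dict(KEY_VALUE.findall(line))
        else:
            lm = PAYLOAD_LEN.search(line)
            if lm:
                claimed = int(lm.group(1))
    raw = b"".join(chunks)
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("hex dump does not start with an IPv4 header")
    ihl = (raw[0] & 0x0F) * 4                  # IPv4 header length in bytes
    total_len = int.from_bytes(raw[2:4], "big")
    raw = raw[:total_len]                      # ignore anything past the IP total length
    if raw[9] != 6:
        raise ValueError(f"not TCP (IP protocol {raw[9]})")
    tcp = raw[ihl:]
    data_off = (tcp[12] >> 4) * 4              # TCP header length in bytes
    return DroppedPacket(
        fields=fields, claimed_len=claimed, raw=raw,
        src_port=int.from_bytes(tcp[0:2], "big"),
        dst_port=int.from_bytes(tcp[2:4], "big"),
        seq=int.from_bytes(tcp[4:8], "big"),
        tcp_flags=tcp[13],
        payload=tcp[data_off:],
    )


def flag_names(flags: int) -> str:
    return ",".join(name for name, bit in TCP_FLAG_BITS if flags & bit)


def consistent(pkt: DroppedPacket) -> bool:
    """Cross-check the decoded TCP header against the log line and summary line."""
    f = pkt.fields
    return (str(pkt.src_port) == f.get("source_port")
            and str(pkt.dst_port) == f.get("dest_port")
            and f.get("l4_protocol") == "TCP"
            and (pkt.claimed_len is None or pkt.claimed_len == len(pkt.payload)))


def drop_summary(pkt: DroppedPacket) -> Dict[str, str]:
    """The identifiers to look up (rule, app filter policy, app_id) plus the payload text."""
    summary = {k: pkt.fields.get(k, "?") for k in DROP_KEYS}
    summary["tcp_flags"] = flag_names(pkt.tcp_flags)
    summary["payload"] = pkt.payload.decode("ascii", "replace").rstrip("\r\n")
    return summary


if __name__ == "__main__":
    packet = parse_capture(SAMPLE)
    for key, value in drop_summary(packet).items():
        print(f"{key:16} {value}")
    print("consistent:", consistent(packet))
```

Running it on the quoted capture decodes the 38-byte payload as the server's `220 Serv-U FTP Server v15.1 ready...` banner with PSH,ACK set, so what the application filter dropped is the very first control-channel reply from the server, before any data connection exists. The summary also surfaces `fw_rule_id=52`, `app_filter_id=8` and `app_id=202`, which are the three values to check in the firewall rule and its application filter policy; the script deliberately leaves the app_id to name mapping to the appliance, since it is not something the capture itself contains.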