
How to find IPS Log / Identify IPS Policy blocking traffic

After installing Sophos, Origin does not work anymore.

I added ea.com and origin.com to the web exceptions - this worked for a few days.

Now the beginning of the downloads is blocked again.

From testing I know an IPS policy blocks the process (if I set IPS in the firewall rule to None, the downloads start).

I took a drop-packet-capture (see below), but I have problems proceeding further.

 

I have 2 questions:

1. How can I open the IPS logs to identify the IPS patterns that are matching, so that I can add an exception?

2. How do I identify in the log below that an IPS rule blocked the traffic?

 

Thanks,

Stefan

 

console> drop-packet-capture 'host 192.168.13.100'
2018-11-26 22:20:21 0139021 IP 192.168.13.100.59454 > 8.247.242.126.80 : proto TCP: P 1855563494:1855564306(812) win 229 checksum : 53415
0x0000:  4500 0354 fcd7 4000 4006 7049 c0a8 0d64  E..T..@.@.pI...d              
0x0010:  08f7 f27e e83e 0050 6e99 a6e6 586d 8b13  ...~.>.Pn...Xm..              
0x0020:  5018 00e5 d0a7 0000 4745 5420 2f65 616d  P.......GET./eam              
0x0030:  6173 7465 722f 732f 7368 6966 742f 6372  aster/s/shift/cr              
0x0040:  7974 656b 2f63 7279 7369 735f 332f 6667  ytek/crysis_3/fg              
0x0050:  5f5f 7777 2f63 7279 7369 735f 3370 6366  __ww/crysis_3pcf              
0x0060:  675f 5f77 7772 756e 5f31 5f5f 6f72 6967  g__wwrun_1__orig              
0x0070:  696e 5f5f 6964 6a69 745f 6461 7461 5f73  in__idjit_data_s              
0x0080:  746f 7265 3739 3938 3837 6337 3262 3966  tore799887c72b9f              
0x0090:  3433 6631 6231 3633 3066 3564 3339 3036  43f1b1630f5d3906              
0x00a0:  6163 6438 2e7a 6970 3f6e 7661 3d32 3031  acd8.zip?nva=201              
0x00b0:  3831 3132 3632 3132 3532 3126 746f 6b65  81126212521&toke              
0x00c0:  6e3d 3061 3539 3633 3535 3030 3234 3635  n=0a596355002465              
0x00d0:  3334 3337 3433 3220 4854 5450 2f31 2e31  3437432.HTTP/1.1              
0x00e0:  0d0a 4361 6368 652d 436f 6e74 726f 6c3a  ..Cache-Control:              
0x00f0:  206e 6f2d 6361 6368 650d 0a50 7261 676d  .no-cache..Pragm              
0x0100:  613a 206e 6f2d 6361 6368 650d 0a52 616e  a:.no-cache..Ran              
0x0110:  6765 3a20 6279 7465 733d 3135 3131 3134  ge:.bytes=151114              
0x0120:  3331 3133 312d 3135 3131 3134 3339 3332  31131-1511143932              
0x0130:  320d 0a48 6f73 743a 206c 766c 742e 6364  2..Host:.lvlt.cd              
0x0140:  6e2e 6561 2e63 6f6d 0d0a 5573 6572 2d41  n.ea.com..User-A              
0x0150:  6765 6e74 3a20 4d6f 7a69 6c6c 612f 352e  gent:.Mozilla/5.              
0x0160:  3020 4541 2044 6f77 6e6c 6f61 6420 4d61  0.EA.Download.Ma              
0x0170:  6e61 6765 7220 4f72 6967 696e 2f31 302e  nager.Origin/10.              
0x0180:  352e 3330 2e31 3536 3235 0d0a 582d 4f72  5.30.15625..X-Or              
0x0190:  6967 696e 2d55 4944 3a20 3131 3636 3834  igin-UID:.116684              
0x01a0:  3832 3939 3133 3738 3734 3932 3037 0d0a  82991378749207..              
0x01b0:  582d 4f72 6967 696e 2d50 6c61 7466 6f72  X-Origin-Platfor              
0x01c0:  6d3a 2050 4357 494e 0d0a 6c6f 6361 6c65  m:.PCWIN..locale              
0x01d0:  496e 666f 3a20 6465 5f44 450d 0a41 6363  Info:.de_DE..Acc              
0x01e0:  6570 742d 4c61 6e67 7561 6765 3a20 6465  ept-Language:.de              
0x01f0:  2d44 450d 0a43 6f6f 6b69 653a 205f 6761  -DE..Cookie:._ga              
0x0200:  3d47 4131 2e32 2e31 3839 3837 3635 3138  =GA1.2.189876518              
0x0210:  322e 3135 3433 3236 3335 3036 3b20 5f67  2.1543263506;._g              
0x0220:  6964 3d47 4131 2e32 2e31 3533 3736 3536  id=GA1.2.1537656              
0x0230:  3535 382e 3135 3433 3236 3335 3036 3b20  558.1543263506;.              
0x0240:  7574 6167 5f6d 6169 6e3d 765f 6964 3a30  utag_main=v_id:0              
0x0250:  3136 3735 3161 6334 6431 3630 3031 3465  16751ac4d160014e              
0x0260:  3363 3730 3836 3064 3535 3930 3030 6139  3c70860d559000a9              
0x0270:  3031 3565 3061 3130 3133 3330 245f 736e  015e0a101330$_sn              
0x0280:  3a31 245f 7373 3a31 245f 7374 3a31 3534  :1$_ss:1$_st:154              
0x0290:  3332 3635 3330 3536 3838 2473 6573 5f69  3265305688$ses_i              
0x02a0:  643a 3135 3433 3236 3335 3035 3638 3825  d:1543263505688%              
0x02b0:  3342 6578 702d 7365 7373 696f 6e24 5f70  3Bexp-session$_p              
0x02c0:  6e3a 3125 3342 6578 702d 7365 7373 696f  n:1%3Bexp-sessio              
0x02d0:  6e3b 205f 6e78 5f6d 7063 6964 3d31 3832  n;._nx_mpcid=182              
0x02e0:  3736 3837 3839 3033 3539 3633 3533 3936  7687890359635396              
0x02f0:  360d 0a41 6363 6570 742d 456e 636f 6469  6..Accept-Encodi              
0x0300:  6e67 3a20 677a 6970 2c20 6465 666c 6174  ng:.gzip,.deflat              
0x0310:  650d 0a56 6961 3a20 4854 5450 2f31 2e31  e..Via:.HTTP/1.1              
0x0320:  2066 6f72 7761 7264 2e68 7474 702e 7072  .forward.http.pr              
0x0330:  6f78 793a 3331 3238 0d0a 436f 6e6e 6563  oxy:3128..Connec              
0x0340:  7469 6f6e 3a20 6b65 6570 2d61 6c69 7665  tion:.keep-alive              
0x0350:  0d0a 0d0a                                ....                          
Date=2018-11-26 Time=22:20:21 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port2 inzone_id=1 outzone_id=0 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.13.100 dest_ip=8.247.242.126 l4_protocol=TCP source_port=59454 dest_port=80 fw_rule_id=1 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=3 sslvpn_id=0 web_filter_id=12 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=3 app_id=6 category_id=22 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=1 ctflags=526601 connid=3946581440 masterid=3946578240 status=398 state=3 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
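
Added example (not part of the original post, and not Sophos code): a small Python parser for the drop-packet-capture output above, which also applies to the Fifa 17 capture posted further down. It answers question 2 from the record itself: the hex dump is read back into bytes, the IPv4 and TCP headers are walked to recover the HTTP request, and the decision fields are pulled out of the key=value line. The sample capture embedded in the code is constructed: it keeps the addresses, ports and TCP header of the Crysis 3 packet above but carries a shortened request, and its log record is trimmed to the fields the code reads (blank values kept on purpose). The console wraps long lines at 80 columns, so re-join a wrapped summary or log line before feeding it in; the parser expects each of those on one line and refuses a hex dump whose offsets are not contiguous.

```python
import re

# Constructed sample, laid out like the console's drop-packet-capture output:
# a summary line, the hex dump of the dropped packet, then one key=value log
# record. The packet is hand-built with the same addresses, ports and TCP
# header as the Crysis 3 capture in the post but a shortened request; the
# log record keeps only the fields this code looks at (blank values included).
SAMPLE = """\
2018-11-26 22:20:21 0139021 IP 192.168.13.100.59454 > 8.247.242.126.80 : proto TCP: P 1855563494:1855563569(75) win 229 checksum : 53415
0x0000:  4500 0073 fcd7 4000 4006 0000 c0a8 0d64  E..s..@.@......d
0x0010:  08f7 f27e e83e 0050 6e99 a6e6 586d 8b13  ...~.>.Pn...Xm..
0x0020:  5018 00e5 d0a7 0000 4745 5420 2f65 616d  P.......GET./eam
0x0030:  6173 7465 722f 732f 782e 7a69 7020 4854  aster/s/x.zip.HT
0x0040:  5450 2f31 2e31 0d0a 486f 7374 3a20 6c76  TP/1.1..Host:.lv
0x0050:  6c74 2e63 646e 2e65 612e 636f 6d0d 0a52  lt.cdn.ea.com..R
0x0060:  616e 6765 3a20 6279 7465 733d 302d 310d  ange:.bytes=0-1.
0x0070:  0a0d 0a                                  ...
Date=2018-11-26 Time=22:20:21 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied log_status=N/A log_priority=Alert in_dev= out_dev=Port2 source_ip=192.168.13.100 dest_ip=8.247.242.126 l4_protocol=TCP source_port=59454 dest_port=80 fw_rule_id=1 policytype=1 ips_id=3 sslvpn_id=0 web_filter_id=12 app_id=6 drop_fix=1 connid=3946581440
"""

HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]+):\s+(.*)$")
SUMMARY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) IP (\S+) > (\S+) : proto (\w+)")


def parse_capture(text):
    """Split one capture record into its summary, the raw packet bytes and the log fields."""
    rec = {"packet": bytearray(), "fields": {}}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            # Hex groups end at the first run of two or more spaces; the ASCII
            # column after that is ignored because it can itself look like hex.
            hexpart = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0]
            if int(m.group(1), 16) != len(rec["packet"]):
                raise ValueError(f"hex dump not contiguous at offset {m.group(1)}")
            rec["packet"] += bytes.fromhex(hexpart.replace(" ", ""))
        elif SUMMARY.match(line):
            rec["time"], rec["log_id"], rec["src"], rec["dst"], rec["proto"] = SUMMARY.match(line).groups()
        elif line.startswith("Date="):
            # key=value pairs; an empty value (log_component=) parses as "".
            rec["fields"] = dict(re.findall(r"(\w+)=(\S*)", line))
    return rec


def decode_packet(pkt):
    """Walk the IPv4 and TCP headers and return addressing plus the TCP payload."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length incl. options
    total_len = int.from_bytes(pkt[2:4], "big")
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    if proto != 6:                                 # only TCP is decoded further
        return {"src": src, "dst": dst, "proto": proto, "payload": b""}
    tcp = pkt[ihl:]
    sport, dport = int.from_bytes(tcp[0:2], "big"), int.from_bytes(tcp[2:4], "big")
    doff = (tcp[12] >> 4) * 4                      # TCP header length incl. options
    flags = tcp[13]
    payload = bytes(pkt[ihl + doff:min(total_len, len(pkt))])  # tolerate a truncated dump
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "psh": bool(flags & 0x08), "payload": payload}


def parse_http_request(payload):
    """Return (method, target, headers) if the payload holds a complete HTTP/1.x request head, else None."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:                                    # headers continue in a later packet
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def explain_drop(text):
    """Pull the decision fields and the decoded request out of one capture record."""
    rec = parse_capture(text)
    f = rec["fields"]
    net = decode_packet(rec["packet"])
    http = parse_http_request(net.get("payload", b""))
    return {
        "verdict": f"{f.get('log_type')}/{f.get('log_subtype')}",  # Firewall/Denied is the drop itself
        "fw_rule_id": int(f.get("fw_rule_id", 0)),  # firewall rule the flow matched
        "ips_id": int(f.get("ips_id", 0)),          # IPS policy applied on that rule
        "web_filter_id": int(f.get("web_filter_id", 0)),
        "egress": f.get("out_dev"),
        "flow": f"{net['src']}:{net.get('sport')} -> {net['dst']}:{net.get('dport')}",
        "request": (http[0], http[1]) if http else None,
        "headers": http[2] if http else {},
    }


if __name__ == "__main__":
    for key, value in explain_drop(SAMPLE).items():
        print(f"{key:14} {value}")
```

What the record does and does not say: log_type=Firewall with log_subtype=Denied is the drop itself, fw_rule_id is the firewall rule the flow matched, and ips_id is the IPS policy in force on that rule (the other unused *_id fields in the record are 0, which matches the observation that setting IPS to None on the rule lets the download through). No field in either capture names a signature, so the ID of the pattern that matched cannot be read from this output; it has to come from the IPS log. Decoding the payload is still useful, because it shows exactly what the IPS inspected: a plain GET to lvlt.cdn.ea.com with a Range header, on a request that had already passed the forward proxy on port 3128 (the Via header in the full capture).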



  • I did further testing.

    1. If I use the policy LAN-TO-WAN, the downloads work.

    2. It may be no great help in finding the reason, but the blocking happens only for particular games in Origin.

    The blocking also seems to start before the download happens - Origin doesn't finish preparing the download.

    Games working: Unravel, Peggle

    Games failing: Fifa 17, Crysis 3

    drop-packet-capture for Fifa 17 - the one above was for Crysis 3:

    2018-11-28 18:10:41 0139021 IP 192.168.13.100.61750 > 8.247.241.126.80 : proto TCP: P 1740454211:1740455073(862) win 229 checksum : 55395
    0x0000:  4500 0386 5a12 4000 4006 13dd c0a8 0d64  E...Z.@.@......d
    0x0010:  08f7 f17e f136 0050 67bd 3943 0454 bab4  ...~.6.Pg.9C.T..
    0x0020:  5018 00e5 d863 0000 4745 5420 2f65 616d  P....c..GET./eam
    0x0030:  6173 7465 722f 732f 7368 6966 742f 6669  aster/s/shift/fi
    0x0040:  6661 2f66 6966 615f 3137 5f67 342f 7061  fa/fifa_17_g4/pa
    0x0050:  7463 685f 5f77 775f 7830 5f77 775f 7061  tch__ww_x0_ww_pa
    0x0060:  7463 6831 312f 6669 6661 5f31 375f 6734  tch11/fifa_17_g4
    0x0070:  7063 7061 7463 685f 5f77 775f 7830 5f77  pcpatch__ww_x0_w
    0x0080:  775f 7061 7463 6831 3163 6f6e 6365 7074  w_patch11concept
    0x0090:  5f31 5f5f 6465 6e75 766f 5f5f 7265 7461  _1__denuvo__reta
    0x00a0:  696c 5f5f 6469 6769 7461 6c5f 5f77 775f  il__digital__ww_
    0x00b0:  3331 3735 3933 3963 3763 3535 3338 3037  3175939c7c553807
    0x00c0:  3135 3234 6431 3061 3034 3936 3462 6363  1524d10a04964bcc
    0x00d0:  6133 3339 3534 642e 7a69 703f 6e76 613d  a33954d.zip?nva=
    0x00e0:  3230 3138 3131 3238 3137 3134 3338 2674  20181128171438&t
    0x00f0:  6f6b 656e 3d30 6265 3766 3962 6132 6436  oken=0be7f9ba2d6
    0x0100:  6335 3133 3433 3762 6632 2048 5454 502f  c513437bf2.HTTP/
    0x0110:  312e 310d 0a43 6163 6865 2d43 6f6e 7472  1.1..Cache-Contr
    0x0120:  6f6c 3a20 6e6f 2d63 6163 6865 0d0a 5072  ol:.no-cache..Pr
    0x0130:  6167 6d61 3a20 6e6f 2d63 6163 6865 0d0a  agma:.no-cache..
    0x0140:  5261 6e67 653a 2062 7974 6573 3d34 3331  Range:.bytes=431
    0x0150:  3135 3037 3636 3231 2d34 3331 3135 3038  15076621-4311508
    0x0160:  3438 3132 0d0a 486f 7374 3a20 6c76 6c74  4812..Host:.lvlt
    0x0170:  2e63 646e 2e65 612e 636f 6d0d 0a55 7365  .cdn.ea.com..Use
    0x0180:  722d 4167 656e 743a 204d 6f7a 696c 6c61  r-Agent:.Mozilla
    0x0190:  2f35 2e30 2045 4120 446f 776e 6c6f 6164  /5.0.EA.Download
    0x01a0:  204d 616e 6167 6572 204f 7269 6769 6e2f  .Manager.Origin/
    0x01b0:  3130 2e35 2e33 302e 3135 3632 350d 0a58  10.5.30.15625..X
    0x01c0:  2d4f 7269 6769 6e2d 5549 443a 2031 3136  -Origin-UID:.116
    0x01d0:  3638 3438 3239 3931 3337 3837 3439 3230  6848299137874920
    0x01e0:  370d 0a58 2d4f 7269 6769 6e2d 506c 6174  7..X-Origin-Plat
    0x01f0:  666f 726d 3a20 5043 5749 4e0d 0a6c 6f63  form:.PCWIN..loc
    0x0200:  616c 6549 6e66 6f3a 2064 655f 4445 0d0a  aleInfo:.de_DE..
    0x0210:  4163 6365 7074 2d4c 616e 6775 6167 653a  Accept-Language:
    0x0220:  2064 652d 4445 0d0a 436f 6f6b 6965 3a20  .de-DE..Cookie:.
    0x0230:  5f67 613d 4741 312e 322e 3532 3436 3331  _ga=GA1.2.524631
    0x0240:  3231 362e 3135 3433 3432 3439 3131 3b20  216.1543424911;.
    0x0250:  5f67 6964 3d47 4131 2e32 2e31 3236 3437  _gid=GA1.2.12647
    0x0260:  3035 3433 312e 3135 3433 3432 3439 3131  05431.1543424911
    0x0270:  3b20 7574 6167 5f6d 6169 6e3d 765f 6964  ;.utag_main=v_id
    0x0280:  3a30 3136 3735 6234 6232 3661 3630 3031  :01675b4b26a6001
    0x0290:  3565 3866 3263 6236 3238 6232 3030 3030  5e8f2cb628b20000
    0x02a0:  6139 3031 3566 3061 3130 3133 3330 245f  a9015f0a101330$_
    0x02b0:  736e 3a31 245f 7373 3a31 245f 7374 3a31  sn:1$_ss:1$_st:1
    0x02c0:  3534 3334 3236 3731 3130 3136 2473 6573  543426711016$ses
    0x02d0:  5f69 643a 3135 3433 3432 3439 3131 3031  _id:154342491101
    0x02e0:  3625 3342 6578 702d 7365 7373 696f 6e24  6%3Bexp-session$
    0x02f0:  5f70 6e3a 3125 3342 6578 702d 7365 7373  _pn:1%3Bexp-sess
    0x0300:  696f 6e3b 205f 6e78 5f6d 7063 6964 3d31  ion;._nx_mpcid=1
    0x0310:  3832 3736 3837 3839 3033 3539 3633 3533  8276878903596353
    0x0320:  3936 360d 0a41 6363 6570 742d 456e 636f  966..Accept-Enco
    0x0330:  6469 6e67 3a20 677a 6970 2c20 6465 666c  ding:.gzip,.defl
    0x0340:  6174 650d 0a56 6961 3a20 4854 5450 2f31  ate..Via:.HTTP/1
    0x0350:  2e31 2066 6f72 7761 7264 2e68 7474 702e  .1.forward.http.
    0x0360:  7072 6f78 793a 3331 3238 0d0a 436f 6e6e  proxy:3128..Conn
    0x0370:  6563 7469 6f6e 3a20 6b65 6570 2d61 6c69  ection:.keep-ali
    0x0380:  7665 0d0a 0d0a                           ve....
    Date=2018-11-28 Time=18:10:41 log_id=0139021 log_type=Firewall log_component= log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port2 inzone_id=1 outzone_id=0 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.13.100 dest_ip=8.247.241.126 l4_protocol=TCP source_port=61750 dest_port=80 fw_rule_id=1 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=2 sslvpn_id=0 web_filter_id=12 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=3 app_id=6 category_id=22 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=253 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=1 ctflags=526601 connid=3164494656 masterid=3166430144 status=398 state=3 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

  • By using a custom test set I could isolate the issue to the subset of 933 IPS policies:

     

    Target: Server

    Platform: Windows

    Severity: Critical

     

    In the end, I protect with that firewall only my own network, which has no servers, so now I have a workaround.

    But I would appreciate it if we could track this behavior down to some logfile with the info on why this happens.

    It's a bad feeling if a product I sell and administer does things I can't understand or explain.

  • I also isolated the application: Microsoft IIS Web Server