
Sophos XG 210 - The Web filter is showing 2 IP addresses src and dst that aren't part of our network

Hi there,

we have been using the Sophos XG for 2 months now, and this weekend in the Web filter logs we found something really strange.

The Web filter denied an IP address from China surfing to another IP address that is not in our network. How is that possible?

For information, we have the Sophos XG in bridge mode behind another Firewall / Router. There's no NATing; we are using the Firewall / IPS / DoS functions only.

Here is the log entry we found:

messageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="6" user="" user_group="" web_policy_id="2" web_policy="" category="Portal Sites" category_type="Unproductive" url="http://www.qq.com:443/404/search_children.js" content_type="" override_token="" response_code="" src_ip="106.75.211.42" dst_ip="23.213.15.12" protocol="TCP" src_port="41920" dst_port="443" bytes_sent="0" bytes_received="0" domain="www.qq.com" exception="" activity_name="" reason="" user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="618022784" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

How can we stop that? I mean, so that someone can't try to use our system to access another one.

I don't understand how web_policy 2 is using firewall rule id 6, because our firewall rule id 6 has no web filter configured. We are blocking some countries + a blacklist group of IP addresses coming from Port 1 [WAN] from accessing some of our web servers on Port 2 [DMZ].

Thank you in advance for your hints.

Joel.
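One way to pick out transactions like the one above from Sophos XG web filter logs, where neither endpoint belongs to the organisation (WAN-to-WAN use of the proxy), as an added example that is not from the original post or from Sophos. The local address ranges are placeholders and the second log line is constructed for contrast.

```python
import ipaddress
import re

# Sophos XG web filter lines are space-separated key="value" pairs.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumption: the organisation's own ranges (placeholder values).
LOCAL_NETS = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample: first line is trimmed from the entry quoted in the post,
# second line is a made-up LAN-originated request that should not be flagged.
SAMPLE_LOGS = [
    'messageid="16002" log_type="Content Filtering" log_component="HTTP" '
    'log_subtype="Denied" fw_rule_id="6" web_policy_id="2" '
    'url="http://www.qq.com:443/404/search_children.js" src_ip="106.75.211.42" '
    'dst_ip="23.213.15.12" protocol="TCP" src_port="41920" dst_port="443" '
    'domain="www.qq.com" status_code="403"',
    'messageid="16001" log_type="Content Filtering" log_component="HTTP" '
    'log_subtype="Allowed" fw_rule_id="3" web_policy_id="1" '
    'url="http://example.org/" src_ip="192.168.10.25" dst_ip="93.184.216.34" '
    'protocol="TCP" src_port="51000" dst_port="80" domain="example.org" '
    'status_code="200"',
]


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(_KV_RE.findall(line))


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def classify(record):
    """Label the flow direction relative to the local ranges."""
    src_local, dst_local = is_local(record["src_ip"]), is_local(record["dst_ip"])
    if not src_local and not dst_local:
        return "WAN->WAN"
    return ("LAN" if src_local else "WAN") + "->" + ("LAN" if dst_local else "WAN")


def find_transit_proxy_use(lines):
    """Return (src_ip, dst_ip, fw_rule_id, domain) for every WAN->WAN web filter hit."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("log_type") != "Content Filtering":
            continue
        if classify(rec) == "WAN->WAN":
            hits.append((rec["src_ip"], rec["dst_ip"], rec["fw_rule_id"], rec["domain"]))
    return hits
```

A WAN->WAN hit points at a rule (here fw_rule_id) that lets outside traffic reach the proxy, which is the check the later replies in this thread describe.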



  • Hi,

    thank you. A suggestion: change the https to any.

    Also change the rule to a black hole, e.g. send it to a dead end. For details please review the information in the post at the top right-hand side of the Home page for these forums.

    ian

  • OK, first I don't know why the rule matches ...
    The traffic is HTTP (not HTTPS) from WAN to WAN.
    The rule should match HTTPS traffic from WAN to LAN.

    But why do you see WAN/WAN traffic?
    Do you allow Web-Proxy access for the WAN-Zone?
    Check System / Administration / Device access / Local service ACL.

    Check assigned Zones for WAN Interfaces too.


  • Hi Dirk,

    Maybe because the HTTPS port is used in the URL (443):
    www.qq.com:443

    The WAN / LAN are bridged because I'm using the Sophos XG as a transparent man in the middle.
    The right description for us would be DMZ / DMZ, with Port 1 in the direction of the WAN and Port 2 in the direction of the LAN.

    I found a rule that let the packets through without any control, and now the problem is solved.

    We aren't really using the web proxy, but it seems to be impossible to completely disable the web proxy in the XG.

    Regards,

    Joel.

  • Hi Joel,

    you disable the web proxy by not ticking the web proxy box and having NONE in the web field.

    Ian

  • Hi Ian,


    I have no rule that uses the web proxy. I've double-checked that.

    There are 2 rules that show "web" on the right side, but when I open them, I see neither a web proxy box nor a web field.


    But my rules now are working correctly together.

    Regards.