
Sophos XG 210 - The Web filter is showing 2 IP addresses src and dst that aren't part of our network

Hi there,

We have been using the Sophos XG for 2 months now, and this weekend, in the Web filter logs, we found something really strange.

The Web filter denied an IP address from China from browsing to another IP address that is not in our network. How is this possible?

For information, we have the Sophos XG in bridge mode behind another Firewall / Router. There's no NATing; we are using the Firewall / IPS / DOS functions only.

Here is the log we found:

messageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="6" user="" user_group="" web_policy_id="2" web_policy="" category="Portal Sites" category_type="Unproductive" url="http://www.qq.com:443/404/search_children.js" content_type="" override_token="" response_code="" src_ip="106.75.211.42" dst_ip="23.213.15.12" protocol="TCP" src_port="41920" dst_port="443" bytes_sent="0" bytes_received="0" domain="www.qq.com" exception="" activity_name="" reason="" user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="618022784" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

How can we stop that? I mean, so that someone can't try to use our system to access another one.

I don't understand how web_policy 2 is using firewall rule id 6, because our firewall rule id 6 has no web filter configured. We are blocking some countries + a blacklist group of IP addresses coming in on port 1 [WAN] from accessing some of our web servers on port 2 [DMZ].

Thank you in advance for your hints.

Joel.
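As an added example (not part of the original thread and not Sophos' own tooling), the script below parses the key="value" log format shown in the post and checks whether each flow's source and destination actually belong to the organization's own address ranges. The LAN and DMZ prefixes are assumed documentation ranges, not the poster's real networks; the first log line is the (abridged) entry from the post, the second is constructed for contrast.

```python
import ipaddress
import re

# Abridged copy of the Sophos XG "Content Filtering" entry quoted in the post.
POST_LOG = (
    'messageid="16002" log_type="Content Filtering" log_component="HTTP" '
    'log_subtype="Denied" fw_rule_id="6" web_policy_id="2" '
    'url="http://www.qq.com:443/404/search_children.js" '
    'src_ip="106.75.211.42" dst_ip="23.213.15.12" protocol="TCP" '
    'src_port="41920" dst_port="443" domain="www.qq.com" status_code="403"'
)

# Constructed line: an outside host reaching a (hypothetical) DMZ web server.
CONSTRUCTED_LOG = (
    'messageid="16001" log_type="Content Filtering" log_component="HTTP" '
    'log_subtype="Allowed" fw_rule_id="3" web_policy_id="1" '
    'src_ip="203.0.113.9" dst_ip="198.51.100.20" protocol="TCP" '
    'src_port="50123" dst_port="443" domain="example.test" status_code="200"'
)

# Assumed address plan for this example (RFC 5737 documentation prefixes).
OWN_NETWORKS = {
    "LAN": ipaddress.ip_network("192.0.2.0/24"),
    "DMZ": ipaddress.ip_network("198.51.100.0/24"),
}

# Sophos XG logs are space-separated key="value" pairs; values carry no quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_xg_log(line: str) -> dict:
    """Turn one key="value" log line into a dict (empty values are kept)."""
    return {key: value for key, value in KV_RE.findall(line)}


def locate(ip_str: str) -> str:
    """Name the zone an address belongs to, or 'external' if it is not ours."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in OWN_NETWORKS.items():
        if ip in net:
            return name
    return "external"


def triage(line: str) -> dict:
    """Summarise a log line: which zones the endpoints sit in and whether the
    flow only transited the bridge (neither endpoint is one of our hosts)."""
    rec = parse_xg_log(line)
    src_zone = locate(rec["src_ip"])
    dst_zone = locate(rec["dst_ip"])
    return {
        "fw_rule_id": rec.get("fw_rule_id"),
        "web_policy_id": rec.get("web_policy_id"),
        "src": (rec["src_ip"], src_zone),
        "dst": (rec["dst_ip"], dst_zone),
        "denied": rec.get("log_subtype") == "Denied",
        # True when the bridge merely forwarded traffic between two outside hosts.
        "transit_only": src_zone == "external" and dst_zone == "external",
    }


def flag_transit_only(lines) -> list:
    """Return the triage records of all flows with no endpoint in our networks."""
    return [r for r in map(triage, lines) if r["transit_only"]]


if __name__ == "__main__":
    for record in map(triage, [POST_LOG, CONSTRUCTED_LOG]):
        print(record)
```

Running this over an exported log shows at a glance which denied entries involve one of the organization's own hosts and which, like the line in the post, are flows between two outside addresses that were only passing through the bridge; the `fw_rule_id` and `web_policy_id` fields are kept so each hit can be matched against the rule set.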



  • Hi Ian,


    I have no rule that uses the web proxy. I've double checked that.

    There are 2 rules that show "web" on the right side, but when I open these, I have neither a web proxy box option nor a web field.


    But my rules now are working correctly together.

    Regards.
