This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cloud Application "new" blocked and not logged or allowed?

Hi,

I need som help understanding the application control of new apps, please.

Today I had a call from a user who tried to open a URL. The request had been blocked by Webfilter but I do not see a reason for this.

I found out, that the URL had been detected as application "Concur" which is listed as "new".

I would have expected that the block in Webfilter was because of application but application filter log was empty for the user.

The only thing I could find that "Concur" was "new" and now I set it to "unsanctioned". Waiting for the user feedback.

My problem is, I do not understand why the request had been blocked. The default action in the application filter profile is "allowed" and "Concur" is not listed as denied application in the application filter profile. Even if it had been blocked, there should be something logged why.

Block event:

2020-11-25 11:14:01Web filtermessageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="121" user="xxxxxx@xxxxxxxxxxxxxxx.xx" 
user_group="xxxxxxxxxxx" web_policy_id="4" web_policy="" category="General Business" category_type="Acceptable" url="https://www.concursolutions.com/mobile/ConcurMobileRedirect.asp?type=EXP_RPT_LIST&ts=xxxxxxxxxxxxxxxx&token=xxxxxxxxxxxxxxxxxxxxxx&cteDeepUrl=http://eu1.concursolutions.com?hpo%3D22%26cte%xxxxxxxxxxxxxxxxxxxxxxx" 
content_type="" override_token="" response_code="" src_ip="192.168.xxx.xxx" dst_ip="184.30.212.39" protocol="TCP" src_port="55974" dst_port="443" bytes_sent="0" bytes_received="0" 
domain="www.concursolutions.com" exception="" activity_name="UserActivity" reason="" 
user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36 Edg/87.0.664.47" status_code="403" transaction_id="" 
referer="https://www.concursolutions.com/mobile/ConcurMobileRedirect.asp?type=EXP_RPT_LIST&ts=xxxxxxxxx&token=xxxxxxxxxxxxxxxxxxxx&cteDeepUrl=http://eu1.concursolutions.com?hpo%3D22%26cte%xxxxxxxxxxxxxxxxxxxxx" 
download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="613720064" app_name="Concur" app_is_cloud="1" override_name="" override_authorizer="" used_quota="0"

This thread was automatically locked due to age.

Top Replies

Prism over 4 years ago in reply to LHerzog +2

Can you send a picture of the web_policy_id="4" - which is the web policy that's being applied over this user. And also if you can , PM me the full URL that has been blocked. The Picture that you sent…

Parents

0 LHerzog over 4 years ago

I tested around with this and I think, it is not possible to find out what is being blocked if you only have the XG firewall logs unless you see the block message on the client. And now I still only know the symptom, not the reason.

The client browser shows this:

the XG logs show this for the request:

2020-11-25 15:59:46Web filtermessageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="121" user="user@xxxxxxxxx.xx" 
user_group="Admins" web_policy_id="4" web_policy="" category="General Business" category_type="Acceptable" 
url="https://www.concursolutions.com/mobile/ConcurMobileRedirect.asp?type=EXP_RPT_LIST&ts=xxxxxxxxxxxxxxxxxxxx&token=xxxxxxxxxxxxxxxxxxxxx&cteDeepUrl=http://eu1.concursolutions.com?hpo%3D22%26cte%xxxxxxxxxxxxxxxxxxxx" 
content_type="" override_token="" response_code="" src_ip="192.xxx.xxx.xxx" dst_ip="184.30.212.39" protocol="TCP" src_port="51527" dst_port="443" bytes_sent="0" bytes_received="0" 
domain="www.concursolutions.com" exception="" activity_name="UserActivity" reason="" user_agent="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0" 
status_code="403" transaction_id="" referer="https://www.concursolutions.com/mobile/ConcurMobileRedirect.asp?type=EXP_RPT_LIST&ts=xxxxxxxxxxxxx&token=xxxxxxxxxxxxxxxxxxxxxxxxxxxx&cteDeepUrl=http://eu1.concursolutions.com?hpo%3D22%26cte%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" 
download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="29655040" app_name="Concur" app_is_cloud="1" override_name="" override_authorizer="" used_quota="0"

No log about the block because of "Executable Files"

How should I analyze and manage this?

Reply

0 LHerzog over 4 years ago

The client browser shows this:

the XG logs show this for the request:

2020-11-25 15:59:46Web filtermessageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="121" user="user@xxxxxxxxx.xx" 
user_group="Admins" web_policy_id="4" web_policy="" category="General Business" category_type="Acceptable" 
url="https://www.concursolutions.com/mobile/ConcurMobileRedirect.asp?type=EXP_RPT_LIST&ts=xxxxxxxxxxxxxxxxxxxx&token=xxxxxxxxxxxxxxxxxxxxx&cteDeepUrl=http://eu1.concursolutions.com?hpo%3D22%26cte%xxxxxxxxxxxxxxxxxxxx" 
content_type="" override_token="" response_code="" src_ip="192.xxx.xxx.xxx" dst_ip="184.30.212.39" protocol="TCP" src_port="51527" dst_port="443" bytes_sent="0" bytes_received="0" 
domain="www.concursolutions.com" exception="" activity_name="UserActivity" reason="" user_agent="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0" 
status_code="403" transaction_id="" referer="https://www.concursolutions.com/mobile/ConcurMobileRedirect.asp?type=EXP_RPT_LIST&ts=xxxxxxxxxxxxx&token=xxxxxxxxxxxxxxxxxxxxxxxxxxxx&cteDeepUrl=http://eu1.concursolutions.com?hpo%3D22%26cte%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" 
download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="29655040" app_name="Concur" app_is_cloud="1" override_name="" override_authorizer="" used_quota="0"

No log about the block because of "Executable Files"

How should I analyze and manage this?

Children

0 Prism over 4 years ago in reply to LHerzog

Can you send a picture of the web_policy_id="4" - which is the web policy that's being applied over this user. And also if you can, PM me the full URL that has been blocked.

The Picture that you sent show exactly why It's been blocking; Apparently you blocked the download of "Executable Files" over the Web Policy, but since on the Log it shows that no file at all has being downloaded, then this could be a false positive.

What I think is happening (But I'm not sure since you remove a lot of information of the URL Log.); Is, there is a small ".exe" or ".bat" located in the link somewhere and the Web Policy is detecting it as a download for "Executable File". Or It's something on the MIME headers that's triggering It.

An example of false positive like this is - after creating a web policy that block "Executable Files", then you can type "">google.com/thisdoesntexist.exe on the browser and the DPI Engine will block It anyways, even If It doesn't exist.
Cancel
Vote Up +2 Vote Down

Cancel
0 LHerzog over 4 years ago in reply to Prism

Hi Prism,

thanks for your reply!

This is Web Pol #4 and it's associated User Activity.

I'm thinking this could be because of the .asp extension in the Link URL: concursolutions.com/mobile/ConcurMobileRedirect.asp

I send you the URL. This acually only redirects to a login URL on https://eu1.concursolutions.com/nui/signin?

Thanks!
Cancel
Vote Up 0 Vote Down

Cancel
0 LHerzog over 4 years ago in reply to LHerzog

Thanks Prism for your help. We found out, that there is something in the link that makes the WebProxy think, this is an executable.

@ Can Sophos figure it out?

https://www.concursolutions.com/mobile/ConcurMobileRedirect.asp?type=EXP_RPT_LIST&ts=1606253334263&token=x&cteDeepUrl=http://eu1.concursolutions.com?type-what-you-want-it-is-blocked-as-exe

replace type-what-you-want-it-is-blocked-as-exe with anything you like - it is getting blocked. as executable.

You can do this with google also - so does not depend on the actual webserver:

https://www.google.com/=https://google.com?type-what-you-want-it-is-blocked-as-exe
Cancel
Vote Up +1 Vote Down

Cancel
0 FormerMember over 4 years ago in reply to LHerzog

Hi LHerzog,

Thank you for reporting this, could you please provide the complete URL via PM and firmware version on your firewall?

I will try to replicate this in my LAB and update you accordingly.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 4 years ago in reply to FormerMember

Hi LHerzog,

I can confirm the issue you reported is no longer seen on v18 MR4.

Thanks,
Cancel
Vote Up +1 Vote Down

Cancel
0 LHerzog over 4 years ago in reply to FormerMember

good. So I put in a cross reference here to the other tread that recently came up with a similar issue but in MR4

https://community.sophos.com/xg-firewall/f/discussions/125329/web-proxy-and-url-blocked-as-executable-file
Cancel
Vote Up 0 Vote Down

Cancel