This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

InvalidUrl - how to interpret report?

Hello,

In Sophos XG reports, there is a Web Category named "InvalidUrl" which cannot be used in web filtering policy. There's a big number of requests and bytes transferred.

One of the "URLs" is highlighted, it's just a very long string, the second one looks very similar. Port 17472 may be related to Tanium software, and by capturing packets I know there's indeed a communication to this port to my employer's IP. But this "URL" is a mystery, packet capture of DNS didn't catch it so far.

What has actually happened? How to interpret it?

This thread was automatically locked due to age.

Top Replies

FormerMember over 4 years ago +1

Hi MakaanPL , Thank you for reaching out to Sophos Community. Website which don’t have valid URL format will categories in Invalid URL. Could you please try to do DNS lookup manually to one of these…

Parents

0 FormerMember over 4 years ago

Hi MakaanPL,

Thank you for reaching out to Sophos Community.

Website which don’t have valid URL format will categories in Invalid URL.

Could you please try to do DNS lookup manually to one of these URLs? Export this report in csv to get the correct domain.

Do you see any log event in awarrenhttp_access.log with this URL?

It would be great if you can share csv here as well.
Cancel
Vote Up +1 Vote Down

Cancel

Reply

0 FormerMember over 4 years ago

Hi MakaanPL,

Thank you for reaching out to Sophos Community.

Website which don’t have valid URL format will categories in Invalid URL.

Could you please try to do DNS lookup manually to one of these URLs? Export this report in csv to get the correct domain.

Do you see any log event in awarrenhttp_access.log with this URL?

It would be great if you can share csv here as well.
Cancel
Vote Up +1 Vote Down

Cancel

Children

0 MakaanPL over 4 years ago in reply to FormerMember

There isn't any additnional information in CSV export. The "domain" is exactly like on the screenshot, and of course is invalid. Nothing related to this "domain" string found in awarrenhttp_access.log (proxy is not enabled, by the way) as well as firewall log files.

As I mentioned, all logged traffic with destination port 17472 TCP is towards my employer's public IP, sometimes an intranet IP as well (unreachable, caught probably right after disconnecting VPN). The reverse lookup of IP suggests it's Tanium software.

"1.dbfd129333e2c012ee0aed2d4a44e6cab85baada9c9ed72c29f347517783d7622b154d852bb7f9b111bedf72a95d4ecc8e86e424fa17703fc5181d7a998d1.78416c3cea3378c730f53d3d1ef0082500b11bb060b640b3ba8694844b86f023405a5df96f2c83ea3dd461f25674b0c9257a92c77c3df84b4ac19243554c8"
Cancel
Vote Up 0 Vote Down

Cancel
0 MakaanPL over 4 years ago in reply to FormerMember

https://support.tanium.com/s/article/Communication-Breakdown-How-to-Prevent-Firewalls-From-Silently-Disrupting-Your-Tanium-Environment
Cancel
Vote Up 0 Vote Down

Cancel