How to log Drops from advanced-firewall checks

Hello,

We have a client-server based application, where the server is in a different VLAN than the clients.

The communication between both VLANs is routed via Sophos XG VLAN interfaces. (XG430 / 18.5 MR1)

The GUI firewall rules are configured to allow everything for both VLAN networks in each direction.

However, this client-server based application doesn't work with this setup.

The only way to get the application working as expected is to set the advanced-firewall bypass via CLI.

I assume that the application is not 100% RFC conformant and, for example, the XG TCP sequence checking drops the packet.

My problem is that I can't see any dropped packet in any log on the XG firewall.

I need to know exactly why the firewall is dropping that traffic in order to contact the application vendor if something is not RFC compliant on the application side.

Can you please tell me how to log these kinds of drops from the advanced-firewall checks?

Thank you for your help!



  • Hi,

    Using the log viewer, refine your search to the server's IP address to see where the traffic might be going.

    Ian

  • I already filtered the GUI Log Viewer for source/destination and can't see any problem-related log entries.

    No invalid traffic or something like that.

    I tried to enable all log options in System Services -> Log Settings -> Local Reporting, but there is still no log entry while reproducing the problem.

  • I reproduced the failure while the bypass and IPS settings were removed from the console.

    XG430_WP02_SFOS 18.5.1 MR-1-Build326# conntrack -E | grep 8080
    ...
        [NEW] proto=tcp      proto-no=6 timeout=120 state=SYN_SENT orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 [UNREPLIED] reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=60022 id=4148903936 masterid=0 devin=LAG_DSW.102 devout=LAG_DSW.101 nseid=16784848 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=6 natid=0 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0x1 sigoffload=0 inzone=12 outzone=11 devinindex=27 devoutindex=26 hb_src=0 hb_dst=0 flags0=0xa0000200020 flags1=0x10000800000 flagvalues=5,21,41,43,87,104 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=c8:4f:86:fc:01:02 src_mac=00:50:56:bd:d9:6a startstamp=1636363431 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=26 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=13661 current_state[1]=0 vlan_id=0 inmark=0x0 brinindex=0 sessionid=28523 sessionidrev=23757 session_update_rev=2 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
     [UPDATE] proto=tcp      proto-no=6 timeout=60 state=SYN_RECV orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=60022 id=4148903936 masterid=0 devin=LAG_DSW.102 devout=LAG_DSW.101 nseid=16784848 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=6 natid=0 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0x1 sigoffload=0 inzone=12 outzone=11 devinindex=27 devoutindex=26 hb_src=0 hb_dst=0 flags0=0xa0000200020 flags1=0x10000800000 flagvalues=5,21,41,43,87,104 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=c8:4f:86:fc:01:02 src_mac=00:50:56:bd:d9:6a startstamp=1636363431 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=26 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=13661 current_state[1]=13661 vlan_id=0 inmark=0x0 brinindex=0 sessionid=28523 sessionidrev=23757 session_update_rev=2 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
     [UPDATE] proto=tcp      proto-no=6 timeout=10800 state=ESTABLISHED orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=60022 [ASSURED] id=4148903936 masterid=0 devin=LAG_DSW.102 devout=LAG_DSW.101 nseid=16784848 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=6 natid=0 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0x1 sigoffload=0 inzone=12 outzone=11 devinindex=27 devoutindex=26 hb_src=0 hb_dst=0 flags0=0xa0000200020 flags1=0x10000800000 flagvalues=5,21,41,43,87,104 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=c8:4f:86:fc:01:02 src_mac=00:50:56:bd:d9:6a startstamp=1636363431 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=26 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=13661 current_state[1]=13661 vlan_id=0 inmark=0x0 brinindex=0 sessionid=28523 sessionidrev=23757 session_update_rev=2 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
     [UPDATE] proto=tcp      proto-no=6 timeout=10 state=CLOSE orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=60022 [ASSURED] id=4148903936 masterid=0 devin=LAG_DSW.102 devout=LAG_DSW.101 nseid=16784848 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=6 natid=0 fw_action=1 bwid=0 appid=6 appcatid=3 hbappid=10162 hbappcatid=0 dpioffload=0x5 sigoffload=0 inzone=12 outzone=11 devinindex=27 devoutindex=26 hb_src=0 hb_dst=0 flags0=0xa0000200020 flags1=0x10000810000 flagvalues=5,21,41,43,80,87,104 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=c8:4f:86:fc:01:02 src_mac=00:50:56:bd:d9:6a startstamp=1636363431 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=26 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=13661 current_state[1]=13661 vlan_id=0 inmark=0x0 brinindex=0 sessionid=28523 sessionidrev=23757 session_update_rev=6 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
    [DESTROY] proto=tcp      proto-no=6 orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=59969 orig-dport=8080 packets=178 bytes=110323 reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=59969 packets=385 bytes=375427 [ASSURED] id=3527022848 masterid=0 devin=LAG_DSW.102 devout=LAG_DSW.101 nseid=16784440 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=6 natid=0 fw_action=1 bwid=0 appid=10162 appcatid=0 hbappid=10162 hbappcatid=0 dpioffload=0x7 sigoffload=0 inzone=12 outzone=11 devinindex=27 devoutindex=26 hb_src=0 hb_dst=0 flags0=0x20000a0000200020 flags1=0x10004810000 flagvalues=5,21,41,43,61,80,87,90,104 catid=1022 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=c8:4f:86:fc:01:02 src_mac=00:50:56:bd:d9:6a startstamp=1636363404 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=26 tlsruleid=0 ips_nfqueue=2 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=13661 current_state[1]=13661 vlan_id=0 inmark=0x0 brinindex=0 sessionid=7409 sessionidrev=32269 session_update_rev=12 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0 nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED
    ...
    
    (I deleted unnecessary lines)

    I cannot see any proxy redirections in those conntrack logs.

    On the Firewall Rule there is no Web enabled.
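
    As an added example (not code from the original post or from Sophos), here is a Python script that parses `conntrack -E` output like the listing above, groups the events by conntrack id, and prints each connection's state transitions together with the fields that changed between consecutive events, for instance appid, appcatid, dpioffload and flagvalues on the ESTABLISHED -> CLOSE step of id 4148903936. It assumes only the key=value layout visible in the listing; the meaning of the Sophos-specific fields is not interpreted. The sample input is a constructed, trimmed copy of the events quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the conntrack -E events quoted in the post, trimmed to a
# subset of fields (the values are the ones that appear in the post).
SAMPLE_CONNTRACK = """\
    [NEW] proto=tcp      proto-no=6 timeout=120 state=SYN_SENT orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 [UNREPLIED] reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=60022 id=4148903936 fwid=6 fw_action=1 appid=0 appcatid=0 dpioffload=0x1 flagvalues=5,21,41,43,87,104 ips_nfqueue=0 session_update_rev=2
 [UPDATE] proto=tcp      proto-no=6 timeout=60 state=SYN_RECV orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=60022 id=4148903936 fwid=6 fw_action=1 appid=0 appcatid=0 dpioffload=0x1 flagvalues=5,21,41,43,87,104 ips_nfqueue=0 session_update_rev=2
 [UPDATE] proto=tcp      proto-no=6 timeout=10800 state=ESTABLISHED orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=60022 [ASSURED] id=4148903936 fwid=6 fw_action=1 appid=0 appcatid=0 dpioffload=0x1 flagvalues=5,21,41,43,87,104 ips_nfqueue=0 session_update_rev=2
 [UPDATE] proto=tcp      proto-no=6 timeout=10 state=CLOSE orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=60022 orig-dport=8080 reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=60022 [ASSURED] id=4148903936 fwid=6 fw_action=1 appid=6 appcatid=3 dpioffload=0x5 flagvalues=5,21,41,43,80,87,104 ips_nfqueue=0 session_update_rev=6
[DESTROY] proto=tcp      proto-no=6 orig-src=172.17.2.11 orig-dst=172.17.1.11 orig-sport=59969 orig-dport=8080 packets=178 bytes=110323 reply-src=172.17.1.11 reply-dst=172.17.2.11 reply-sport=8080 reply-dport=59969 packets=385 bytes=375427 [ASSURED] id=3527022848 fwid=6 fw_action=1 appid=10162 appcatid=0 dpioffload=0x7 flagvalues=5,21,41,43,61,80,87,90,104 ips_nfqueue=2 session_update_rev=12
"""

EVENT_RE = re.compile(r"^\s*\[(NEW|UPDATE|DESTROY)\]\s+(.*)$")
FLAG_RE = re.compile(r"\[([A-Z_]+)\]")          # [UNREPLIED], [ASSURED]
KV_RE = re.compile(r"(\S+?)=(\S+)")             # key=value tokens

# Bookkeeping fields that change on nearly every event; excluded from the diff.
VOLATILE = {"event", "flags", "state", "timeout"}


def parse_event(line):
    """Turn one conntrack -E line into a dict; None for non-event lines ('...', prompts)."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event, rest = m.groups()
    fields = {"event": event, "flags": FLAG_RE.findall(rest)}
    side = "orig"  # packets= / bytes= appear once per direction, original side first
    for key, value in KV_RE.findall(rest):
        if key == "reply-src":
            side = "reply"
        if key in ("packets", "bytes"):
            key = f"{side}_{key}"
        fields[key] = value
    return fields


def group_by_connection(lines):
    """Group events by conntrack id, preserving their order of appearance."""
    conns = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            conns[ev["id"]].append(ev)
    return dict(conns)


def changed_fields(prev, cur):
    """Fields whose value differs between two consecutive events of one connection."""
    return {k: (prev.get(k), cur.get(k))
            for k in cur if k not in VOLATILE and prev.get(k) != cur.get(k)}


def timeline(events):
    """Per-event summary: state, conntrack flags, and what changed since the previous event."""
    out = []
    for i, ev in enumerate(events):
        entry = {"event": ev["event"], "state": ev.get("state"), "flags": ev["flags"]}
        if i:
            entry["changed"] = changed_fields(events[i - 1], ev)
        out.append(entry)
    return out


def select_connections(conns, dport=None, peer=None):
    """Keep connections whose first event matches a destination port and/or a peer address."""
    keep = {}
    for cid, evs in conns.items():
        first = evs[0]
        if dport is not None and first.get("orig-dport") != str(dport):
            continue
        if peer is not None and peer not in (first.get("orig-src"), first.get("orig-dst")):
            continue
        keep[cid] = evs
    return keep


if __name__ == "__main__":
    conns = select_connections(group_by_connection(SAMPLE_CONNTRACK.splitlines()), dport=8080)
    for cid, evs in conns.items():
        f = evs[0]
        print(f"id={cid} {f['orig-src']}:{f['orig-sport']} -> {f['orig-dst']}:{f['orig-dport']}")
        for entry in timeline(evs):
            print(f"  {entry['event']:<8} {entry['state'] or '-':<12} {','.join(entry['flags']) or '-'}")
            for k, (old, new) in entry.get("changed", {}).items():
                print(f"           {k}: {old} -> {new}")
```

    Feed it the saved output of `conntrack -E | grep 8080` (the command shown above) and it prints, per connection, the step at which classification-related fields first change; that is the event to line up against the packet capture. It does not tell you who sent the RST; conntrack only sees state, not the initiator of the teardown.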

  • With all the tests we have done so far, it looks to me like this ATP/AC module is dropping the traffic, because once I create "set ips ac_atp exception fwrules 6" everything works fine.

    Can you confirm this? If not, can you please explain why you think we should look for the problem somewhere else, like asymmetric routing issues, because I don't understand this at the moment.

    Do you know if it is possible to log these drops from the ATP/AC module, or if these kinds of drops are silent?

  • Do you have micro app enabled? 

    console> system application_classification show
    On
    console> system application_classification microapp-discovery
    off on show
    console> system application_classification microapp-discovery show
    off

  • No, this is not enabled:

    console> system application_classification show
    On

    console> system application_classification microapp-discovery show
    off

  • Sorry to bother you again.

    Could you please answer my question: is there any possibility to log these drops from the ATP/AC module, or are these kinds of drops silent?

  • It's the atp.log or the dropped packet capture. If there are no drops, this is not dropped.

  • Where can I find atp.log?

    There is no atp.log in the /log folder.

    XG430_WP02_SFOS 18.5.1 MR-1-Build326# cd /log/
    XG430_WP02_SFOS 18.5.1 MR-1-Build326# ls
    VPN.log                     catUpdateLog                dnsd.log                    garner.log                  migration.log               readobject.log              red-R20002F2VQCJR37.log     smtpd_panic.log             up2date_av.log
    WINGc.log                   centralmanagement.log       dnsgrabber.log              garner.log.0                migrationhash.log           red                         red-R20002MHTCCCR28.log     snireport.log               validation.log
    WINGc.log.0                 centralmanagement.log.0     dnsgrabber.log.0            ha_pair.log                 mrouting.log                red-A35019622135F65.log     red.log                     snmpd.log                   validationError.log
    access_server.log           charon.log                  dropbear.log                ha_tunnel.log               msync.log                   red-A350199D5868BE5.log     redis                       sophos-central.log          validationError.log.0
    apache.log                  charon.log.0                eacd.log                    hbtrust.log                 msync.log.0                 red-A3501B9B893500C.log     reportdb.log                sshd.log                    vhost.log
    apache_access.log           chromebook-sso-backend.log  entity.log                  hbtrust.log.0               nSXLd                       red-A3501D2BEF22F74.log     reportmigration.log         sslvpn.log                  vpncertificate.log
    apache_access.log.0         clientless_access.log       error_log.log               heartbeatd.log              nSXLd.log                   red-A3501DA8C271A54.log     reverseproxy.log            ssod.log                    warren.log
    apiparser.log               confdbstatus.log            exim_mail_client.log        hostapd.log                 nasm.log                    red-A3501E4B83A55E1.log     reverseproxy.log.0          strongswan-monitor.log      wc_remote.log
    app-feedback.log            crreportdb.log              firewall_rule.log           hotspotd.log                nat_rule.log                red-A3501E58921CF3D.log     ripd.log                    strongswan.log              webproxy.log
    appcached.log               csc.log                     fqdnd.log                   httplogd.log                networkd.log                red-A3501E77570D8E8.log     sac-feedback.log            strongswan.log.0            wifiauth.log
    applog.log                  csc.log.0                   fqdnd.log.0                 hwmon.log                   networkd.log.0              red-A3501F696540315.log     sandbox_reportd.log         sync.log                    xfrmi.log
    applog.log.0                cschelper.log               fqdndebug.log               ips.log                     npu-startup.log.prev        red-A350232E7D3581D.log     sandboxd.log                sysinit.log                 xgs-healthmond.log
    av.log                      csd.log                     ftpproxy.log                ipsec.log                   npu_syslog.log              red-A36020093C07EDC.log     sessiontbl.log              syslog-ng.log               xgs-host.log
    avd.log                     ctasd.log                   fwcm-eventd.log             ipsec_conn                  ntpclient.log               red-R200018963CFXC8.log     sig_upgrade.log             syslog.log                  xgs-npu-fw.log
    avd.log.0                   ctipd.log                   fwcm-eventd.log.0           ipsec_monitor.log           openvpn-status.log          red-R20001HKPXRMJE7.log     sigdb.log                   tlsreport.log               zebra.log
    awarrenhttp.log             ctsyncd.log                 fwcm-heartbeatd.log         iview.log                   ospfd.log                   red-R20001T9YFQK700.log     sigmigration.log            tmclient.log
    awarrenhttp_access.log      ddc.log                     fwcm-heartbeatd.log.0       iview.log.0                 pimd.log                    red-R20001YCCYYJR6D.log     skein.log                   tomcat.log
    awarrensmtp.log             dgd.log                     fwcm-updaterd.log           l2tpd.log                   pktcapd.log                 red-R20001YJGKMDW95.log     smbnetfs.log                tomcat.log.0
    awed.log                    dgd.log.0                   fwcm-updaterd.log.0         lcd.log                     postgres.log                red-R20001YJRF8T4CF.log     smtpd_error.log             u2d.log
    bgpd.log                    dhcpd.log                   fwlog.log                   licensing.log               pptpvpn.log                 red-R200024FYJ9R403.log     smtpd_main.log              u2d.log.0
    bwm.log                     dhcpd6.log                  fwmgmt.log                  mdev.log                    radvd.log                   red-R200029YG4GHCC8.log     smtpd_main.log.0            uma.log
    XG430_WP02_SFOS 18.5.1 MR-1-Build326#
    

  • The dropped packet capture does not show a single line while reproducing the error.

    ips.log is filling up constantly with some entries, but I cannot see any relationship to my problem, because the entries are written every 20-30 seconds regardless of whether I reproduce the error or not.

    1637221271.445212946 [12491/0xeb0000007485] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221271.648529883 [12491/0xc11400003517] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221281.576054732 [12492/0x4e4000008260] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221296.315486715 [12491/0x73e700005f7a] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221361.592918676 [12491/0xe1b6000013a8] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221372.286165496 [12491/0xfbf00000a67f] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221376.254997289 [12489/0x1a71000bf215] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221380.264400346 [12488/0x3fd80003c4ec] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221380.276489084 [12488/0xfe11000016f6] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221456.394740671 [12491/0xd2da000009c7] [nsg.c:1407:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
    1637221457.111740905 [12489/0x135b000042cf] [nsg.c:1407:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
    1637221461.033688667 [12488/0x4850000de0ea] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221464.094616417 [12491/0x7019000ddd82] [nsg.c:1407:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
    1637221475.293703382 [12491/0xa403000041aa] [nsg.c:1407:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
    1637221477.222272602 [12492/0x489e000dfdb8] [nsg.c:1407:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
    1637221518.070145981 [12492/0x652300000630] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221561.813531376 [12491/0xcc0006c25b] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221562.585277755 [12492/0x5f8000002c00] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221580.948666411 [12491/0x15a500005097] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221581.040441116 [12492/0xcb2500013e76] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221613.689577477 [12492/0x4f9300001625] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221662.830070946 [12492/0xa0de00008729] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221722.365829812 [12488/0xcff100004238] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221722.368846499 [12491/0x50a600007ba5] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221722.431311168 [12489/0xcfbf0000423f] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221722.432365908 [12489/0x7c1f00007051] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221722.433895988 [12491/0x63a80000a747] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221727.362595316 [12491/0x8d2000e47df] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221828.959235528 [12488/0x109700000984] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221828.991220647 [12492/0x9ef400006262] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221834.266318346 [12492/0xf0b00000bd48] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221834.277881430 [12491/0x31a6000347de] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221834.278348722 [12491/0x15610000102c] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
    1637221834.312279944 [12489/0x2166000347d7] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    1637221834.312504010 [12489/0x66e700004df7] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
    

    You said if it's not logged there, it is not dropped.

    But why does the application work when the AC/ATP exception is active and not work when it is deactivated?

    This indicates that the firewall is dropping that traffic at some point, doesn't it?
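
    As an added example (not from the original post or from Sophos), here is a Python script that parses ips.log lines in the format shown above and compares the entries inside a reproduction window with the rest of the log: the per-minute rate on each side and the message kinds that occur only inside the window. That is the check behind the "written every 20-30 sec regardless" observation, done on timestamps instead of by eye. The line format (epoch timestamp, [pid/context], [file:line:function], message) is an assumption read off the lines above; the sample is a constructed subset of those lines and the window boundaries are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a subset of the ips.log lines quoted in the post. The first
# field is epoch seconds with a nanosecond fraction.
SAMPLE_IPS_LOG = """\
1637221271.445212946 [12491/0xeb0000007485] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
1637221271.648529883 [12491/0xc11400003517] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
1637221281.576054732 [12492/0x4e4000008260] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
1637221376.254997289 [12489/0x1a71000bf215] [nsg.c:1037:parser_context_req_begin_cb] Cannot parse pipelined request. Will offload traffic. (fsm: 1, paf: 0)
1637221380.264400346 [12488/0x3fd80003c4ec] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
1637221456.394740671 [12491/0xd2da000009c7] [nsg.c:1407:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
1637221457.111740905 [12489/0x135b000042cf] [nsg.c:1407:parser_context_resp_eoh_cb] request_fsm_response_begin failed.
1637221461.033688667 [12488/0x4850000de0ea] [nsg_tcphold.c:315:process_event] Could not find session for key and unique_id.
"""

# Assumed layout: "<epoch.frac> [<pid>/<hex context>] [<file>:<line>:<function>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\[(?P<pid>\d+)/(?P<ctx>0x[0-9a-f]+)\]\s+"
    r"\[(?P<src>[^\]]+)\]\s+(?P<msg>.*)$"
)


def parse_line(line):
    """One ips.log line -> dict with ts (float), pid (int), ctx, src, msg; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = float(d["ts"])
    d["pid"] = int(d["pid"])
    return d


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def in_window(events, start, end):
    """Entries with start <= ts < end (epoch seconds)."""
    return [e for e in events if start <= e["ts"] < end]


def message_counts(events):
    """Count entries by (source location, message): the pair identifies one code path."""
    return Counter((e["src"], e["msg"]) for e in events)


def compare_window(events, start, end):
    """Rate (entries per minute) inside versus outside the window, and messages seen only inside."""
    inside = in_window(events, start, end)
    outside = [e for e in events if not (start <= e["ts"] < end)]
    log_span = max(e["ts"] for e in events) - min(e["ts"] for e in events)
    outside_span = max(log_span - (end - start), 0.0)
    return {
        "inside_rate": 60.0 * len(inside) / (end - start),
        "outside_rate": 60.0 * len(outside) / outside_span if outside_span else float("nan"),
        "inside_only": set(message_counts(inside)) - set(message_counts(outside)),
    }


if __name__ == "__main__":
    events = parse_log(SAMPLE_IPS_LOG)
    # Hypothetical reproduction window; replace with the epoch times of your own test run.
    start, end = 1637221370, 1637221390
    for (src, msg), n in message_counts(events).most_common():
        print(f"{n:4d}  [{src}] {msg}")
    result = compare_window(events, start, end)
    print(f"rate inside window: {result['inside_rate']:.1f}/min, "
          f"outside: {result['outside_rate']:.1f}/min")
    for src, msg in sorted(result["inside_only"]):
        print(f"only inside window: [{src}] {msg}")
```

    Note the epoch time with `date +%s` on the box immediately before and after reproducing the failure, copy the matching slice of /log/ips.log, and run the script against it. A message kind that appears only inside the window, or a clear rate jump, is worth correlating with the RST in the capture; a flat rate with the same messages on both sides supports the reading that these entries are unrelated background noise.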

  • From my perspective, it's not about dropping. It looks like the application is intercepted by the proxy, which means the connection is not dropped but intercepted. If it's intercepted, likely the application got dropped by the client/server.

    A drop would indicate "retransmission multiple times". But you get an RST (reset) from somebody. So somebody wants to kill the connection for whatever reason.

    BTW: Why is your client getting a 401 Unauthorized?

  • OK, to follow your theory, do you have any hints on where I could look first to find out whether this proxy interception took place on the XG?

    The firewall rules for internal traffic don't have any web filter enabled.

    Only the firewall rules for internet traffic use DPI with TLS decryption, so it should not be relevant to my problem.

    This 401 Unauthorized is a good question; I have seen it in both traces:

    When the atp_ac rule is disabled -> there is the RST right after the 401 Unauthorized.

    When the atp_ac rule is enabled -> there is also the same Unauthorized message (Access is denied due to invalid credentials), but the application works as expected. I can see that the next packets in the Wireshark trace are HTTP/XML SOAP packets instead of the RST.

    If it is helpful, I could send you both Wireshark captures via PM so that you can see the difference.