DPI issue with AnyDesk Software

We're having an issue with Anydesk being blocked in DPI due to invalid certificates.

Anydesk uses its own certificates, not trusted anywhere but in their software.

CN = AnyNet Root CA

CN = AnyNet Relay

Both seem to have the same fingerprint: 9e:08:d2:58:a9:02:cd:4f:e2:4a:26:b8:48:5c:43:0b:81:29:99:e3

We created a firewall rule for the users that need Anydesk, allowing HTTP/S and Anydesk's custom port 6568.

No WebFilter enabled on that FW rule, no IPS and App Control either.

Still, the traffic comes to the DPI, where it's blocked because of: TLS handshake fatal alert: unknown CA(48).

I don't understand why the traffic is scanned by DPI when the firewall rule has no webfiltering enabled.

I was able to install the AnyDesk Root CA to XG but not the Relay Certificate as CA which generates an error.

Certificate isn't a valid CA certificate or can't be used for signing.

This is the firewall rule 320 that hits here

and this is the DPI rule

This is a packet in firewall log

2022-05-23 11:45:03 Firewall messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="11" fw_rule_id="320" nat_rule_id="0" policy_type="2" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="Anydesk" app_risk="3" app_technology="Client Server" app_category="Remote Access" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="lag0.13" in_display_interface="User" out_interface="lag0.2524" out_display_interface="lag0.2524" src_mac="68:84:7E:8D:A0:8A" dst_mac="C8:4F:86:FC:00:0D" src_ip="172.16.xxx.xxx" src_country="R1" dst_ip="138.199.36.117" dst_country="" protocol="TCP" src_port="52930" dst_port="443" packets_sent="7" packets_received="5" bytes_sent="544" bytes_received="2742" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="754337024" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="EAC" app_is_cloud="0"

This is a packet in DPI log:

2022-05-23 11:44:53 SSL/TLS inspection messageid="19018" log_type="SSL" log_component="SSL" log_subtype="Error" severity="Information" user="" src_ip="172.16.xxx.xxx" dst_ip="138.199.36.117" user_group="" src_country="R1" dst_country="" src_port="52930" dst_port="443" app_name="" app_id="0" category="IPAddress" category_id="83" con_id="754337024" rule_id="8" profile_id="3" rule_name="LAN-2-WAN" profile_name="Strict compliance" bitmask="Valid" key_type="KEY_TYPE__EC" key_param="EC secp256r1" fingerprint="9e:08:d2:58:a9:02:cd:4f:e2:4a:26:b8:48:5c:43:0b:81:29:99:e3" resumed="0" cert_chain_served="TRUE" cipher_suite="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" sni="138.199.36.117" tls_version="TLS1.2" reason="TLS handshake fatal alert: unknown CA(48)." exception="" message=""

What has to be done, to get this traffic out of DPI or to make XG trust the certificates?

  • I wrote this all up a year ago - https://community.sophos.com/sophos-xg-firewall/f/discussions/123967/how-to-allow-or-block-anydesk-when-using-tls-scanning

    Don't use the IPs I posted as they are out of date, but the method works; you will just have to use the steps I outlined to create a new IP list.

    Have to say, this site could do with a much better search engine. When trying to find the above link, a search of "Anydesk" didn't find this post. Had to go back to my profile and find where I had posted it. I've often found the search returns crappy results.

  • Hey, that's what I was looking for. Great & Thanks! So just to ask: you added those IPs into a Web URL Group like "Anydesk IP" and use that for exclusion in TLS/DPI?

    or use it as Destination control in a firewall rule?

  • Somebody could export their objects and post them in the community, if they like, so others could import them as an export.

  • We just have it as an IP list that we put in a "Don't decrypt" SSL/TLS Inspection Rule

    Our current IP list is:

    141.105.67.173,192.155.106.69,46.4.105.230,177.54.145.75,136.243.81.155,178.128.83.14,216.245.193.50,104.243.41.211,5.188.148.22,186.233.185.73,103.107.198.70,186.233.185.64,92.38.148.19,82.223.101.124,5.188.148.13,49.12.130.236,178.162.151.213,138.201.130.101,95.217.197.184,37.61.218.225,92.38.138.12,136.243.71.27,116.202.225.117,51.81.245.48,92.38.150.63,199.127.62.145,209.222.97.48,141.105.67.159,46.4.101.81,134.119.220.101,89.187.160.141,139.99.68.207,82.223.102.174,5.188.71.118,178.162.151.212,178.128.118.254,208.115.237.254,84.17.34.77,116.202.172.152,92.38.153.70,216.144.253.178,139.99.69.89,177.54.145.77,116.202.162.91,5.188.148.26,84.17.34.78,51.91.80.122,139.99.121.132,51.195.5.158,92.223.66.49,51.178.91.234,5.188.120.37,92.38.138.10,82.223.39.162,85.195.83.105,51.178.65.177,92.38.150.24,51.178.65.228,51.83.239.144,51.89.98.178,92.38.148.17,51.89.6.202,177.54.150.126,139.99.122.45,186.233.185.71,51.83.238.200,136.243.77.37,146.0.234.85,51.89.98.179,116.202.114.37,64.31.33.218,51.178.91.237,92.38.138.14,38.39.192.6,92.38.150.23,88.99.1.27,88.198.34.103,177.54.145.44,38.39.192.10,207.188.6.19,162.254.201.201,92.223.106.13,141.105.67.172,82.223.120.52,92.223.88.232,176.9.92.22,92.223.103.127,192.155.106.115,138.201.7.158,51.83.238.221,139.99.69.87,62.75.235.180,178.128.116.60,144.76.103.21,146.185.219.17,92.38.150.61,51.83.238.213,151.106.5.211,134.119.216.185,92.38.150.66,51.83.238.241,51.178.91.233,5.188.71.55,92.223.106.10,136.243.44.15,172.105.219.53,51.89.98.181,89.187.160.134,104.238.148.200,51.91.80.124,51.83.239.145,146.185.219.33,136.243.137.2,92.223.85.103,177.54.155.15,136.243.135.166,51.91.80.119,92.223.85.120,5.188.170.167,199.127.60.83,49.12.130.235,192.155.108.5,92.42.108.153,189.1.174.48,213.198.67.114,92.223.66.31,103.107.198.54,92.223.88.41,78.46.49.23,134.119.216.245,141.105.67.145,92.38.150.67,189.1.174.39,216.245.219.66,213.239.219.11,92.223.85.102,92.223.66.50,145.239.1.122,167.99.75.56,92.38.150.71,138.201.217.169,177.54.155.18,167.99.76.132,92.38.150.70,186.233.185.76,138.201.29.112,92.223.66.39,51.178.65.229,185.19.219.127,5.188.120.11,216.245.218.30,172.104.112.178,46.4.233.44,148.251.127.85,92.38.150.65,186.233.185.74,172.104.93.149,136.243.57.19,139.99.122.30,51.83.238.211,92.223.106.15,172.107.217.106,103.107.198.42,51.83.238.210,186.233.185.60,92.38.138.19,141.105.67.148,139.99.123.27,139.99.69.164,51.83.238.202,172.104.71.53,92.223.66.47,136.243.59.28,138.201.7.157,45.76.222.77,5.188.148.25,177.54.145.34,51.178.65.231,5.9.112.244,116.202.208.24,64.31.23.30,54.36.108.137,92.38.150.73,5.188.120.14,178.128.116.81,167.179.71.125,51.195.5.159,51.68.153.120,217.182.199.175,136.243.56.154,92.223.66.51,5.188.148.21,186.233.185.65,51.83.239.73,186.233.187.24,69.162.111.202,148.251.77.80,103.107.198.62,178.128.86.15,158.255.7.145,92.38.138.11,51.195.5.156,116.202.229.59,38.39.192.14,37.61.223.15,139.162.123.221,92.223.85.104,192.155.106.71,92.223.66.44,82.223.30.238,116.202.225.124,116.202.225.122,51.68.153.119,195.201.82.113,51.195.5.157,64.31.23.22,139.99.69.88,167.179.86.175,185.209.178.72,51.89.42.214,92.38.177.14,5.188.148.12,92.223.66.41,92.38.150.22,139.99.68.49,202.182.119.71,176.9.98.56,199.127.62.156,51.178.91.235,199.127.60.136,202.182.100.173,136.243.132.27,158.255.7.154,177.54.145.74,178.128.86.132,146.185.219.86,199.127.60.241,103.107.198.66,51.91.80.48,45.35.72.2,92.38.150.76,88.99.99.121,88.99.214.67,186.233.187.20,51.91.80.120,189.1.174.38,136.243.74.99,46.4.101.74,85.195.107.61,64.31.35.26,103.43.75.140,207.188.6.17,92.223.85.121,189.1.174.43,177.54.145.80,167.179.65.23,64.31.23.26,64.31.35.194,51.89.42.215,185.136.166.135,146.185.219.14,185.136.157.95,189.1.174.47,177.54.145.72,5.188.71.30,92.223.85.147,206.189.47.231,51.83.238.220,5.188.170.169,74.63.224.34,5.188.95.14,92.223.85.87,146.185.219.89,92.223.85.148,51.83.238.218,88.198.34.109,199.127.60.120,54.36.108.171,51.83.238.209,92.223.85.165,92.223.66.48,45.126.208.85,144.76.78.144,189.1.174.46,103.1.213.62,146.185.236.42,92.38.138.13,89.187.160.142,192.155.108.43,198.13.49.12,217.182.199.184,116.202.225.111,82.223.102.22,51.91.80.121,85.195.124.5,92.38.138.20,92.38.150.72,177.54.150.13,92.223.85.164,148.251.69.85,64.31.35.242,108.61.182.228,177.54.145.78,103.107.198.26,51.178.65.230,199.127.60.121,89.187.160.140,45.76.123.16,172.104.108.83,146.185.219.46,85.195.107.63,107.155.105.90,136.243.39.33,92.223.88.7,92.38.138.18,103.107.198.18,5.188.170.170,189.1.174.45,136.243.46.247,186.233.185.58,95.217.197.179,51.195.5.155,167.179.98.127,185.136.157.77,186.233.185.40,172.105.236.156,136.243.56.13,92.38.150.75,185.209.179.55,92.223.66.40,5.188.120.13,192.155.108.7,148.251.66.236,116.202.216.243,108.160.143.219,51.83.238.212,177.54.145.71,186.233.185.70,177.54.145.37,92.38.153.69,139.162.89.248,92.38.177.17,146.185.219.70,136.243.61.14,141.105.67.147,5.188.170.165,45.76.220.248,46.4.112.232,177.54.145.36,82.223.9.59,177.54.145.79,92.38.150.69,92.223.85.166,213.198.67.42,62.75.202.219,134.119.216.159,85.25.103.30,177.54.145.38,92.38.150.68,139.162.106.85,177.54.145.82,51.83.238.201,82.223.103.159,37.61.223.13,103.107.198.6,134.119.213.193,141.105.67.146,5.188.170.171,51.195.5.160,216.245.220.126,139.162.124.109,198.13.33.92,136.243.71.104,92.223.66.45,51.178.65.178,146.185.219.44,5.188.120.38,177.54.145.76,92.223.103.126,5.188.71.117,51.83.238.219,5.188.71.27,172.105.220.182,136.243.48.30,69.162.91.190,186.233.185.37,216.245.195.98,141.105.67.157,177.54.150.16,5.188.71.10,82.223.102.211,172.104.87.76,172.107.217.82,216.245.220.122,213.198.67.162,213.239.213.142,92.223.66.29,192.155.108.41,103.107.198.50,116.202.162.14,136.243.50.29,45.35.33.218,177.54.145.81,198.13.54.215,37.48.76.146,192.155.110.41,103.107.198.46,186.233.185.67,49.12.130.237,116.202.225.112,167.99.73.168,138.201.40.141,92.223.66.46,177.54.150.12,51.83.239.143,64.31.23.18,92.38.150.9,136.243.4.12,138.199.36.112,78.138.106.10,138.199.36.115,138.199.36.118,138.199.36.116,92.204.195.37,138.199.36.119,92.204.195.41,138.199.36.122,78.138.106.6,92.223.58.135,195.181.165.153,92.223.58.149,195.181.165.139,195.181.165.154,103.50.32.23,103.50.32.19

    I would be a little cautious with this list. It was created two years ago based on the methodology in the link. We have manually added some IPs to it over time and it works fine for us in the UK, but if you want a "perfect", up-to-date list, use the methodology described in the link I posted to get a full, up-to-date list.
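The two log lines in the original post show what is actually going on: the firewall log records rule 320 allowing the flow with no web, IPS or app policy, while the SSL/TLS inspection log records the same con_id matching TLS inspection rule 8 ("LAN-2-WAN", profile "Strict compliance") and failing with "unknown CA" because the served chain is signed by the AnyNet CA the firewall does not trust. TLS inspection rules are matched separately from the firewall rule, which is why turning web filtering off on rule 320 changed nothing and why the replies put a "Don't decrypt" rule in front of it. The following script is an added example (not Sophos code and not from anyone in this thread): it parses SFOS key="value" log lines, correlates DPI "unknown CA" errors with the firewall rule that allowed the flow by con_id, checks whether the served certificate carries the AnyNet fingerprint from the thread, and then reports destination IPs that are not yet in the exclusion list. It also reconstructs a pasted IP list that was wrapped mid-address, as the list above was. The log lines are abridged copies of the ones in the post with the masked source address replaced by 192.0.2.10, and the exclusion list is a small constructed subset; all of those are assumptions.

```python
"""
Correlate Sophos XG (SFOS) firewall and SSL/TLS inspection log lines and check
"unknown CA" destinations against a "Don't decrypt" IP list.
Added example for the thread; not Sophos code.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# SFOS log lines are sequences of key="value" pairs.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')

# SHA-1 fingerprint of the AnyNet Root CA as reported in the DPI log in the thread.
ANYNET_FINGERPRINT = "9e:08:d2:58:a9:02:cd:4f:e2:4a:26:b8:48:5c:43:0b:81:29:99:e3"

# Constructed sample input: abridged copies of the two log lines from the post,
# with the masked source IP replaced by a documentation address (assumption).
FIREWALL_LOG = (
    'messageid="00001" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" fw_rule_id="320" web_policy_id="0" '
    'ips_policy_id="0" appfilter_policy_id="0" app_name="Anydesk" '
    'src_ip="192.0.2.10" dst_ip="138.199.36.117" protocol="TCP" '
    'src_port="52930" dst_port="443" con_id="754337024" appresolvedby="EAC"'
)
DPI_LOG = (
    'messageid="19018" log_type="SSL" log_component="SSL" log_subtype="Error" '
    'src_ip="192.0.2.10" dst_ip="138.199.36.117" src_port="52930" dst_port="443" '
    'con_id="754337024" rule_id="8" rule_name="LAN-2-WAN" '
    'profile_name="Strict compliance" '
    'fingerprint="9e:08:d2:58:a9:02:cd:4f:e2:4a:26:b8:48:5c:43:0b:81:29:99:e3" '
    'cert_chain_served="TRUE" sni="138.199.36.117" tls_version="TLS1.2" '
    'reason="TLS handshake fatal alert: unknown CA(48)."'
)

# Constructed exclusion list: a few entries from the reply above, pasted with a
# line wrap in the middle of 167.99.76.132, a duplicate and a bad token.
SAMPLE_EXCLUSION = (
    "138.199.36.112,78.138.106.10,138.199.36.115,\n"
    "138.199.36.118,167.\n99.76.132,138.199.36.112,not-an-ip,"
)


def parse_sfos_line(line: str) -> Dict[str, str]:
    """Turn one SFOS key="value" log line into a dict (timestamp/column prefix is ignored)."""
    return dict(_KV_RE.findall(line))


def parse_ip_list(raw: str) -> List[ipaddress.IPv4Address]:
    """Parse a comma-separated IP list as pasted from the firewall GUI.

    Line breaks are removed first so an address wrapped across lines is rejoined;
    malformed tokens are dropped and duplicates removed, preserving order.
    """
    seen = set()
    result = []
    for token in raw.replace("\n", "").replace("\r", "").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            ip = ipaddress.IPv4Address(token)
        except ipaddress.AddressValueError:
            continue  # garbled or non-IP entry, skip it
        if ip not in seen:
            seen.add(ip)
            result.append(ip)
    return result


def unknown_ca_flows(dpi_lines: Iterable[str], fw_lines: Iterable[str]) -> List[Dict[str, object]]:
    """Join DPI 'unknown CA' errors with the firewall rule that allowed the same con_id."""
    fw_by_con = {}
    for rec in map(parse_sfos_line, fw_lines):
        if "con_id" in rec:
            fw_by_con[rec["con_id"]] = rec
    flows = []
    for rec in map(parse_sfos_line, dpi_lines):
        if "unknown CA" not in rec.get("reason", ""):
            continue
        fw = fw_by_con.get(rec.get("con_id"), {})
        flows.append({
            "con_id": rec.get("con_id"),
            "dst_ip": rec.get("dst_ip"),
            "tls_rule": rec.get("rule_name"),
            "fw_rule_id": fw.get("fw_rule_id"),
            "app_name": fw.get("app_name"),
            "anynet_ca": rec.get("fingerprint") == ANYNET_FINGERPRINT,
        })
    return flows


def missing_from_exclusion(flows: List[Dict[str, object]],
                           exclusion: Iterable[ipaddress.IPv4Address]) -> List[str]:
    """Destinations that failed with 'unknown CA' but are not in the Don't-decrypt list."""
    excluded = set(exclusion)
    return sorted({str(f["dst_ip"]) for f in flows
                   if ipaddress.IPv4Address(str(f["dst_ip"])) not in excluded})


if __name__ == "__main__":
    flows = unknown_ca_flows([DPI_LOG], [FIREWALL_LOG])
    exclusion = parse_ip_list(SAMPLE_EXCLUSION)
    for f in flows:
        print(f"con_id={f['con_id']} dst={f['dst_ip']} fw_rule={f['fw_rule_id']} "
              f"tls_rule={f['tls_rule']} app={f['app_name']} anynet={f['anynet_ca']}")
    print("not yet excluded:", missing_from_exclusion(flows, exclusion))
```

Run against the full list posted in the reply, the check reports 138.199.36.117 as not excluded: the relay the original poster's client connected to is absent from that list even though several of its neighbours (138.199.36.112, .115, .116, .118, .119, .122) are present, which is exactly the staleness the reply warns about. Matching on the fingerprint rather than on the "unknown CA" text alone keeps the report specific to the AnyNet CA, so a genuinely untrusted certificate on some other destination does not get swept into the exclusion list by mistake.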