
IPS updates - old issues returning

Hi folks,

Over the last week or so, I have noticed previously fixed issues, with applications being incorrectly classified, returning in my daily reports.

Manual proxy surfing and Thunder VPN.

Why are these previously resolved issues appearing? Does anyone at Sophos check to ensure they are not releasing faulty update patterns?

Ian



  • Hi rfcat_vk,

    Thank you for the feedback. Would it be possible to get more information so that we can check this issue further?

    1. Specific issues encountered

    2. The previous firmware version of the occurrence (if known)

    3. The current firmware version encountered

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi Erick,

    My XG is currently running v19.0.1 mr-1 and has been up for over 20 days.

    The specific issue is the misclassification of Thunder VPN and Manual Proxy Surfing.

    The issue reappeared a couple of days ago.

    I am unable to identify when the issue was reported and fixed; my records do not go back that far, and searching the forums for posts on the subject does not turn up any results.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi rfcat_vk,

    Thank you for the information.

    Would it be possible to request a tcpdump capture saved as a pcap, and a screenshot of the Log Viewer Application Filter?

    This will be sent to Sophos Labs for further analysis.

    # tcpdump -ni any host x.x.x.x and host x.x.x.x -b -w /tmp/application.pcap -s0

    The two x.x.x.x values would be the IP of the computer making the request and the public IP of the destination.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • The easy bits first, then set up the capture.

    Application logviewer

    Web logviewer

    Ian


  • Hi rfcat_vk,

    Thank you for this.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • We notice that also: Apple devices on port 80 accessing some Apple IPs (17.0.0.0 range).

    protocol="TCP" src_port="59532" dst_port="80" bytes_sent="153" bytes_received="0" domain="proxy-safebrowsing.googleapis.com" exception="" activity_name="" reason="Connect tunnel" user_agent="" status_code="0" transaction_id="7a86337c-a7f6-4e4e-95f7-975fb588a487" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="1215971328" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

    Some details about the safe browsing mechanism used by Apple are here. So in this case, it is indeed some kind of proxy.

    https://twitter.com/othermaciej/status/1359736220809531393
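The log line quoted above is in the Sophos web filter key="value" format, and the point of the thread is whether tunnelled connections are being attributed to the right application after an IPS pattern update. As an added example that is not part of this thread or of any Sophos tool, the following parser reads such lines and picks out CONNECT-tunnel entries that carry no app_name, plus a per-application count that can be compared across daily reports. The sample lines are constructed (ports, IDs and domains other than the one quoted above are made up), and the field names are only those visible in the quoted log line.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines in the key="value" format quoted in the thread.
# transaction_id and con_id values are made-up placeholders.
SAMPLE_LOG_LINES = [
    'protocol="TCP" src_port="59532" dst_port="80" bytes_sent="153" bytes_received="0" '
    'domain="proxy-safebrowsing.googleapis.com" exception="" activity_name="" '
    'reason="Connect tunnel" user_agent="" status_code="0" '
    'transaction_id="00000000-0000-0000-0000-000000000001" referer="" con_id="1" '
    'app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"',
    'protocol="TCP" src_port="51000" dst_port="443" bytes_sent="1200" bytes_received="4800" '
    'domain="www.example.com" exception="" activity_name="" reason="" '
    'user_agent="Mozilla/5.0 (constructed)" status_code="200" '
    'transaction_id="00000000-0000-0000-0000-000000000002" referer="" con_id="2" '
    'app_name="General Browsing" app_is_cloud="0" override_name="" override_authorizer="" '
    'used_quota="0"',
    'protocol="TCP" src_port="51001" dst_port="8080" bytes_sent="300" bytes_received="0" '
    'domain="" exception="" activity_name="" reason="Connect tunnel" user_agent="" '
    'status_code="0" transaction_id="00000000-0000-0000-0000-000000000003" referer="" '
    'con_id="3" app_name="Manual Proxy Surfing" app_is_cloud="0" override_name="" '
    'override_authorizer="" used_quota="0"',
]

# key="value" pairs; the value may contain spaces or backslash-escaped quotes.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key="value" log line into a dict. Empty values are kept as ''."""
    return {key: value for key, value in KV_RE.findall(line)}


def unclassified_tunnels(lines: List[str]) -> List[Dict[str, str]]:
    """Return records that are CONNECT tunnels the engine did not attribute to any app.

    These are the entries worth reviewing after a pattern update: the firewall saw a
    tunnel (reason="Connect tunnel") but left app_name empty, so the traffic shows up
    under a generic proxy/tunnel bucket rather than a named application.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("reason") == "Connect tunnel" and rec.get("app_name", "") == "":
            hits.append(rec)
    return hits


def app_name_counts(lines: List[str]) -> Dict[str, int]:
    """Count records per app_name; '' means the engine assigned no application.

    Running this over yesterday's and today's export makes a classification change
    (an app suddenly moving into or out of '') visible as a shift in the counts.
    """
    return dict(Counter(parse_line(line).get("app_name", "") for line in lines))


if __name__ == "__main__":
    for rec in unclassified_tunnels(SAMPLE_LOG_LINES):
        print(f'unclassified tunnel: domain={rec["domain"]!r} dst_port={rec["dst_port"]}')
    print("per-app counts:", app_name_counts(SAMPLE_LOG_LINES))
```

The regex keeps empty fields, which matters here: the interesting signal is an empty app_name next to a non-empty reason, and a parser that dropped blank values would hide it.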

  • Thank you for adding information.

    It is not the access that I am trying to get fixed; it is the incorrect classification returning. Yes, some of it is to an Apple website, but the logs are, in my opinion, showing it incorrectly after I spent time and effort getting the issue resolved previously.

    There wasn't an issue a couple of weeks ago, so what was changed to an older version in a recent IPS update?

    Ian


  • Appears to have been fixed, because there are no entries in today's report. Only time will tell.

    Ian

    Update: this morning's investigation of Log Viewer shows 'manual proxy surfing' has its own category, which I created. Whereas before it was categorised as Proxy and Tunnel, it is now classed by XG as Proxy and Tunnel in technology Client Server. Searching Log Viewer, neither Application nor Web displays any traffic for Client Server or Proxy and Tunnel.


  • Hi rfcat_vk,

    Thank you for the update. Kindly inform us if you encounter any further issues so we can take proper action. Thank you.

    Erick Jan
    Community Support Engineer | Sophos Technical Support