v19.0.1 - Drop & log Rule allows traffic 80/443/3128

During a log investigation, we discovered a leak in the firewall policies.

If you set a rule that simply does a complete drop & log from a source to the WAN zone, traffic with destination ports 80/443 will be allowed. So the traffic flows to the integrated proxy and is processed. It translates the traffic to port 3128 (seen in the web filter logs) while it uses web rule ID 2 (deny all).

So the blocked computers are able to access websites from the exception tab (especially M365 OneDrive & Co. could be critical for T0 servers).

Recommendations for MS especially include exceptions for all HTTPS dec/cert val/malware/zero-day/policy checks.

Does anyone have a solution for this? It seems to be a design thing.

  • See: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/LogViewer/Logsbehavior/index.html

    There is no fix. Essentially it is a behavior to help users better understand the drop.

    Because a drop will lead to an unwanted browser drop. A drop by the proxy results in UI feedback.


  • Hmm... @LuCar Toni - do you think this is a good solution? I understand the idea of giving feedback to the users, but I'll do it inside a web rule. Everything else has no connection - a simple drop.

    My identified risks are:

    1. All computers behind a drop rule can access all exceptions - in the current case, M365 communication can cause serious damage to isolated devices. As we know, Microsoft telemetry servers can be used for relaying botnet traffic, and malware could be downloaded via OneDrive - and the firewall is completely blind.

    2. In the case of a drop rule at the end of a guest policy set with some exceptions for internal servers, users from the guest network can access internal resources - this might bridge insecure zones in the network.

    I think this concept enables devices to get access to disallowed resources and breaches the security of the firewall.

    I do not know of any other vendor where a DROP is not a DROP, so this might also be a security risk for a lot of customers?

  • If you see any kind of problems in this design, you can use Reject instead of drop.

    As far as I know, Deny all in this kind of design does not give you access to exceptions. Can you link a rule which allows this via an exception in the log viewer? Simply look into the web proxy and check for a firewall rule with deny all which allows the traffic.

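One way to do the check suggested above (look in the web proxy log for a deny-all firewall rule that still allows traffic), as an added example that is not from this thread or from Sophos: the script parses constructed web filter log lines (the key=value layout, the field names and the rule IDs are assumptions, not the real Sophos Firewall log format) and reports entries where the matching firewall rule is a configured drop rule yet the proxy allowed the request, i.e. the exception-list leak described in the thread.

```python
import re
from collections import Counter

# Constructed sample web filter (proxy) log lines. The key=value layout and
# field names are assumed for this example, not the real Sophos log format.
WEB_LOG = """\
log_component="Web Filter" fw_rule_id=7 web_rule_id=2 status=Allowed src_ip=10.0.5.20 dst_ip=52.96.0.10 dst_port=3128 url="https://onedrive.live.com/" reason=Exception
log_component="Web Filter" fw_rule_id=7 web_rule_id=2 status=Denied src_ip=10.0.5.20 dst_ip=93.184.216.34 dst_port=3128 url="https://example.com/" http_status=502
log_component="Web Filter" fw_rule_id=3 web_rule_id=5 status=Allowed src_ip=10.0.6.40 dst_ip=52.96.0.10 dst_port=3128 url="https://onedrive.live.com/"
log_component="Web Filter" fw_rule_id=7 web_rule_id=2 status=Allowed src_ip=10.0.5.21 dst_ip=40.126.0.5 dst_port=3128 url="https://login.microsoftonline.com/" reason=Exception
"""

# Firewall rule IDs configured as plain "Drop & log" (assumed value for the example).
DROP_RULE_IDS = {7}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_proxy_leaks(web_log, drop_rule_ids):
    """Return (src_ip, url, reason) for proxy entries that were allowed although
    the firewall rule they matched is a drop rule. Denied entries are the
    expected outcome (the 502 block page); Allowed ones are the leak."""
    leaks = []
    for line in web_log.splitlines():
        rec = parse_kv(line)
        if not rec:
            continue
        if int(rec.get("fw_rule_id", -1)) not in drop_rule_ids:
            continue
        if rec.get("status") != "Allowed":
            continue
        leaks.append((rec["src_ip"], rec["url"], rec.get("reason", "")))
    return leaks


def leaks_per_source(leaks):
    """Count how many allowed-through-drop-rule requests each source host made."""
    return Counter(src for src, _, _ in leaks)


if __name__ == "__main__":
    found = find_proxy_leaks(WEB_LOG, DROP_RULE_IDS)
    for src, url, reason in found:
        print(f"LEAK src={src} url={url} reason={reason or '-'}")
    print(dict(leaks_per_source(found)))
```

Feed it exported proxy log lines in the same key=value shape and the sources it lists are the hosts behind a drop rule that still reached exception destinations.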

  • The confusing part is the double allow.

    The secret seems to be the "502" reply, which means Bad Gateway -> a block page is shown.

  • Yes, for exception traffic this is a double block in this sense. It is a UX feature for users to better integrate with those blocks.

    And as mentioned - if you use Reject, you will get the actual behavior of "Browser cannot connect to the internet - is the cable plugged in?"
