Battle.net Client Can't Download Updates

Hi. My battle.net client (Blizzard games like WoW, StarCraft, etc...) cannot update if HTTP scanning is turned on. It works if I disable HTTP scanning in the web filter. I do not have HTTPS scanning turned on. I have tried bypassing these sites from getting scanned and it still does not work. Here's a great list of regex exceptions from UTM 9 that don't seem to work with XG Firewall.

https://community.sophos.com/products/unified-threat-management/f/55/p/45070/161552

  • Hi Timothy,

    Greetings.

    Can you check if you get any dropped packets while accessing these websites?

    Log in to XG through SSH, go to option 4 (Device Console) and type:

    console> drop-packet-capture 'host x.x.x.x'

    Monitor the logs and if you have any further questions please post them here.

    Thanks

    Sachin Gurung

  • This is the only odd drop I see.

    IP owned by Blizzard Ent.: 24.105.29.23


    2016-04-19 19:06:43 0102021 IP 192.168.0.150.7874 > 24.105.29.23.80 : proto TCP: F 3345749702:3345749702(0) win 253 checksum : 61253
    0x0000: 4500 0028 29f4 0000 8006 1a1e c0a8 0096 E..()...........
    0x0010: 1869 1d17 1ec2 0050 c76c 16c6 e374 e818 .i.....P.l...t..
    0x0020: 5011 00fd ef45 0000 P....E..
    Date=2016-04-19 Time=19:06:43 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev= inzone_id=0 outzone_id=0 source_mac=******* dest_mac=******* l3_protocol=IP source_ip=192.168.0.150 dest_ip=24.105.29.23 l4_protocol=TCP source_port=7874 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=4049079546425638912 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    This is the policy that has HTTP scanning enabled along with the exception regex from above. I also have an exception for all direct IP. My question is, does the regex above even work? Are the regex exceptions in the right place to exclude scanning even though I am not scanning https? This seems like it is harder than it should be. I just want to wildcard domains and even IPs that should bypass AV scanning.
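Added example, not part of the thread: a small parser for the drop-packet-capture output posted above. The capture summary line, the hex dump and the key=value log line are copied from the post (the log line trimmed to the fields the code uses); the hex dump is decoded to recover the real TCP flags, since the summary only prints "F". The reading of an Invalid_Traffic / fw_rule_id=0 entry as a state-table drop (a FIN for a connection the firewall is no longer tracking, so no rule is consulted at all) is this example's own interpretation, not something the thread establishes.

```python
import re

# Copied from the thread. LOG_LINE is trimmed to the fields used below.
CAPTURE_LINE = (
    "2016-04-19 19:06:43 0102021 IP 192.168.0.150.7874 > 24.105.29.23.80 : "
    "proto TCP: F 3345749702:3345749702(0) win 253 checksum : 61253"
)
HEXDUMP = """\
0x0000: 4500 0028 29f4 0000 8006 1a1e c0a8 0096 E..()...........
0x0010: 1869 1d17 1ec2 0050 c76c 16c6 e374 e818 .i.....P.l...t..
0x0020: 5011 00fd ef45 0000 P....E.."""
LOG_LINE = (
    "Date=2016-04-19 Time=19:06:43 log_id=0102021 log_type=Firewall "
    "log_component=Invalid_Traffic log_subtype=Denied log_priority=Alert "
    "in_dev=PortA out_dev= source_ip=192.168.0.150 dest_ip=24.105.29.23 "
    "l4_protocol=TCP source_port=7874 dest_port=80 fw_rule_id=0 policytype=0 "
    "web_filter_id=0 connid=0"
)

CAPTURE_RE = re.compile(
    r"^\S+ \S+ \d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+) : proto (?P<proto>\w+): (?P<flags>[SFRPAU.]+) "
)
HEX_WORD = re.compile(r"^[0-9a-f]{2,4}$")
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_kv(line):
    """Split an XG key=value log line into a dict; empty values (out_dev=) are kept."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_capture(line):
    """Pull endpoints, protocol and the tcpdump-style flag letters from the summary line."""
    m = CAPTURE_RE.match(line)
    if not m:
        raise ValueError("unrecognised capture line: %r" % line)
    d = m.groupdict()
    d["flags"] = set(d["flags"])  # letters S F R P U; '.' means ACK only
    return d


def hexdump_bytes(dump):
    """Reassemble the packet bytes from the offset/hex/ASCII dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:]:  # drop the 0x0000: offset column
            if not HEX_WORD.match(tok):
                break  # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def tcp_flags(dump):
    """Decode the TCP flags byte: IPv4 IHL gives the TCP header offset, flags sit at +13."""
    pkt = hexdump_bytes(dump)
    ihl = (pkt[0] & 0x0F) * 4
    flags = pkt[ihl + 13]
    return {name for name, bit in FLAG_BITS.items() if flags & bit}


def classify_drop(capture, log, flags):
    """Explain a Denied entry. Interpretation is this example's own (see lead-in)."""
    if log.get("log_component") != "Invalid_Traffic":
        return "rule drop: see fw_rule_id=%s" % log.get("fw_rule_id")
    if "SYN" not in flags:
        return (
            "state-table drop: %s packet from %s:%s to %s:%s with no tracked "
            "connection (connid=%s); a rule is only matched for the first packet "
            "of a flow, so fw_rule_id=0 is expected here"
            % ("+".join(sorted(flags)), capture["src"], capture["sport"],
               capture["dst"], capture["dport"], log.get("connid"))
        )
    return "state-table drop on a SYN: look for an asymmetric route or a duplicate flow"


if __name__ == "__main__":
    cap = parse_capture(CAPTURE_LINE)
    flags = tcp_flags(HEXDUMP)
    print(sorted(flags))
    print(classify_drop(cap, parse_kv(LOG_LINE), flags))
```

The summary line shows only "F", but byte 0x11 at the TCP flags offset in the dump is FIN+ACK, so the packet is the client's normal close of a session the firewall has already forgotten; that is consistent with a drop after the proxy tore the flow down rather than with a missing rule.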

  • Hi,

    Looking at the log line "log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied", the Firewall was not able to find a Firewall Rule to forward the traffic. "fw_rule_id=0 policytype=0" states that no Firewall Rule is present to route the request; otherwise fw_rule_id would always have a numeric value other than 0.

    Can you provide a screenshot of the Firewall Rule configured to forward traffic to the internet for this particular source host?

    I also suggest you create a new Firewall Rule with Source as the system IP address 192.168.0.150.

    Thanks

    Sachin Gurung

  • This is the rule that has antivirus scanning enabled. If I disable scanning the client can download updates. I shouldn't need to forward this traffic to this client specifically.

  • Hi Timothy,

    I can see that IPS is applied inside the Firewall Rule. Can you check the IPS logs by navigating through the options:

    • System
    • Diagnostics
    • Log Viewer
    • View logs for - IPS

    I also request you to keep the IPS as None and monitor.

    Thanks

    Sachin Gurung

  • Same. Did not help. I disabled the IPS Rule altogether and this IP does not appear in the IPS denied log. Only a few blocked ICMP requests.

    Here is the packet:

    2016-04-20 11:00:00 0102021 IP 192.168.0.150.53656 > 24.105.29.23.80 : proto TCP: F 1715507712:1715507712(0) win 255 checksum : 8833
    0x0000: 4500 0028 388e 0000 8006 0b84 c0a8 0096 E..(8...........
    0x0010: 1869 1d17 d198 0050 6640 9200 91fa 3971 .i.....Pf@....9q
    0x0020: 5011 00ff 2281 0000 P..."...
    Date=2016-04-20 Time=11:00:00 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=PortA out_dev= inzone_id=0 outzone_id=0 source_mac=******* dest_mac=********* l3_protocol=IP source_ip=192.168.0.150 dest_ip=24.105.29.23 l4_protocol=TCP source_port=53656 dest_port=80 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3546366122783670272 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    Here is a screenshot of the updated rule.

    Again, this works if I disable HTTP AV scanning. The regex for bypassing URLs does not seem to work.

  • Hi Timothy,

    OK, now that is strange. What I suspect is that the HTTP proxy service is stuck. Please navigate through

    • System
    • Diagnostics
    • Services
    • Web Proxy - Restart.

    This will restart the httpproxy service in XG.

    Let me know if that helps!

    Thanks

    Sachin Gurung

  • Did not help. I have rebooted it too. Turning off AV scanning for HTTP is the only thing that helps. Can you please confirm that regex exceptions work? Look at my very first post.

  • I am convinced regex exceptions are not working.

    I have 3 exception rules (to cover all bases) for this IP, all set to bypass HTTP scanning:

    ^https?://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*

    [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*

    24.105.29.23

    Then I turned on packet capture:

    Flush buffer: On, BPF: host 24.105.29.23 and port 80

    And there it is, getting consumed by Rule ID 1, which is the policy above. It only has HTTP scanning turned on, which, according to my regex exceptions, should bypass the scanner.

    To me this sounds like either regex exceptions are broken for direct IP connections, broken in general, or I am doing something wrong. The only workaround so far is just disabling HTTP scanning, which I do not want to do.
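Added example, not part of the thread: the three exception patterns exactly as posted, run against constructed sample URLs under the four matching modes an exception engine might plausibly use (anchored at the start or searched anywhere; applied to the full URL or to the host only). The thread does not say which mode XG uses, and Python's `re` is only standing in for it, so the point is the sensitivity of the posted patterns to that choice, not a claim about XG's engine. The tightened patterns at the end (an anchored, escaped IP pattern and a `battle.net` wildcard) are this example's own suggestion.

```python
import re
from urllib.parse import urlsplit

# The three exception patterns exactly as posted above.
POSTED_PATTERNS = {
    "scheme_ip": r"^https?://[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*",
    "bare_ip": r"[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*",
    "literal": r"24.105.29.23",
}

# Constructed sample URLs (assumed for this example; only the IP comes from the thread).
URLS = [
    "http://24.105.29.23/update/manifest",
    "http://24.105.29.23:1119/data",
    "https://24.105.29.23/",
    "http://example.com/path",
    "http://24x105x29x23.example.com/",  # unescaped dots in "24.105.29.23" also match this
]


def matches(pattern, text, anchored):
    """Anchored: pattern must match from the start (re.match); otherwise anywhere (re.search)."""
    fn = re.match if anchored else re.search
    return fn(pattern, text) is not None


def evaluate(pattern, url):
    """Which of the four plausible matching modes would exempt this URL."""
    host = urlsplit(url).hostname or ""
    return {
        "url_anchored": matches(pattern, url, True),
        "url_search": matches(pattern, url, False),
        "host_anchored": matches(pattern, host, True),
        "host_search": matches(pattern, host, False),
    }


def report(patterns=POSTED_PATTERNS, urls=URLS):
    """Table of (pattern name, url) -> mode results, for eyeballing where a pattern misses."""
    return {(name, url): evaluate(pat, url) for name, pat in patterns.items() for url in urls}


# Tightened patterns: anchored, dots escaped, octets bounded, optional port, host must end.
TIGHT_IP = r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/|$)"
TIGHT_BATTLENET = r"^https?://(?:[a-z0-9-]+\.)*battle\.net(?::\d+)?(?:/|$)"


def exempt(url, patterns=(TIGHT_IP, TIGHT_BATTLENET)):
    """True if the URL should bypass scanning under the tightened patterns."""
    return any(re.match(p, url, re.IGNORECASE) for p in patterns)


if __name__ == "__main__":
    for (name, url), modes in report().items():
        hits = [m for m, ok in modes.items() if ok]
        print("%-9s %-40s %s" % (name, url, ", ".join(hits) or "no match"))
    for url in URLS + ["http://us.battle.net/", "http://battle.net.example.com/"]:
        print("exempt" if exempt(url) else "scan  ", url)
```

Two things fall out of the table. The `bare_ip` and `literal` patterns only exempt the IP URLs when the engine searches rather than anchors, or when it matches on the host alone; if XG anchors against the full URL, only the first pattern can ever fire. And because `[0-9]*` allows zero digits, `bare_ip` also matches three consecutive dots, while the unescaped `literal` matches `24x105x29x23`; the tightened forms avoid both.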

  • Any updates?  Do regex exceptions work for HTTP scanning rules for anyone?

  • I have exactly the same problem with Origin client. It does not want to download any updates with HTTP/HTTPS scanning enabled. Bypass rules do not seem to do anything in this case.