Application Filter blocks all the Internet traffic in XG-135

Hi,

When I select the pre-defined categories in Application Filter (while creating my custom App filter) and apply it in policies, it blocks all the traffic. Even though I select the Gaming category only and apply it in policies, the internet is blocked (PING stops working too).

In the policies created by me, the web filter is working fine. Request someone to help on this issue.

Thanks,

Kumar



  • Hi Kumar,

    Welcome to Sophos Community.

    Let me know if unchecking the micro-app scanning helped. Also, what do the packet capture logs reflect?

    Thanks

  • Hi,

    I unchecked the micro-app, but it was of no use...

    When I apply my custom app filter rule in the policies, the packet capture log reflects the incoming traffic from our public IP --> to the destination IP (192.168.8.1).

    Status - Generated

    Please suggest.

    Thanks,

    Kumar

  • Hi Kumar,

    Can you post a screenshot of the configuration and an inside look at the configured policy? I would like to know on which firewall rule you defined the app policy.

    Also, check what you catch in the drop-packet-capture when the app policy is applied and the internet stops.

    Thanks

  • I have moved this policy to the top at present.

    The log in the screenshot below is from when policy ID-1 was not at the top.

    Please find the screenshots as required. I am using the app filter in the first policy (ID-1). With the app filter applied, please find above the screenshot of the drop-packet-capture from one of the hosts. Also, please find the detailed drop-packet-capture log below:

    When I moved policy ID-1 to the top, the log given below was generated:

    Sophos Firmware Version SFOS 15.01.0 MR-3

    console> drop-packet-capture 'host 192.168.1.76'
    2016-08-31 14:26:09 0103021 IP 192.168.1.76.17500 > 255.255.255.255.17500 : proto UDP: packet len: 151 checksum : 54103
    0x0000:  4500 00ab 3b67 0000 8011 3ce7 c0a8 014c  E...;g....<....L
    0x0010:  ffff ffff 445c 445c 0097 d357 7b22 686f  ....D\D\...W{"ho
    0x0020:  7374 5f69 6e74 223a 2032 3233 3238 3830  st_int":.2232880
    0x0030:  3339 3033 3532 3433 3735 3136 3538 3930  3903524375165890
    0x0040:  3838 3938 3331 3937 3036 3535 3131 3837  8898319706551187
    0x0050:  2c20 2276 6572 7369 6f6e 223a 205b 322c  ,."version":.[2,
    0x0060:  2030 5d2c 2022 6469 7370 6c61 796e 616d  .0],."displaynam
    0x0070:  6522 3a20 2222 2c20 2270 6f72 7422 3a20  e":."",."port":.
    0x0080:  3137 3530 302c 2022 6e61 6d65 7370 6163  17500,."namespac
    0x0090:  6573 223a 205b 3439 3939 3635 3634 382c  es":.[499965648,
    0x00a0:  2038 3537 3335 3938 365d 7d              .85735986]}
    Date=2016-08-31 Time=14:26:09 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=4 source_mac=dc:53:60:c7:b5:aa dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.76 dest_ip=255.255.255.255 l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=1560433120 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2016-08-31 14:26:09 0103021 IP 192.168.1.76.17500 > 192.168.1.255.17500 : proto UDP: packet len: 151 checksum : 4272
    0x0000:  4500 00ab 58c9 0000 8011 5cdd c0a8 014c  E...X.....\....L
    0x0010:  c0a8 01ff 445c 445c 0097 10b0 7b22 686f  ....D\D\....{"ho
    0x0020:  7374 5f69 6e74 223a 2032 3233 3238 3830  st_int":.2232880
    0x0030:  3339 3033 3532 3433 3735 3136 3538 3930  3903524375165890
    0x0040:  3838 3938 3331 3937 3036 3535 3131 3837  8898319706551187
    0x0050:  2c20 2276 6572 7369 6f6e 223a 205b 322c  ,."version":.[2,
    0x0060:  2030 5d2c 2022 6469 7370 6c61 796e 616d  .0],."displaynam
    0x0070:  6522 3a20 2222 2c20 2270 6f72 7422 3a20  e":."",."port":.
    0x0080:  3137 3530 302c 2022 6e61 6d65 7370 6163  17500,."namespac
    0x0090:  6573 223a 205b 3439 3939 3635 3634 382c  es":.[499965648,
    0x00a0:  2038 3537 3335 3938 365d 7d              .85735986]}
    Date=2016-08-31 Time=14:26:09 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=4 source_mac=dc:53:60:c7:b5:aa dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.76 dest_ip=192.168.1.255 l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=7147837350284886016 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=1560433120 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2016-08-31 14:26:09 0103021 IP 192.168.1.76.17500 > 255.255.255.255.17500 : proto UDP: packet len: 151 checksum : 54103
    0x0000:  4500 00ab 3b68 0000 8011 3ce6 c0a8 014c  E...;h....<....L
    0x0010:  ffff ffff 445c 445c 0097 d357 7b22 686f  ....D\D\...W{"ho
    0x0020:  7374 5f69 6e74 223a 2032 3233 3238 3830  st_int":.2232880
    0x0030:  3339 3033 3532 3433 3735 3136 3538 3930  3903524375165890
    0x0040:  3838 3938 3331 3937 3036 3535 3131 3837  8898319706551187
    0x0050:  2c20 2276 6572 7369 6f6e 223a 205b 322c  ,."version":.[2,
    0x0060:  2030 5d2c 2022 6469 7370 6c61 796e 616d  .0],."displaynam
    0x0070:  6522 3a20 2222 2c20 2270 6f72 7422 3a20  e":."",."port":.
    0x0080:  3137 3530 302c 2022 6e61 6d65 7370 6163  17500,."namespac
    0x0090:  6573 223a 205b 3439 3939 3635 3634 382c  es":.[499965648,
    0x00a0:  2038 3537 3335 3938 365d 7d              .85735986]}
    Date=2016-08-31 Time=14:26:09 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=4 source_mac=dc:53:60:c7:b5:aa dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.76 dest_ip=255.255.255.255 l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=7147837350284886016 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=1560433120 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2016-08-31 14:26:39 0102021 IP 192.168.1.76.59281 > 119.2.100.249.443 : proto TCP:  1917299129:1917299130(1) ack 612951298 win 255 checksum : 524
    0x0000:  4500 0029 748f 4000 8006 e84f c0a8 014c  E..)t.@....O...L
    0x0010:  7702 64f9 e791 01bb 7247 a9b9 2488 e502  w.d.....rG..$...
    0x0020:  5010 00ff 020c 0000 000c e3b6 5ded       P...........].
    Date=2016-08-31 Time=14:26:39 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_mac=dc:53:60:c7:b5:aa dest_mac=00:1a:8c:4b:b5:28 l3_protocol=IP source_ip=192.168.1.76 dest_ip=119.2.100.249 l4_protocol=TCP source_port=59281 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3616449208686477312 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2016-08-31 14:26:40 0103021 IP 192.168.1.76.17500 > 255.255.255.255.17500 : proto UDP: packet len: 151 checksum : 54103
    0x0000:  4500 00ab 3b69 0000 8011 3ce5 c0a8 014c  E...;i....<....L
    0x0010:  ffff ffff 445c 445c 0097 d357 7b22 686f  ....D\D\...W{"ho
    0x0020:  7374 5f69 6e74 223a 2032 3233 3238 3830  st_int":.2232880
    0x0030:  3339 3033 3532 3433 3735 3136 3538 3930  3903524375165890
    0x0040:  3838 3938 3331 3937 3036 3535 3131 3837  8898319706551187
    0x0050:  2c20 2276 6572 7369 6f6e 223a 205b 322c  ,."version":.[2,
    0x0060:  2030 5d2c 2022 6469 7370 6c61 796e 616d  .0],."displaynam
    0x0070:  6522 3a20 2222 2c20 2270 6f72 7422 3a20  e":."",."port":.
    0x0080:  3137 3530 302c 2022 6e61 6d65 7370 6163  17500,."namespac
    0x0090:  6573 223a 205b 3439 3939 3635 3634 382c  es":.[499965648,
    0x00a0:  2038 3537 3335 3938 365d 7d              .85735986]}
    Date=2016-08-31 Time=14:26:40 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=4 source_mac=dc:53:60:c7:b5:aa dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.76 dest_ip=255.255.255.255 l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=7147837350284886016 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=3505600192 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2016-08-31 14:26:40 0103021 IP 192.168.1.76.17500 > 192.168.1.255.17500 : proto UDP: packet len: 151 checksum : 4272
    0x0000:  4500 00ab 5907 0000 8011 5c9f c0a8 014c  E...Y.....\....L
    0x0010:  c0a8 01ff 445c 445c 0097 10b0 7b22 686f  ....D\D\....{"ho
    0x0020:  7374 5f69 6e74 223a 2032 3233 3238 3830  st_int":.2232880
    0x0030:  3339 3033 3532 3433 3735 3136 3538 3930  3903524375165890
    0x0040:  3838 3938 3331 3937 3036 3535 3131 3837  8898319706551187
    0x0050:  2c20 2276 6572 7369 6f6e 223a 205b 322c  ,."version":.[2,
    0x0060:  2030 5d2c 2022 6469 7370 6c61 796e 616d  .0],."displaynam
    0x0070:  6522 3a20 2222 2c20 2270 6f72 7422 3a20  e":."",."port":.
    0x0080:  3137 3530 302c 2022 6e61 6d65 7370 6163  17500,."namespac
    0x0090:  6573 223a 205b 3439 3939 3635 3634 382c  es":.[499965648,
    0x00a0:  2038 3537 3335 3938 365d 7d              .85735986]}
    Date=2016-08-31 Time=14:26:40 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=4 source_mac=dc:53:60:c7:b5:aa dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.76 dest_ip=192.168.1.255 l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=7147837350284886016 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=3505600192 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2016-08-31 14:26:40 0103021 IP 192.168.1.76.17500 > 255.255.255.255.17500 : proto UDP: packet len: 151 checksum : 54103
    0x0000:  4500 00ab 3b6a 0000 8011 3ce4 c0a8 014c  E...;j....<....L
    0x0010:  ffff ffff 445c 445c 0097 d357 7b22 686f  ....D\D\...W{"ho
    0x0020:  7374 5f69 6e74 223a 2032 3233 3238 3830  st_int":.2232880
    0x0030:  3339 3033 3532 3433 3735 3136 3538 3930  3903524375165890
    0x0040:  3838 3938 3331 3937 3036 3535 3131 3837  8898319706551187
    0x0050:  2c20 2276 6572 7369 6f6e 223a 205b 322c  ,."version":.[2,
    0x0060:  2030 5d2c 2022 6469 7370 6c61 796e 616d  .0],."displaynam
    0x0070:  6522 3a20 2222 2c20 2270 6f72 7422 3a20  e":."",."port":.
    0x0080:  3137 3530 302c 2022 6e61 6d65 7370 6163  17500,."namespac
    0x0090:  6573 223a 205b 3439 3939 3635 3634 382c  es":.[499965648,
    0x00a0:  2038 3537 3335 3938 365d 7d              .85735986]}
    Date=2016-08-31 Time=14:26:40 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=4 source_mac=dc:53:60:c7:b5:aa dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.76 dest_ip=255.255.255.255 l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=7147837350284886016 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=3505600192 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    Please suggest.

    Thanks,

    Kumar

  • Hi,

    What is the default action in the application policy? It should be Allow. Next, in the drop-packet-capture logs the reason for the drop is local_acl and invalid traffic, which means that a firewall rule is not configured to route the traffic or it is disabled from the firewall itself. Go to System > Administration > Device Access and check that HTTP, HTTPS and Ping services are selected there for LAN and WAN.

    Is there a traffic shaping policy defined for Applications? If yes, please show us a screenshot. If there is no explicit Application traffic shaping policy, then uncheck the application traffic shaping option in the Firewall Rule, to the right of the Application Filter tab.

    Finally, navigate to System > Diagnostic > Services and restart IPS & Web Proxy.

    Thanks
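    The reading applied in the reply above (the log_component of each denied record tells you which layer dropped it, and fw_rule_id / app_category_id tell you which rule and category matched) can be automated over a pasted drop-packet-capture. The script below is an added example, not code from this thread or from Sophos: it parses the key=value records, discards the LAN broadcast noise that fills the capture, and groups the remaining drops by denying component, firewall rule and app category. The sample records are constructed, abbreviated copies of records posted in this thread; the ".255 means broadcast" test assumes a /24 LAN, and the reason labels are this example's own names, not SFOS terms.

```python
import re
from collections import Counter

# Constructed sample: abbreviated copies of drop-packet-capture records from this
# thread (hex dumps and trailing N/A fields omitted). Not a real capture.
SAMPLE_LOG = """\
console> drop-packet-capture 'host 192.168.1.76'
2016-08-31 14:26:09 0103021 IP 192.168.1.76.17500 > 255.255.255.255.17500 : proto UDP: packet len: 151 checksum : 54103
0x0000:  4500 00ab 3b67 0000 8011 3ce7 c0a8 014c  E...;g....<....L
Date=2016-08-31 Time=14:26:09 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied in_dev=Port1 out_dev= inzone_id=1 outzone_id=4 source_ip=192.168.1.76 dest_ip=255.255.255.255 l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 policytype=0 app_filter_id=0 app_category_id=0 app_id=0
Date=2016-08-31 Time=14:26:09 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied in_dev=Port1 out_dev= inzone_id=1 outzone_id=4 source_ip=192.168.1.76 dest_ip=192.168.1.255 l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 policytype=0 app_filter_id=0 app_category_id=0 app_id=0
Date=2016-08-31 Time=14:26:39 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied in_dev=Port1 out_dev= inzone_id=0 outzone_id=0 source_ip=192.168.1.76 dest_ip=119.2.100.249 l4_protocol=TCP source_port=59281 dest_port=443 fw_rule_id=0 policytype=0 app_filter_id=0 app_category_id=0 app_id=0
Date=2016-08-31 Time=15:46:37 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied in_dev= out_dev=Port2 inzone_id=1 outzone_id=2 source_ip=192.168.1.76 dest_ip=220.227.24.73 l4_protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=1 policytype=1 app_filter_id=0 app_category_id=3 app_id=0
"""

# key=value pairs separated by spaces; a value may be empty (out_dev= , source_mac=).
KV_RE = re.compile(r"(\w+)=(\S*)")

# Example's own labels for the log_component values seen in the thread.
REASONS = {
    "Local_ACLs": "local_acl",            # no firewall rule matched (fw_rule_id=0)
    "Invalid_Traffic": "invalid_traffic",  # packet belongs to no tracked connection
    "Application_Filter": "app_filter",   # app policy on fw_rule_id matched app_category_id
}


def parse_record(line):
    """Turn one 'Date=... key=value ...' record into a dict, keeping empty values as ''."""
    return dict(KV_RE.findall(line))


def is_broadcast(ip):
    """Limited broadcast, or directed broadcast assuming a /24 LAN (assumption of this example)."""
    return ip == "255.255.255.255" or ip.endswith(".255")


def classify(rec):
    """Map a denied record to the layer that dropped it."""
    return REASONS.get(rec.get("log_component", ""), "other")


def describe(rec):
    """One-line summary of the flow the record is about."""
    proto, src, dst = rec.get("l4_protocol", "?"), rec.get("source_ip", "?"), rec.get("dest_ip", "?")
    if proto in ("TCP", "UDP"):
        return f"{proto} {src}:{rec.get('source_port', '?')} -> {dst}:{rec.get('dest_port', '?')}"
    if proto == "ICMP":
        return f"ICMP type {rec.get('icmp_type', '?')} {src} -> {dst}"
    return f"{proto} {src} -> {dst}"


def records(text):
    """Yield parsed key=value records, skipping console prompts, headers and hex dumps."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Date="):
            yield parse_record(line)


def explain(text):
    """Human-readable line per non-broadcast drop: what was dropped, by which layer, under which rule."""
    out = []
    for rec in records(text):
        if is_broadcast(rec.get("dest_ip", "")):
            continue  # LAN discovery chatter; not the user's problem
        out.append(
            f"{describe(rec)} denied by {classify(rec)} "
            f"(fw_rule_id={rec.get('fw_rule_id', '?')}, app_category_id={rec.get('app_category_id', '?')})"
        )
    return out


def triage(text):
    """Count non-broadcast drops per (reason, fw_rule_id, app_category_id)."""
    counts = Counter()
    for rec in records(text):
        if is_broadcast(rec.get("dest_ip", "")):
            continue
        counts[(classify(rec), rec.get("fw_rule_id", "?"), rec.get("app_category_id", "?"))] += 1
    return counts


if __name__ == "__main__":
    for line in explain(SAMPLE_LOG):
        print(line)
    for (reason, rule, cat), n in triage(SAMPLE_LOG).most_common():
        print(f"{n:3d}  reason={reason} fw_rule_id={rule} app_category_id={cat}")
```

    Run against the capture in this thread, the two UDP broadcast records fall away and what remains is one Invalid_Traffic drop with fw_rule_id=0 (nothing matched a rule) and one Application_Filter drop of an ICMP echo on fw_rule_id=1 with app_category_id=3, which is the line to look at when an application policy takes the whole internet down with it.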

  • Hi Sachin,

    I did the steps as you said: HTTP, HTTPS and Ping services are selected for LAN & WAN. I unchecked the app & web traffic shaping, as there is no exclusive traffic shaping defined.

    Then I applied the app filter in the policy (ID-1), but it is still not working. PING was not working either.

    Below are the log details:

    console> drop-packet-capture 'host 192.168.1.76'                                                    
    2016-08-31 15:46:37 0544021 IP  192.168.1.76. > 220.227.24.73. :proto ICMP: echo request seq 24858  
    0x0000:  4500 003c 57cd 0000 7f01 2cd3 c0a8 014c  E..<W.....,....L                                  
    0x0010:  dce3 1849 0800 ec40 0001 611a 6162 6364  ...I...@..a.abcd                                  
    0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374  efghijklmnopqrst                                  
    0x0030:  7576 7761 6263 6465 6667 6869            uvwabcdefghi                                      
    Date=2016-08-31 Time=15:46:37 log_id=0544021 log_type=Content_Filter log_component=Application_Filte
    r log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port2 inzone_id=
    1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.1.76 dest_ip=220.227.24.73 l4_
    protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=1 policytype=1 live_userid=0 userid=0 user_gp=0 ips
    _id=1 sslvpn_id=0 web_filter_id=12 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=3 app_id=0
     category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqu
    eue=0 scanflags=100 gateway_offset=88 max_session_bytes=0 drop_fix=0 ctflags=0 connid=65546 masterid
    =2560109824 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip
    =N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A                                            
                                                                                                        
    2016-08-31 15:46:42 0544021 IP  192.168.1.76. > 220.227.24.73. :proto ICMP: echo request seq 24859  
    0x0000:  4500 003c 57ce 0000 7f01 2cd2 c0a8 014c  E..<W.....,....L                                  
    0x0010:  dce3 1849 0800 ec3f 0001 611b 6162 6364  ...I...?..a.abcd                                  
    0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374  efghijklmnopqrst                                  
    0x0030:  7576 7761 6263 6465 6667 6869            uvwabcdefghi                                      
    Date=2016-08-31 Time=15:46:42 log_id=0544021 log_type=Content_Filter log_component=Application_Filte
    r log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port2 inzone_id=
    1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.1.76 dest_ip=220.227.24.73 l4_
    protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=1 policytype=1 live_userid=0 userid=0 user_gp=0 ips
    _id=1 sslvpn_id=0 web_filter_id=12 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=3 app_id=0
     category_id=0 bandwidth_id=0 up_classid=3762532325007556608 dn_classid=0 source_nat_id=0 cluster_no
    de=1 inmark=0 nfqueue=0 scanflags=100 gateway_offset=88 max_session_bytes=0 drop_fix=0 ctflags=0 con
    nid=65546 masterid=2559926272 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_byt
    es=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A                          
                                                                                                        
    2016-08-31 15:46:47 0544021 IP  192.168.1.76. > 220.227.24.73. :proto ICMP: echo request seq 24860  
    0x0000:  4500 003c 57cf 0000 7f01 2cd1 c0a8 014c  E..<W.....,....L                                  
    0x0010:  dce3 1849 0800 ec3e 0001 611c 6162 6364  ...I...>..a.abcd                                  
    0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374  efghijklmnopqrst                                  
    0x0030:  7576 7761 6263 6465 6667 6869            uvwabcdefghi                                      
    Date=2016-08-31 Time=15:46:47 log_id=0544021 log_type=Content_Filter log_component=Application_Filte
    r log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port2 inzone_id=
    1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.1.76 dest_ip=220.227.24.73 l4_
    protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=1 policytype=1 live_userid=0 userid=0 user_gp=0 ips
    _id=1 sslvpn_id=0 web_filter_id=12 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=3 app_id=0
     category_id=0 bandwidth_id=0 up_classid=3762532325007556608 dn_classid=0 source_nat_id=0 cluster_no
    de=1 inmark=0 nfqueue=0 scanflags=100 gateway_offset=88 max_session_bytes=0 drop_fix=0 ctflags=0 con
    nid=65546 masterid=2559697728 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_byt
    es=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A                          
                                                                                                        
    2016-08-31 15:46:48 0103021 IP 192.168.1.76.17500 > 255.255.255.255.17500 : proto UDP: packet len: 1
    51 checksum : 54103                                                                                 
    0x0000:  4500 00ab 3cab 0000 8011 3ba3 c0a8 014c  E...<.....;....L                                  
    0x0010:  ffff ffff 445c 445c 0097 d357 7b22 686f  ....D\D\...W{"ho                                  
    0x0020:  7374 5f69 6e74 223a 2032 3233 3238 3830  st_int":.2232880                                  
    0x0030:  3339 3033 3532 3433 3735 3136 3538 3930  3903524375165890                                  
    0x0040:  3838 3938 3331 3937 3036 3535 3131 3837  8898319706551187                                  
    0x0050:  2c20 2276 6572 7369 6f6e 223a 205b 322c  ,."version":.[2,                                  
    0x0060:  2030 5d2c 2022 6469 7370 6c61 796e 616d  .0],."displaynam                                  
    0x0070:  6522 3a20 2222 2c20 2270 6f72 7422 3a20  e":."",."port":.                                  
    0x0080:  3137 3530 302c 2022 6e61 6d65 7370 6163  17500,."namespac                                  
    0x0090:  6573 223a 205b 3439 3939 3635 3634 382c  es":.[499965648,                                  
    0x00a0:  2038 3537 3335 3938 365d 7d              .85735986]}                                       
    Date=2016-08-31 Time=15:46:48 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=
    Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=4
     source_mac=dc:53:60:c7:b5:aa dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.76 dest_
    ip=255.255.255.255 l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 policytype=0 live_
    userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_i
    d=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=7147837350284886016 dn_classi
    d=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes
    =0 drop_fix=0 ctflags=0 connid=0 masterid=1756382848 status=0 state=256 sent_pkts=N/A recv_pkts=N/A 
    sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A   
                                                                                                        
    2016-08-31 15:46:48 0103021 IP 192.168.1.76.17500 > 192.168.1.255.17500 : proto UDP: packet len: 151
     checksum : 4272                                                                                    
    0x0000:  4500 00ab 7654 0000 8011 3f52 c0a8 014c  E...vT....?R...L                                  
    0x0010:  c0a8 01ff 445c 445c 0097 10b0 7b22 686f  ....D\D\....{"ho                                  
    0x0020:  7374 5f69 6e74 223a 2032 3233 3238 3830  st_int":.2232880                                  
    0x0030:  3339 3033 3532 3433 3735 3136 3538 3930  3903524375165890                                  
    0x0040:  3838 3938 3331 3937 3036 3535 3131 3837  8898319706551187                                  
    0x0050:  2c20 2276 6572 7369 6f6e 223a 205b 322c  ,."version":.[2,                                  
    0x0060:  2030 5d2c 2022 6469 7370 6c61 796e 616d  .0],."displaynam                                  
    0x0070:  6522 3a20 2222 2c20 2270 6f72 7422 3a20  e":."",."port":.                                  
    0x0080:  3137 3530 302c 2022 6e61 6d65 7370 6163  17500,."namespac                                  
    0x0090:  6573 223a 205b 3439 3939 3635 3634 382c  es":.[499965648,                                  
    0x00a0:  2038 3537 3335 3938 365d 7d              .85735986]}                                       
    Date=2016-08-31 Time=15:46:48 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=
    Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=4
     source_mac=dc:53:60:c7:b5:aa dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.76 dest_
    ip=192.168.1.255 l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 policytype=0 live_us
    erid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=
    0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=7147837350284886016 dn_classid=
    0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0
     drop_fix=0 ctflags=0 connid=0 masterid=1756382848 status=0 state=256 sent_pkts=N/A recv_pkts=N/A se
    nt_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A     
                                                                                                        
    2016-08-31 15:46:48 0103021 IP 192.168.1.76.17500 > 255.255.255.255.17500 : proto UDP: packet len: 1
    51 checksum : 54103                                                                                 
    0x0000:  4500 00ab 3cac 0000 8011 3ba2 c0a8 014c  E...<.....;....L                                  
    0x0010:  ffff ffff 445c 445c 0097 d357 7b22 686f  ....D\D\...W{"ho                                  
    0x0020:  7374 5f69 6e74 223a 2032 3233 3238 3830  st_int":.2232880                                  
    0x0030:  3339 3033 3532 3433 3735 3136 3538 3930  3903524375165890                                  
    0x0040:  3838 3938 3331 3937 3036 3535 3131 3837  8898319706551187                                  
    0x0050:  2c20 2276 6572 7369 6f6e 223a 205b 322c  ,."version":.[2,                                  
    0x0060:  2030 5d2c 2022 6469 7370 6c61 796e 616d  .0],."displaynam                                  
    0x0070:  6522 3a20 2222 2c20 2270 6f72 7422 3a20  e":."",."port":.                                  
    0x0080:  3137 3530 302c 2022 6e61 6d65 7370 6163  17500,."namespac                                  
    0x0090:  6573 223a 205b 3439 3939 3635 3634 382c  es":.[499965648,                                  
    0x00a0:  2038 3537 3335 3938 365d 7d              .85735986]}                                       
    Date=2016-08-31 Time=15:46:48 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=
    Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=4
     source_mac=dc:53:60:c7:b5:aa dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.76 dest_
    ip=255.255.255.255 l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 policytype=0 live_
    userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_i
    d=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=7147837350284886016 dn_classi
    d=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes
    =0 drop_fix=0 ctflags=0 connid=0 masterid=1756382848 status=0 state=256 sent_pkts=N/A recv_pkts=N/A 
    sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A   
                                                                                                        
    2016-08-31 15:46:52 0544021 IP  192.168.1.76. > 220.227.24.73. :proto ICMP: echo request seq 24861  
    0x0000:  4500 003c 57d2 0000 7f01 2cce c0a8 014c  E..<W.....,....L                                  
    0x0010:  dce3 1849 0800 ec3d 0001 611d 6162 6364  ...I...=..a.abcd                                  
    0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374  efghijklmnopqrst                                  
    0x0030:  7576 7761 6263 6465 6667 6869            uvwabcdefghi                                      
    Date=2016-08-31 Time=15:46:52 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port2 inzone_id=1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.1.76 dest_ip=220.227.24.73 l4_protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=1 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=12 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=3 app_id=0 category_id=0 bandwidth_id=0 up_classid=3762532325007556608 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqueue=0 scanflags=100 gateway_offset=88 max_session_bytes=0 drop_fix=0 ctflags=0 connid=65546 masterid=2560341696 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
                                                                                                        
    2016-08-31 15:46:57 0544021 IP  192.168.1.76. > 220.227.24.73. :proto ICMP: echo request seq 24862  
    0x0000:  4500 003c 57d5 0000 7f01 2ccb c0a8 014c  E..<W.....,....L                                  
    0x0010:  dce3 1849 0800 ec3c 0001 611e 6162 6364  ...I...<..a.abcd                                  
    0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374  efghijklmnopqrst                                  
    0x0030:  7576 7761 6263 6465 6667 6869            uvwabcdefghi                                      
    Date=2016-08-31 Time=15:46:57 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port2 inzone_id=1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.1.76 dest_ip=220.227.24.73 l4_protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=1 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=12 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=3 app_id=0 category_id=0 bandwidth_id=0 up_classid=3762532325007556608 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqueue=0 scanflags=100 gateway_offset=88 max_session_bytes=0 drop_fix=0 ctflags=0 connid=65546 masterid=1271107648 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
                                                                                                        
    2016-08-31 15:47:02 0544021 IP  192.168.1.76. > 220.227.24.73. :proto ICMP: echo request seq 24863  
    0x0000:  4500 003c 57d6 0000 7f01 2cca c0a8 014c  E..<W.....,....L                                  
    0x0010:  dce3 1849 0800 ec3b 0001 611f 6162 6364  ...I...;..a.abcd                                  
    0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374  efghijklmnopqrst                                  
    0x0030:  7576 7761 6263 6465 6667 6869            uvwabcdefghi                                      
    Date=2016-08-31 Time=15:47:02 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port2 inzone_id=1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.1.76 dest_ip=220.227.24.73 l4_protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=1 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=12 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=3 app_id=0 category_id=0 bandwidth_id=0 up_classid=3762532325007556608 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqueue=0 scanflags=100 gateway_offset=88 max_session_bytes=0 drop_fix=0 ctflags=0 connid=65546 masterid=1756951424 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
                                                                                                        
    2016-08-31 15:47:07 0544021 IP  192.168.1.76. > 220.227.24.73. :proto ICMP: echo request seq 24864  
    0x0000:  4500 003c 57d7 0000 7f01 2cc9 c0a8 014c  E..<W.....,....L                                  
    0x0010:  dce3 1849 0800 ec3a 0001 6120 6162 6364  ...I...:..a.abcd                                  
    0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374  efghijklmnopqrst                                  
    0x0030:  7576 7761 6263 6465 6667 6869            uvwabcdefghi                                      
    Date=2016-08-31 Time=15:47:07 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port2 inzone_id=1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.1.76 dest_ip=220.227.24.73 l4_protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=1 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=12 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=3 app_id=0 category_id=0 bandwidth_id=0 up_classid=3762532325007556608 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqueue=0 scanflags=100 gateway_offset=88 max_session_bytes=0 drop_fix=0 ctflags=0 connid=65546 masterid=1271109312 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
                                                                                                        
    2016-08-31 15:47:12 0544021 IP  192.168.1.76. > 220.227.24.73. :proto ICMP: echo request seq 24865  
    0x0000:  4500 003c 57d8 0000 7f01 2cc8 c0a8 014c  E..<W.....,....L                                  
    0x0010:  dce3 1849 0800 ec39 0001 6121 6162 6364  ...I...9..a!abcd                                  
    0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 7374  efghijklmnopqrst                                  
    0x0030:  7576 7761 6263 6465 6667 6869            uvwabcdefghi                                      
    Date=2016-08-31 Time=15:47:12 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev=Port2 inzone_id=1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.1.76 dest_ip=220.227.24.73 l4_protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=1 policytype=1 live_userid=0 userid=0 user_gp=0 ips_id=1 sslvpn_id=0 web_filter_id=12 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=3 app_id=0 category_id=0 bandwidth_id=0 up_classid=3762532325007556608 dn_classid=0 source_nat_id=0 cluster_node=1 inmark=0 nfqueue=0 scanflags=100 gateway_offset=88 max_session_bytes=0 drop_fix=0 ctflags=0 connid=65546 masterid=2559994304 status=0 state=256 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A


    Thanks,
    Kumar
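A small parser for the drop-packet-capture export posted above, added here as an illustration and not part of the thread or of any Sophos tool. The console hard-wraps each `Date=...` record at a fixed width, even in the middle of a token (`log_subtype=` / `Denied`), so the parser re-joins continuation lines before splitting on `key=value`, then reports which component and firewall rule denied each flow. The sample input is constructed in the same layout with most fields trimmed; the `app_filter_denies_without_app` check and its reading (an application filter denying traffic it identified no application for, `app_id=0`) are this example's own heuristic.

```python
import re
from collections import Counter

INDENT = "    "   # every line of the pasted export carries a four-space indent
SUMMARY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")   # packet summary line
KV_RE = re.compile(r"(\w+)=(\S*)")                                 # key=value, value may be empty

# Constructed sample in the export's layout (summary line, "0x...." hex lines, then a
# hard-wrapped "Date=..." record). Modelled on the thread's dump, not a copy of it.
SAMPLE = """\
    2016-08-31 15:46:48 0103021 IP  192.168.1.76.17500 > 255.255.255.255.17500 :proto UDP
    0x0000:  4500 0000 0000 0000 4011 0000 c0a8 014c  E.......@......L
    Date=2016-08-31 Time=15:46:48 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=
    Denied log_status=N/A in_dev=Port1 out_dev= source_ip=192.168.1.76 dest_ip=255.255.255.255 l4_protoc
    ol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 app_filter_id=0 app_category_id=0 app_id=0
    2016-08-31 15:46:52 0544021 IP  192.168.1.76. > 220.227.24.73. :proto ICMP: echo request seq 24861
    0x0000:  4500 003c 57d2 0000 7f01 2cce c0a8 014c  E..<W.....,....L
    Date=2016-08-31 Time=15:46:52 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied in_dev= out_dev=Port2 source_ip=192.168.1.76 dest_ip=220.227.24.73 l4_protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=1 app_filter_id=0 app_category_id=3 app_id=0
    2016-08-31 15:46:57 0544021 IP  192.168.1.76. > 220.227.24.73. :proto ICMP: echo request seq 24862
    Date=2016-08-31 Time=15:46:57 log_id=0544021 log_type=Content_Filter log_component=Application_Filter log_subtype=Denied in_dev= out_dev=Port2 source_ip=192.168.1.76 dest_ip=220.227.24.73 l4_protocol=ICMP icmp_type=8 icmp_code=0 fw_rule_id=1 app_filter_id=0 app_category_id=3 app_id=0
"""


def parse_drop_capture(text):
    """Return one dict of key=value fields per 'Date=...' record.

    Summary and hex lines are skipped. Any other non-empty line after a record is a
    hard-wrapped continuation and is appended with no separator, so tokens split across
    lines (log_subtype=/Denied, l4_protoc/ol=UDP) are whole again before parsing.
    """
    chunks, current = [], None
    for raw in text.splitlines():
        line = raw[len(INDENT):] if raw.startswith(INDENT) else raw
        if not line.strip():
            continue
        if line.startswith("Date="):
            current = [line]
            chunks.append(current)
        elif SUMMARY_RE.match(line) or line.lstrip().startswith("0x"):
            current = None          # a new packet begins; nothing to continue
        elif current is not None:
            current.append(line)
    return [dict(KV_RE.findall("".join(chunk))) for chunk in chunks]


def deny_summary(records):
    """Count denied packets by (component, fw_rule_id, l4_protocol, src, dst)."""
    counts = Counter()
    for r in records:
        if r.get("log_subtype") != "Denied":
            continue
        counts[(r["log_component"], r["fw_rule_id"], r["l4_protocol"],
                r["source_ip"], r["dest_ip"])] += 1
    return counts


def app_filter_denies_without_app(records):
    """Records the Application_Filter component denied although it identified no
    application (app_id=0). Heuristic assumed by this example: when the intent is to
    block only chosen categories, such drops point at the policy's default action."""
    return [r for r in records
            if r.get("log_component") == "Application_Filter"
            and r.get("log_subtype") == "Denied"
            and r.get("app_id") == "0"]


if __name__ == "__main__":
    recs = parse_drop_capture(SAMPLE)
    for key, n in deny_summary(recs).items():
        print(n, "x denied by", *key)
    for r in app_filter_denies_without_app(recs):
        print("app filter dropped unclassified", r["l4_protocol"], "under fw_rule_id", r["fw_rule_id"])
```

Run it against the full export by reading the pasted text from a file; the fw_rule_id values it prints tell you which firewall rule's application policy to open first.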
          
  • Hi Kumar,

    Create a new application filter policy and try again.

    Thanks

  • Hi Sachin,

    Thank you very much for the steps suggested earlier; at the moment my net is up and running. The Allow and Deny option in Sophos is confusing and I was unable to figure it out, as I am new to this device.

    Request you to review the newly created app filter rule (Allow and Deny) in the screenshots below and suggest whether I have configured it properly, mainly the Allow and Deny settings:

    Scr-1

    Scr-2

    Scr-3


     

    Hope the above shown config is correct.

    Thanks,

    Kumar

  • Hi Kumar,

    As I mentioned in my earlier post, the default action should be Allow when you are trying to block specific applications defined in the policy and allow all the rest. If the default is Deny, all traffic will be blocked except what is explicitly allowed.

    We will wait for your feedback on Twitter.

    Thank you for choosing Sophos.
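The default-action rule stated in that answer, worked through as a small model added here; it is not Sophos code and the names `Flow`, `AppFilterPolicy`, `decide`, `lint_policy` and the application catalog are this example's own assumptions, simplified far below what the real engine does. It shows why a policy with only a "Gaming: Deny" rule drops a ping under default Deny (ping is classified as no application, so only the default applies) and passes it under default Allow, and adds the check a practitioner wants before attaching such a policy to a firewall rule.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed catalog: application name -> category (assumed, not SFOS's real lists).
APP_CATEGORY = {
    "Steam": "Gaming",
    "Dropbox": "File Transfer",
    "HTTP": "Web",
    "DNS": "Infrastructure",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    app: Optional[str] = None   # None: the engine identified no application (e.g. ICMP echo)


@dataclass(frozen=True)
class AppFilterPolicy:
    default_action: str                      # "Allow" or "Deny", used when no rule matches
    rules: Tuple[Tuple[str, str], ...]       # ((category, action), ...) evaluated top-down


def decide(policy: AppFilterPolicy, flow: Flow) -> str:
    """First rule whose category matches the flow's application wins; else the default."""
    category = APP_CATEGORY.get(flow.app) if flow.app else None
    for rule_category, action in policy.rules:
        if category == rule_category:
            return action
    return policy.default_action


def lint_policy(policy: AppFilterPolicy):
    """Warnings worth reading before the policy goes onto a firewall rule."""
    warnings = []
    actions = {action for _, action in policy.rules}
    if policy.default_action == "Deny" and "Allow" not in actions:
        warnings.append("default Deny with no Allow rule: every flow is dropped, including "
                        "unclassified traffic such as ping and DNS")
    if policy.default_action == "Deny" and "Deny" in actions:
        warnings.append("Deny rules are redundant under a default Deny")
    return warnings


def evaluate_all(policy: AppFilterPolicy, flows):
    """Decision per flow, so two policies can be compared side by side."""
    return {flow: decide(policy, flow) for flow in flows}


# Constructed flows from one LAN host; 192.0.2.x is documentation address space.
SAMPLE_FLOWS = (
    Flow("192.168.1.76", "220.227.24.73", "ICMP"),          # ping, no application
    Flow("192.168.1.76", "192.0.2.53", "UDP", "DNS"),
    Flow("192.168.1.76", "192.0.2.10", "TCP", "Steam"),      # Gaming
    Flow("192.168.1.76", "192.0.2.20", "TCP", "HTTP"),
)

BLOCK_GAMING_DEFAULT_DENY = AppFilterPolicy("Deny", (("Gaming", "Deny"),))
BLOCK_GAMING_DEFAULT_ALLOW = AppFilterPolicy("Allow", (("Gaming", "Deny"),))

if __name__ == "__main__":
    for policy in (BLOCK_GAMING_DEFAULT_DENY, BLOCK_GAMING_DEFAULT_ALLOW):
        print("default", policy.default_action, "->",
              {f.app or f.proto: a for f, a in evaluate_all(policy, SAMPLE_FLOWS).items()})
        for w in lint_policy(policy):
            print("  warning:", w)
```

With default Deny the only flow the rules ever look at is Steam; everything else, ping included, falls through to the default and is dropped, which is the symptom described at the top of the thread.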