Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 26 subscribers
  • Views 10884 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to determine why the IPS dropped traffic

BryonAdams

Hello,

  I noticed a problem accessing a website, slickdeals.net, while behind my Sophos XG firewall (v15 still). I don't have many rules (just the one from initial setup to let connections back in that I request and one for SSH to my Raspberry Pi) so I'm not sure why I had trouble accessing the site. I checked through the web filter and didn't notice anything other than "Accept" for traffic for the website, but when I looked at the IPS log it showed dropped traffic from the IP slickdeals.net was resolving to. Is there a way for me to view what the IPS took issue with? I'm a bit new to firewalls so I hope this isn't just me being blind. Below is some what I found while trying to get to the site. Interestingly, browsing with https let me reach the site and now I don't appear to have trouble getting there on the device afterwards (other devices still have this trouble though). The last 6 of those fields in that table aren't actually there in the UI, no idea what's generating them.


[bryon@blaptop ~]$ curl -v slickdeals.net
* Rebuilt URL to: slickdeals.net/
*   Trying 192.225.209.8...
* Connected to slickdeals.net (192.225.209.8) port 80 (#0)
> GET / HTTP/1.1
> Host: slickdeals.net
> User-Agent: curl/7.47.1
> Accept: */*
>
< HTTP/1.1 504 Timeout while reading response from Server
< Date: Fri, 21 Oct 2016 00:00:15 GMT
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset="UTF-8"
< Content-Length: 0
< Accept-Ranges: none
< Via: HTTP/1.1 sophos.http.proxy:3128
< Connection: close
<
* Closing connection 0

2016-10-20 20:06:45
Signatures
Drop
-
192.225.209.8 :TCP(80)
192.168.10.111 :TCP(36779)
1160229070
Squid Long String Header Processing Assertion Failure
Misc
BSD,Linux,Mac,Solaris,Unix,Windows
Server
1
07002
2016-10-20 20:06:34
Signatures
Drop
-
192.225.209.8 :TCP(80)
192.168.10.111 :TCP(36768)
1160229070
Squid Long String Header Processing Assertion Failure
Misc
BSD,Linux,Mac,Solaris,Unix,Windows
Server
1
07002
2016-10-20 20:06:21
Signatures
Drop
-
192.225.209.8 :TCP(80)
192.168.10.111 :TCP(36764)
1160229070
Squid Long String Header Processing Assertion Failure
Misc
BSD,Linux,Mac,Solaris,Unix,Windows
Server
1
07002
2016-10-20 20:01:34
Signatures
Drop
-
192.225.209.8 :TCP(80)
192.168.10.103 :TCP(36644)
1160229070
Squid Long String Header Processing Assertion Failure
Misc
BSD,Linux,Mac,Solaris,Unix,Windows
Server
1
07002
2016-10-20 19:59:13
Signatures
Drop
-
192.225.209.8 :TCP(80)
192.168.10.111 :TCP(36506)
1160229070
Squid Long String Header Processing Assertion Failure
Misc
BSD,Linux,Mac,Solaris,Unix,Windows
Server
1
07002
2016-10-20 19:49:37
Signatures
Drop
-
192.225.209.8 :TCP(80)
192.168.10.111 :TCP(36205)
1160229070
Squid Long String Header Processing Assertion Failure
Misc
BSD,Linux,Mac,Solaris,Unix,Windows
Server
1
07002
2016-10-20 19:49:31
Signatures
Drop
-
192.225.209.8 :TCP(80)
192.168.10.111 :TCP(36203)
1160229070
Squid Long String Header Processing Assertion Failure
Misc
BSD,Linux,Mac,Solaris,Unix,Windows
Server
1
07002
             


This thread was automatically locked due to age.
  • 0

    Bryon,

    from the even you attached, IPS is blocking "Squid Long String Header Processing Assertion Failure".

    In order to get on that website, clone the Policy you are using (should be LAN to WAN) and remove the "Squid Long String Header Processing Assertion Failure" . You will find it under "Misc" Category. Select ALL and use the search to find the signature. If you are not able to remove it from the policy (because there are a lot of them), change the default action to allow or disable).

  • 0 in reply to lferrara

    Luk,

        I'm having trouble finding that "Misc" category. Am I looking under the Policies section on the left hand side? Bear in mind I'm still on v15 though I plan on upgrading this weekend provided I don't forget. This is the policy I'm looking at in the attached picture. I went and tried to create a new "User/Network" rule but I did not see the "Misc" category there either.

     

     

  • +1 in reply to BryonAdams

    Bryon,

    Misc category is inside IPS signatures, so you will not find it inside Firewall Rules. Update the Xg to v16 and then go to Intrustion Prevention > IPS Policies and edit the IPS policy you are using on that Firewall Rule. Remember that some built-in ips policy cannot be removed/edit. The best choice is to create a new IPS policy and remove/add the signature you need.

    Also do not use "any" as service inside your firewall rule, but try to be more clean and allow only needed traffic.

    Thanks

  • 0 in reply to lferrara

    Looking for the update now, though I'm having trouble figuring out which firmware I need. I'm running the home version and have firmware: SFVH (SFOS 15.01.0 MR-3). When checking the release table at https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-01-1-released I don't see a SFVH version so I'm not sure which I'd need to download (110, 210, 300?). Am I looking in the wrong place or is there not a version available for home yet? Nothing shows up when I check for updates from my firewall's web UI but I figured that was expected for the home version.

    I left it at ANY ANY out of the box since I'm just using this for home. I have fixing that on my list of things to do and have an idea of everything I'll need to explicitly allow, just haven't gotten around to it yet.

    *edit: Found the firmware using my serial. Will update, grab dinner, and try your suggestion. Thanks for your patience, this is literally the first firewall I've tried to manage =)

  • 0 in reply to lferrara

    Luk,

        It looks like after updating to v16 the site loads without any trouble. It's much easier to navigate around v16 as well! I'll get to work on making a better rule to replace that default rule I have. I'll have some digging around to do to learn where everything is but it looks a bit more straight forward than before. I did go through and find the signature, though I didn't remove it since it wasn't triggering anymore.

    Thank you for your patience with me, enjoy the rest of the weekend!

    Regards,

      Bryon