
Network rule with application filter allows everything

I want to have a network rule that specifically allows Youtube.  I've created an application filter that allows only the individual Youtube related applications and have applied it to a network rule in the 'Application Control' section.

I have observed that this rule allows all traffic ... not just Youtube.  What's really odd is that no events are generated for this or following rules in either the Application or Web Filter log.

If I change the action of the Youtube application filter to deny, the policy works as expected.  It blocks the youtube traffic and subsequent rules are evaluated properly.  Events in the Application and Web Filter logs are generated and reflect the behaviour.

I'm running SFOS 15.01.0 MR-3.  

What could I be doing wrong?

Thanks, Jeff K



  • Thanks.  I'm not doing any decryption right now.  I'm trying the upgrade first.  When I attempt to upload the v16 firmware, I get the message "New firmware could not be uploaded.  Please refer to online help for possible reasons."  How do I figure out what the issue is?  Thanks.

  • Are you using an appliance?

    You can download the proper firmware version from your Sophos Account > View Network devices.

    Regards

  • I'm running the software firewall.  I downloaded the firmware ( SW-SFOS_16.01.1.SFW-202.gpg ) from my Sophos account as you suggested ... it is slightly newer than the one I grabbed earlier.  I get the same result when I try to upload the firmware:  "New Firmware could not be uploaded. Please refer to online help for possible reasons".

    Maybe a space issue?

  • Hello Jeff,

    Please SSH to the appliance and run the following commands on the console and share the output. 

    Note: please strike out the appliance Key/IP Address in the screenshot.

    1. system diag show version-info

    2. system diag show disk

    Regards,


  • It doesn't look like a space issue.


    console> system diagnostics show ver

    Serial Number:                  c01001x---------
    Device-Id:                      4882e9fa-------------
    Appliance Model:                SFVH
    Firmware Version:               SFOS 15.01.0 MR-3
    Firmware Build:                 447
    Firmware Loader version:        0x00000006
    HW version:                     SO01
    Config DB version:              15.060
    Signature DB version:           15.060
    Report DB version:              15.060
    Webcat Signature version:       0.0.1.36
    Web Proxy version:              HTTP-Proxy.1f718b7c8
    SMTP Proxy version:             1.0.6.4
    POP/IMAP Proxy version:         1.0.0.3.4
    Logging Daemon version:         0.0.0.17
    AP Firmware:                    5.0.001
    ATP:                            1.0.0106
    Avira AV:                       1.0.17072
    Authentication Clients:         1.0.0018
    IPS and Application signatures: 3.13.06
    RED Firmware:                   1.0.004
    Sophos AV:                      1.0.10114
    SSLVPN Clients:                 1.0.005
    WAF:                            1.0.0006
    Hot Fix version:                N.A

    console> system diag show disk
    Partition        Utilization(%)
    ===============================
    configuration        15%
    content               3%
    report                2%
    console>

  • Can I do a clean install from the ISO and restore my config from backup?

  • Of course you can!

    The configuration will be imported and upgraded automatically.

    :-)

  • I've updated to the latest software firewall version, SFOS 16.01.2. I'm seeing the same behaviour.

    I create a firewall rule and apply an application filter to it.  The "skype" rule below ends up allowing all traffic and nothing is logged.  Should it do that?


    thanks, Jeff K

  • Jeff,

    Thanks for the screenshots.

    Make sure that this rule is the first matched; make sure you authenticate in some way, because the policy is applied only to matched users (or remove "match users" from the firewall rule); when you create an application filter from scratch, make sure to clone it from "deny all" and add only Skype.

    Regards
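    The advice above comes down to default-deny: a filter that only lists what to allow and leaves the rest implicitly allowed matches everything, while a filter cloned from "deny all" passes only what the classifier positively identifies. The following Python sketch is an added, constructed model of first-match rule evaluation written to illustrate that difference; it is not Sophos code and makes no claim about how SFOS implements application control internally. The class names, the `policy_with` / `verdicts` helpers, the sample flows and the "unclassified flow takes the filter's default" behaviour are all assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Flow:
    """One connection as the rule engine sees it (constructed sample data)."""
    src: str
    dst: str
    app: Optional[str]   # None = the classifier could not name the application


@dataclass
class AppFilter:
    """Application filter: explicit per-app actions plus a default for everything else.

    Assumption of this model: a flow the classifier cannot name is treated
    like an unlisted application and gets the filter's default action.
    """
    name: str
    entries: Dict[str, str]   # app name -> "allow" or "deny"
    default: str              # action for unlisted and unclassified apps

    def decide(self, flow: Flow) -> str:
        if flow.app is None:
            return self.default
        return self.entries.get(flow.app, self.default)


@dataclass
class FirewallRule:
    """A rule matches on source network and, optionally, applies an app filter."""
    name: str
    src_net: str
    app_filter: Optional[AppFilter] = None   # None = no application control on the rule

    def matches(self, flow: Flow) -> bool:
        return ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)


def evaluate(rules: List[FirewallRule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation: the first rule whose source matches decides the flow."""
    for rule in rules:
        if not rule.matches(flow):
            continue
        if rule.app_filter is None:
            return rule.name, "allow"
        return rule.name, rule.app_filter.decide(flow)
    return "implicit", "deny"   # nothing matched: fall to the implicit drop


def verdicts(rules: List[FirewallRule], flows: List[Flow]) -> List[Tuple[str, str]]:
    return [evaluate(rules, f) for f in flows]


# Filter built by listing only what to allow; everything else is implicitly allowed.
FILTER_ALLOW_ONLY = AppFilter("skype-allow-only", {"Skype": "allow"}, default="allow")

# Filter cloned from a "deny all" template with a single Skype allow entry.
FILTER_DENY_ALL_BASE = AppFilter("skype-from-deny-all", {"Skype": "allow"}, default="deny")


def policy_with(app_filter: AppFilter) -> List[FirewallRule]:
    """Hypothetical rule base: a Skype rule for one subnet, then a catch-all LAN rule."""
    return [
        FirewallRule("skype-rule", "10.0.0.0/24", app_filter),
        FirewallRule("default-lan", "10.0.0.0/8"),
    ]


# Constructed sample flows: classified Skype, classified YouTube, an unclassified
# flow, and a flow from a different subnet that should reach the second rule.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "40.0.0.1", "Skype"),
    Flow("10.0.0.5", "93.0.0.1", "YouTube"),
    Flow("10.0.0.5", "1.2.3.4", None),
    Flow("10.1.0.5", "93.0.0.1", "YouTube"),
]


if __name__ == "__main__":
    for flt in (FILTER_ALLOW_ONLY, FILTER_DENY_ALL_BASE):
        print(f"--- {flt.name} (default={flt.default})")
        for flow, (rule, verdict) in zip(SAMPLE_FLOWS, verdicts(policy_with(flt), SAMPLE_FLOWS)):
            print(f"{flow.src:>10} app={str(flow.app):<8} -> {rule:<12} {verdict}")
```

    Run as-is, the allow-only filter returns "allow" for every flow that hits the Skype rule, including YouTube and the unclassified one, which is the symptom described in this thread. The deny-all-based filter allows only the flow the classifier named "Skype" and denies the rest; when classification fails, that same default is what makes the rule appear to block everything. Either way, the fourth flow is untouched by the Skype rule and is decided by the next rule.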

  • Luk,

    I created a 'skype' application filter using the 'deny all' template.  The behaviour of the firewall rule now appears to block everything ... presumably it would allow Skype, but I don't think it's classifying the Skype traffic properly.

    I'll ask this question instead.  How would you build a rule to specifically classify Skype traffic for the purpose of permitting the traffic?  Non-Skype traffic should be ignored by this rule so it can be evaluated by subsequent rules.

    Thanks!
    Jeff K