
new XG installs are causing ScreenConnect 'last connected' timer resets even though NO security services are enabled.

I have now set up two firewalls for two different clients who also use our screenconnect software on their machines for us to remotely connect for repair, diagnostics, etc. The screenconnect software on the client machine will regularly poll back to the screenconnect server (located in my office) to let the server know that it is available and online. This shows as a 'time connected' counter in the screenconnect dashboard. This has always been very stable, and has not been blocked or otherwise interfered with by any other firewall or security appliance. All clients that do not have sophos firewalls do not exhibit this behavior. However, the two XG (115 and 210) firewalls that I have installed in the last two days are causing that counter to reset every 5 minutes (I can see the activity in the screenconnect logs). Both firewalls are in gateway mode, directly connected to the ISP and have NO security services enabled yet. No AV, no IPS, No web filter...nothing. Just the default rule in the firewall that is put in place during the initial configuration wizard.

FYI, the client is set to relay out to the ScreenConnect server on ports 80 and 443, so I don't understand why that would get reset every 5 minutes.



  • Hi Paul,

    Check #1 in my guide here. Capture drops on the destination/source IP and port. If you do not see any drops, take a pcap and verify who generates the RESET packet.

    Thanks

  • console> drop-packet-capture 'host 192.168.1.249'
    [See packet capture below]

    From the GUI:

    Any help interpreting this would be appreciated.

  • Hi Sam,

    These are general UDP drops on port 137 for NetBIOS traffic. Can you describe to me how ScreenConnect works? Is there any destination IP address on which we can capture dumps? I hope the ScreenConnect clients are not used to connect to an internal system instead of a system connected on the WAN.

    Thanks

  • Thanks for replying back.

    ScreenConnect (cloud version, aka SC) is a hosted service that I use for remote management of machines. I've traced my assigned SC server back to Amazon AWS servers. The only logs available to me only show disconnects/connects - very basic. I've spoken with SC tech support; no capture logs are available.

    I'm hoping I used the correct BPF expression for the packet capture. I'm capturing a simple internal server, just Dropbox running, nothing else.

    In the GUI:

    host 192.168.1.249

    In the CLI above:

    drop-packet-capture 'host 192.168.1.249'

    Snip from the Audit log on my SC server (times are in GMT):

    1/6/2017 4:15:09 PM    - IA-S03 (DropBox 249)    Event: Connected, Process: Guest, Participant: , Address: 24.240.246.42, Data:
    1/6/2017 4:15:09 PM    - IA-S03 (DropBox 249)    Event: Disconnected, Process: Guest, Participant: , Address: 24.240.246.42, Data:
    1/6/2017 4:10:09 PM    - IA-S03 (DropBox 249)    Event: Connected, Process: Guest, Participant: , Address: 24.240.246.42, Data:
    1/6/2017 4:10:09 PM    - IA-S03 (DropBox 249)    Event: Disconnected, Process: Guest, Participant: , Address: 24.240.246.42, Data:

    24.240.246.42 is the outside interface of the Sophos XG105w

  • PACKET CAPTURE

    2017-01-06 10:35:01 0103021 IP 192.168.1.249.138 > 192.168.1.255.138 : proto UDP: packet len: 227 checksum : 42289
    0x0000:  4500 00f7 31e9 0000 8011 82c4 c0a8 01f9  E...1...........
    0x0010:  c0a8 01ff 008a 008a 00e3 a531 1102 9f8c  ...........1....
    0x0020:  c0a8 01f9 008a 00cd 0000 2045 4a45 4243  ...........EJEBC
    0x0030:  4e46 4444 4144 4443 4143 4143 4143 4143  NFDDADDCACACACAC
    0x0040:  4143 4143 4143 4143 4143 4100 2045 4a45  ACACACACACA..EJE
    0x0050:  4245 4446 4145 4243 4143 4143 4143 4143  BEDFAEBCACACACAC
    0x0060:  4143 4143 4143 4143 4143 4142 4e00 ff53  ACACACACACABN..S
    0x0070:  4d42 2500 0000 0000 0000 0000 0000 0000  MB%.............
    0x0080:  0000 0000 0000 0000 0000 0000 0000 1100  ................
    0x0090:  0033 0000 0000 0000 0000 00e8 0300 0000  .3..............
    0x00a0:  0000 0000 0033 0056 0003 0001 0000 0002  .....3.V........
    0x00b0:  0044 005c 4d41 494c 534c 4f54 5c42 524f  .D.\MAILSLOT\BRO
    0x00c0:  5753 4500 0100 80fc 0a00 4941 2d53 3033  WSE.......IA-S03
    0x00d0:  0000 0000 0000 0000 0000 0603 2390 8000  ............#...
    0x00e0:  0f01 55aa 4d79 2062 7573 696e 6573 7320  ..U.My.business.
    0x00f0:  7365 7276 6572 00                        server.
    Date=2017-01-06 Time=10:35:01 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=138 dest_port=138 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2366021952 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:47:02 0101021 IP 192.168.1.249.138 > 192.168.1.255.138 : proto UDP: packet len: 227 checksum : 42288
    Date=2017-01-06 Time=10:47:02 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=138 dest_port=138 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=4108148736 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:47:02 0103021 IP 192.168.1.249.138 > 192.168.1.255.138 : proto UDP: packet len: 227 checksum : 42288
    Date=2017-01-06 Time=10:47:02 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=138 dest_port=138 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=4108148736 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:08 0101021 IP 192.168.1.249.137 > 192.168.1.255.137 : proto UDP: packet len: 58 checksum : 37405
    Date=2017-01-06 Time=10:50:08 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2439710592 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:08 0103021 IP 192.168.1.249.137 > 192.168.1.255.137 : proto UDP: packet len: 58 checksum : 37405
    Date=2017-01-06 Time=10:50:08 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2439710592 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:08 0101021 IP 192.168.1.249.64623 > 224.0.0.252.5355 : proto UDP: packet len: 32 checksum : 47231
    Date=2017-01-06 Time=10:50:08 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=01:00:5e:00:00:fc l3_protocol=IP source_ip=192.168.1.249 dest_ip=224.0.0.252 l4_protocol=UDP source_port=64623 dest_port=5355 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2439710592 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:08 0101021 IP 192.168.1.249.64623 > 224.0.0.252.5355 : proto UDP: packet len: 32 checksum : 47231
    Date=2017-01-06 Time=10:50:08 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=01:00:5e:00:00:fc l3_protocol=IP source_ip=192.168.1.249 dest_ip=224.0.0.252 l4_protocol=UDP source_port=64623 dest_port=5355 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2439711232 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:08 0101021 IP 192.168.1.249.137 > 192.168.1.255.137 : proto UDP: packet len: 58 checksum : 37405
    Date=2017-01-06 Time=10:50:08 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2439711552 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:08 0103021 IP 192.168.1.249.137 > 192.168.1.255.137 : proto UDP: packet len: 58 checksum : 37405
    Date=2017-01-06 Time=10:50:08 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=2439711552 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:09 0101021 IP 192.168.1.249.137 > 192.168.1.255.137 : proto UDP: packet len: 58 checksum : 37405
    Date=2017-01-06 Time=10:50:09 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=4095810688 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:50:09 0103021 IP 192.168.1.249.137 > 192.168.1.255.137 : proto UDP: packet len: 58 checksum : 37405
    Date=2017-01-06 Time=10:50:09 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=137 dest_port=137 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=4095810688 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:59:02 0101021 IP 192.168.1.249.138 > 192.168.1.255.138 : proto UDP: packet len: 227 checksum : 42286
    Date=2017-01-06 Time=10:59:02 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev=Sophos inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=138 dest_port=138 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=3039721024 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

    2017-01-06 10:59:02 0103021 IP 192.168.1.249.138 > 192.168.1.255.138 : proto UDP: packet len: 227 checksum : 42286
    Date=2017-01-06 Time=10:59:02 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=7 source_mac=f8:db:88:fe:90:f9 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=138 dest_port=138 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=3039721024 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
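    As an added example (not from this thread, Sophos or ScreenConnect), a small Python script that separates the LAN broadcast/multicast denials in the XG drop log above from anything actually WAN-bound, and measures the gap between "Disconnected" events in an SC audit log shaped like the one quoted earlier. The LAN subnet 192.168.1.0/24, the TEST-NET addresses and the third audit-log pair are assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: the client LAN is 192.168.1.0/24, as the addresses quoted in this thread suggest.
LAN = ip_network("192.168.1.0/24")

# Well-known ports of the chatter the drop log shows; anything else is reported by number.
NOISE_PORTS = {137: "NetBIOS-NS", 138: "NetBIOS-DGM", 5355: "LLMNR"}

# Constructed sample: two entries shaped like the XG drop log in this thread (trimmed to the
# fields used here) plus one hypothetical WAN-bound TCP/443 drop to a TEST-NET address.
XG_DROP_LOG = """\
Date=2017-01-06 Time=10:47:02 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied in_dev=Port1 out_dev=Sophos source_ip=192.168.1.249 dest_ip=192.168.1.255 l4_protocol=UDP source_port=138 dest_port=138 fw_rule_id=0
Date=2017-01-06 Time=10:50:08 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied in_dev=Port1 out_dev=Sophos source_ip=192.168.1.249 dest_ip=224.0.0.252 l4_protocol=UDP source_port=64623 dest_port=5355 fw_rule_id=0
Date=2017-01-06 Time=10:50:09 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied in_dev=Port1 out_dev=Port2 source_ip=192.168.1.249 dest_ip=203.0.113.10 l4_protocol=TCP source_port=51234 dest_port=443 fw_rule_id=0
"""

# Constructed sample in the shape of the ScreenConnect audit log quoted in this thread; the
# public address is a TEST-NET placeholder and the 4:05:09 pair is added so that more than
# one interval can be measured.
SC_AUDIT_LOG = """\
1/6/2017 4:15:09 PM    - IA-S03 (DropBox 249)    Event: Connected, Process: Guest, Participant: , Address: 203.0.113.1, Data:
1/6/2017 4:15:09 PM    - IA-S03 (DropBox 249)    Event: Disconnected, Process: Guest, Participant: , Address: 203.0.113.1, Data:
1/6/2017 4:10:09 PM    - IA-S03 (DropBox 249)    Event: Connected, Process: Guest, Participant: , Address: 203.0.113.1, Data:
1/6/2017 4:10:09 PM    - IA-S03 (DropBox 249)    Event: Disconnected, Process: Guest, Participant: , Address: 203.0.113.1, Data:
1/6/2017 4:05:09 PM    - IA-S03 (DropBox 249)    Event: Connected, Process: Guest, Participant: , Address: 203.0.113.1, Data:
1/6/2017 4:05:09 PM    - IA-S03 (DropBox 249)    Event: Disconnected, Process: Guest, Participant: , Address: 203.0.113.1, Data:
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
AUDIT_RE = re.compile(r"^(\d+/\d+/\d{4} \d+:\d+:\d+ [AP]M)\s+-.*?Event: (\w+),")


def parse_xg_log(text):
    """Turn each 'key=value key=value ...' XG log line into a dict (empty values allowed)."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def classify(entry):
    """Say whether a denied entry is LAN-only chatter or traffic that actually leaves for the WAN."""
    dst = ip_address(entry["dest_ip"])
    port = int(entry["dest_port"])
    name = NOISE_PORTS.get(port, str(port))
    if dst.is_multicast:
        return f"lan-multicast ({name})"
    if dst == LAN.broadcast_address:
        return f"lan-broadcast ({name})"
    if dst in LAN:
        return "lan-local"
    return "wan-bound"


def wan_bound_drops(text):
    """Only WAN-bound denials could explain a dropped session to a hosted server; list them."""
    return [
        (e["Time"], e["dest_ip"], int(e["dest_port"]))
        for e in parse_xg_log(text)
        if e.get("log_subtype") == "Denied" and classify(e) == "wan-bound"
    ]


def disconnect_intervals(text):
    """Seconds between consecutive 'Disconnected' events in a ScreenConnect audit log."""
    stamps = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if m and m.group(2) == "Disconnected":
            stamps.append(datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"))
    stamps.sort()
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


def is_periodic(intervals, period=300, tolerance=5):
    """True when every interval is within `tolerance` seconds of `period` (5 min by default)."""
    return bool(intervals) and all(abs(i - period) <= tolerance for i in intervals)


if __name__ == "__main__":
    for e in parse_xg_log(XG_DROP_LOG):
        print(e["Time"], e["dest_ip"], e["dest_port"], classify(e))
    print("WAN-bound drops:", wan_bound_drops(XG_DROP_LOG))
    gaps = disconnect_intervals(SC_AUDIT_LOG)
    print("disconnect gaps (s):", gaps, "periodic:", is_periodic(gaps))
```

    Run against the real drop log, an empty WAN-bound list alongside a steady 300-second disconnect cadence points away from a firewall denial and towards something else resetting the session.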
  • Hi Sam,

    Try this: configure a plain FW-rule with all the filters set to NONE for a specific source IP address: LAN (192.168.1.249) > ANY > WAN.

    Do you discover any sort of disconnection on this source after this?

    Thanks

  • ScreenConnect continues to disconnect. 

    Forwarding rule placed on top:

    Source Zone: WAN  |  Allowed Client Networks: Any

    Destination Host/Network: 24.240.246.46  |  Forward Type: Everything

    Forwarded to, Protected Server (internal IP 192.168.1.249)

    Intrusion Prevention: None, Traffic Shaping: None  |  Synchronized Security: No Restriction  |  Minimum Destination HB Permitted: No Restriction

    Routing: Check ON: Rewrite source address (Masquerading)  |  Use Outbound Address (NAT policy using 24.240.246.46)  |  Check ON: Create Reflexive Rule

    ---------------------------------

    Test server on IP 192.168.1.249

    Correct public IP for outbound traffic detected (GRC Shields Up)

    GRC Shields Up report:

  • Hi Sam,

    This is a DNAT rule, I suppose. If you are trying to connect to a remote system hosted externally from a system behind the XG, then configure a LAN to WAN rule with a NONE filter. If there is any misunderstanding, I would be glad to realize it now rather than later.

  • These are the choices I'm given, in version 16 of SFOS

    When creating the rule, I choose Business Application Rule.

    Then select DNAT/Full NAT/Load Balancing.

  • Hi Sam,

    I read your initial question again: the ScreenConnect server is situated in your network; the question is, is the XG hosting these servers? The plain FW-rule was meant to be configured on the client's end, which is a user/network rule placed on the TOP with NONE filters defined.

    Thanks

  • ScreenConnect (Cloud version): the SC server is hosted in the Amazon AWS data center. The ScreenConnect clients are installed on the customer's servers behind the XG firewall - at the customer's business location.

    The plain FW-rule was created on the XG at the customer's site. I don't have access to the AWS data center; this is cared for by the ScreenConnect company.

    Confirmed, the plain FW-rule is on the TOP or highest position, above all other rules.

  • Hi Sam,

    I still don't see a Plain FW-rule on TOP! I see a WAN to LAN FW-rule. Check the screenshot for a glimpse of how the FW-rule must look and be placed.

    Thanks

  • I'm currently testing the XG and have noticed the same behaviour. Creating an ANY ANY rule on top did not seem to make a difference. I've since changed the rule to be ANY -> Known IP and it also does not help the behaviour, but it is clearly the rule being used, as the traffic count increases and a packet capture in the GUI shows this rule ID being used. Is there any way to download these web GUI packet captures as regular pcap files?

    The rule:

    Entries in the firewall log (from the log viewer) show that this happens reliably every 5 minutes.

    This is also reflected in the connection timeline on our ScreenConnect server - the one here showing 13 minutes was a connection bypassing the XG.

    While the client was connected, only a few packets went through the XG, displaying only 3 lines in the packet capture GUI. Once the connection dropped and re-established, the packet capture page count jumped up to 19! This probably isn't very informative (surely there's a way to export this as a pcap?), but here is a sample of the packet capture, which does show some packets hitting a different rule ID for some reason.

    To clarify info on the IPs above:
    172.16.16.30 - client machine
    172.16.16.16 - XG LAN Port1
    10.0.3.15 - XG WAN Port2
    ***.99 - ScreenConnect server

    Hope this somehow helps us all get to the bottom of this one!