
How do I work out what is getting blocked

Hi,

I am having issues with my kids network. I have a heap of the usual categories blocked to try and keep them safe but have allowed games for their iPads.

I have the Sophos Authentication agent and certificate loaded onto their iPads.

They have a game called Minion Rush that connects to *.gameloft.com

In the web content logs, I get all green allows and no red blocks at all. However the game reports that there is no internet connection present.

If I go over to the "parents" network which is far more relaxed, it works fine. 

This is the same for the App store too.

The logging is showing absolutely no blocks at all.

Can somebody please advise what I am doing wrong?



This thread was automatically locked due to age.
  • Thanks once again for helping out, Luk.

    My issue is that here is one of the drop-packet captures:

    • 2017-07-02 15:04:20 0101021 IP 192.168.44.2.50881 > 103.232.1.22.443 : proto TCP: S 870397542:870397542(0) win 65535 checksum : 1590
    • 0x0000:  4500 0040 6377 4000 3f06 8298 c0a8 2c02  E..@cw@.?.....,.
    • 0x0010:  67e8 0116 c6c1 01bb 33e1 3666 0000 0000  g.......3.6f....
    • 0x0020:  b002 ffff 0636 0000 0204 05b4 0103 0305  .....6..........
    • 0x0030:  0101 080a 1f25 8935 0000 0000 0402 0000  .....%.5........
    • Date=2017-07-02 Time=15:04:20 log_id=0101021
    • log_type=Firewall
    • log_component=Firewall_Rule
    • log_subtype=Denied log_status=N/A
    • log_priority=Alert duration=N/A in_dev=Port2 out_dev=Port3 inzone_id=1 outzone_id=2 source_mac=5c:ad:cf:b7:a6:84 dest_mac=00:0c:29:32:9c:27 l3_protocol=IP source_ip=192.168.44.2 dest_ip=103.232.1.22 l4_protocol=TCP source_port=50881 dest_port=443
    • fw_rule_id=0
    • policytype=0
    • live_userid=0
    • userid=0
    • user_gp=0
    • ips_id=0
    • sslvpn_id=0
    • web_filter_id=0
    • hotspot_id=0
    • hotspotuser_id=0
    • hb_src=0
    • hb_dst=0
    • dnat_done=0
    • proxy_flags=0
    • icap_id=0
    • app_filter_id=0
    • app_category_id=0
    • app_id=0
    • category_id=0
    • bandwidth_id=0
    • up_classid=0
    • dn_classid=0
    • source_nat_id=0
    • cluster_node=0
    • inmark=0x0
    • nfqueue=0
    • scanflags=0
    • gateway_offset=0
    • max_session_bytes=0
    • drop_fix=0
    • ctflags=0
    • connid=55025664
    • masterid=0
    • status=256
    • state=1
    • sent_pkts=N/A
    • recv_pkts=N/A
    • sent_bytes=N/A
    • recv_bytes=N/A
    • tran_src_ip=N/A
    • tran_src_port=N/A
    • tran_dst_ip=N/A
    • tran_dst_port=N/A

    To me there's a lot of "0", which makes me think that, for example, fw_rule_id=0 therefore wasn't blocked. The only "1" I can see is "state", but this isn't exactly helping me in the right direction just yet, and the URL you sent states how to run the capture but doesn't elaborate on reading it.

  • Daniel,

    The log id is 0101021, which means the traffic is dropped because a firewall rule does not exist. I would suggest you put the URL or the destination IP inside Web > Exceptions. Try checking HTTPS decryption and Policy check.

    Regards

  • Thanks Luk,

    Well, as a matter of fact, it appears to be under the firewall rule - yes, but with Application Control set to block generally unwanted apps. The logging didn't state this at all; it was just by chance that I turned everything to allow and worked back.

    I saw a post from you regarding V17 and Sophos' motto about "Security made simple". I couldn't agree with you more on them having to make these logs easier to read! Yes, I may be running a home XG; however, I spend over $30,000 AUD per year with Sophos on annual maintenance, and there is NO WAY that I would be moving away from our SG appliances for the XG with it in its current form. I love the XG over the SG for home use, as I just find it way more stable than my SG was on ESXi, but running an XG in a corporate environment would require my system administrator to be 100% network administration just to maintain an XG.

    I appreciate your help. I am now onto running the drop-packet command to ascertain why the App Store works on the "Parents" rule but not the "Kids" rule.


    Thanks in advance
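Reading the drop-packet-capture record posted above, as an added example (this is not code from the thread or from Sophos): the script below rebuilds the SYN from the hex dump, checks it against the tcpdump-style summary line, and reads the key=value fields the way Luk did (log_subtype=Denied with fw_rule_id=0 and every other policy id at 0). The three inputs are the values Daniel posted; the `classify_drop` heuristic, the `POLICY_ID_FIELDS` list and the note that all-zero ids do not rule out Application Control (which is what Daniel eventually found) are assumptions of this example, not documented XG field semantics.

```python
"""Decode and cross-check a Sophos XG drop-packet-capture record (added example for this
thread, not Sophos code).  SUMMARY, HEXDUMP and FIELDS are copied from Daniel's post; the
reading of fw_rule_id=0 follows Luk's reply and is an assumption, not a documented rule."""
import re
import struct
from ipaddress import IPv4Address

SUMMARY = ("2017-07-02 15:04:20 0101021 IP 192.168.44.2.50881 > 103.232.1.22.443 : "
           "proto TCP: S 870397542:870397542(0) win 65535 checksum : 1590")
HEXDUMP = """\
0x0000:  4500 0040 6377 4000 3f06 8298 c0a8 2c02  E..@cw@.?.....,.
0x0010:  67e8 0116 c6c1 01bb 33e1 3666 0000 0000  g.......3.6f....
0x0020:  b002 ffff 0636 0000 0204 05b4 0103 0305  .....6..........
0x0030:  0101 080a 1f25 8935 0000 0000 0402 0000  .....%.5........
"""
# key=value part of the same record, joined onto one line and trimmed to the fields used here.
FIELDS = ("Date=2017-07-02 Time=15:04:20 log_id=0101021 log_type=Firewall "
          "log_component=Firewall_Rule log_subtype=Denied log_priority=Alert in_dev=Port2 "
          "out_dev=Port3 inzone_id=1 outzone_id=2 source_ip=192.168.44.2 dest_ip=103.232.1.22 "
          "l4_protocol=TCP source_port=50881 dest_port=443 fw_rule_id=0 policytype=0 userid=0 "
          "ips_id=0 web_filter_id=0 app_filter_id=0 app_id=0 category_id=0 connid=55025664 "
          "status=256 state=1")
# Record fields that name a policy object (assumption; zone ids deliberately excluded).
POLICY_ID_FIELDS = ("fw_rule_id", "ips_id", "sslvpn_id", "web_filter_id", "hotspot_id", "icap_id",
                    "app_filter_id", "app_category_id", "app_id", "category_id", "bandwidth_id",
                    "source_nat_id")
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}


def parse_summary(line):
    """Log id, endpoints, seq, payload length and window from the tcpdump-style first line."""
    m = re.search(r"(?P<log_id>\d{7}) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                  r"(?P<dst>[\d.]+)\.(?P<dport>\d+) : proto (?P<proto>\w+): \S+ "
                  r"(?P<seq>\d+):\d+\((?P<payload>\d+)\) win (?P<win>\d+)", line)
    if not m:
        raise ValueError("unrecognised summary line: %r" % line)
    d = m.groupdict()
    for key in ("sport", "dport", "seq", "payload", "win"):
        d[key] = int(d[key])
    return d


def hexdump_to_bytes(dump):
    """Raw bytes from the offset / hex / ASCII dump; the ASCII column is ignored."""
    words = []
    for line in dump.splitlines():
        m = re.match(r"0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4}(?: |$))+)", line)
        if m:
            words.extend(m.group(1).split())
    return bytes.fromhex("".join(words))


def decode_ipv4_tcp(pkt):
    """IPv4 and TCP header fields of one captured packet (TCP options are not parsed)."""
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (vihl & 0x0F) * 4
    sport, dport, seq, ack, off_flags, window, csum, _ = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    tcp_len = (off_flags >> 12) * 4          # data offset is in 32-bit words
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "ttl": ttl,
            "total_length": total_len, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [n for bit, n in sorted(TCP_FLAGS.items()) if off_flags & bit],
            "window": window, "checksum": csum, "tcp_header_len": tcp_len,
            "payload_len": total_len - ihl - tcp_len}


def cross_check(summary, pkt):
    """True when the summary line and the hex dump describe the same packet."""
    keys = (("src", "src"), ("sport", "sport"), ("dst", "dst"), ("dport", "dport"),
            ("seq", "seq"), ("payload", "payload_len"), ("win", "window"))
    return all(summary[a] == pkt[b] for a, b in keys)


def parse_fields(block):
    """Split the key=value block into a dict; values stay strings ('N/A', '0x0', '0')."""
    return dict(re.findall(r"(\w+)=(\S+)", block))


def referenced_policies(fields):
    """Policy id fields that are non-zero, i.e. the objects the record actually names."""
    return [k for k in POLICY_ID_FIELDS if fields.get(k, "0") not in ("0", "N/A")]


def classify_drop(fields):
    """Read a Denied record the way Luk did: fw_rule_id=0 means no firewall rule matched.
    Assumption: a non-zero id names the policy that acted, but all-zero ids do not prove
    no policy was involved (Daniel's block came from Application Control with app_filter_id=0)."""
    if fields.get("log_subtype") != "Denied":
        return "not a denial (log_subtype=%s)" % fields.get("log_subtype")
    named = referenced_policies(fields)
    if named:
        return "denied by policy: " + ", ".join("%s=%s" % (k, fields[k]) for k in named)
    if fields.get("fw_rule_id") == "0":
        return ("denied: no matching firewall rule (log_id=%s, fw_rule_id=0); all policy ids are 0, "
                "so also check Application Control and web policy on the rule you expected to match"
                % fields.get("log_id"))
    return "denied: fw_rule_id=%s" % fields["fw_rule_id"]


if __name__ == "__main__":
    pkt = decode_ipv4_tcp(hexdump_to_bytes(HEXDUMP))
    print(pkt, cross_check(parse_summary(SUMMARY), pkt), classify_drop(parse_fields(FIELDS)), sep="\n")
```

Run as-is it decodes the posted SYN (192.168.44.2:50881 to 103.232.1.22:443, TTL 63, window 65535, TCP checksum 0x0636 = 1590, 44-byte TCP header, no payload), confirms the summary line describes the same packet, and reports the record as a denial with no firewall rule id and no other policy id set. Feeding it a record where one of the policy ids is non-zero makes `classify_drop` name that policy instead, which is the quick way to tell a "no rule matched" drop from a policy-driven one in a longer capture.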

  • Daniel,

    Feel free to add your comments to all posts and bring your experience. XG is still "rough". Logging will be improved in v17, and the v17 beta should be far away (August/September). SG is simple and works as expected. Even an IT manager can manage it.

    I am sure Sophos will surprise us with v17 and v18; otherwise... customers will leave Sophos and move to another vendor. This is simple!