Application filter for NTP

I have various rules for users with different time restrictions, and then a final rule to always allow various sites and services.

I have added an application policy called "Always Allowed" which includes the application "NTP". It isn't working though.

The application log shows the destination port of 123, but no Application Category or Application, and an Action of Denied. The Policy ID is my catchall rule, and the Message ID is 17051. I'm guessing that port 123 isn't getting correctly detected as NTP and so is being blocked.

The particulars of my rule are:

Source Zone / Network / Time: LAN / Any / All the time

Dest Zone / Network / Services: WAN / Any / Any

Match known users: unticked

Malware scanning: Only HTTP ticked

Intrusion Policy: None

Traffic Shaping Policy: None

Web Policy: None (I have tried Allow All too)

Application Policy: Always Allowed (my rule that includes NTP)

Any idea why this isn't working?

thanks

James
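A client-side check for whether UDP/123 actually gets through a firewall rule, added here as an example and not part of the original thread: it builds the 48-byte NTPv4 client request that the firewall sees on the wire, sends it to a configured NTP server, and parses the reply; a timeout means the rule is dropping the packet, while a reply with mode 4 means the NTP exchange completed. The server hostname in the usage line is a placeholder to be replaced with one of the sites configured on the XG, and the embedded sample reply is constructed so the parser can be exercised offline.

```python
import socket
import struct
import sys

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800


def build_ntp_request(version=4):
    """Build a minimal 48-byte NTP client request.

    First byte packs LI (2 bits) = 0, VN (3 bits) = version, Mode (3 bits) = 3 (client).
    This is the header an application-detection engine would need to classify
    the datagram as NTP; everything after it is left zero, as ntpdate/sntp do.
    """
    first_byte = (0 << 6) | (version << 3) | 3
    return bytes([first_byte]) + bytes(47)


def parse_ntp_response(data):
    """Parse the fixed NTP header and return LI/VN/Mode, stratum and transmit time."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    li = data[0] >> 6
    version = (data[0] >> 3) & 0x07
    mode = data[0] & 0x07
    stratum = data[1]
    # Transmit Timestamp occupies bytes 40..47: 32-bit seconds, 32-bit fraction.
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    unix_time = tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2 ** 32
    return {
        "li": li,
        "version": version,
        "mode": mode,
        "stratum": stratum,
        "transmit_time": unix_time,
    }


def query_ntp(host, port=123, timeout=3.0):
    """Send one client request and return the parsed reply.

    Raises socket.timeout when nothing comes back, which is what a firewall
    rule silently dropping UDP/123 looks like from the LAN host.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_ntp_request(), (host, port))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    reply = parse_ntp_response(data)
    if reply["mode"] != 4:
        raise ValueError("unexpected NTP mode %d (expected 4 = server)" % reply["mode"])
    return reply


# Constructed sample reply for offline testing (not a real capture):
# byte 0 = 0x24 -> LI 0, VN 4, Mode 4 (server); stratum 2; transmit
# timestamp = 3908988800 s + 0.5 s, i.e. Unix time 1700000000.5.
SAMPLE_RESPONSE = bytes([0x24, 0x02]) + bytes(38) + struct.pack("!II", 3908988800, 0x80000000)


if __name__ == "__main__":
    # Placeholder host: substitute one of the NTP sites configured on the firewall.
    target = sys.argv[1] if len(sys.argv) > 1 else "ntp.example.invalid"
    try:
        print(query_ntp(target))
    except socket.timeout:
        print("no reply from %s on UDP/123: the firewall rule is not passing NTP" % target)
```

Run it from a host that falls under the "Always Allowed" rule and compare with a run from a host covered by the default Allow All rule; if only the latter gets a reply, the application policy, not the server, is what is dropping port 123.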



  • Hi James,

    What have you set up as your NTP sites? Test that you can access them using the XG tools.

    Ian

  • NTP works if my device is covered by the default Allow All applications rule, just not with my application rule that only allows NTP. And the Application Log shows that port UDP/123 isn't even being detected as NTP.

  • James,

    Web and Application filters should be used only on HTTP/HTTPS traffic, because XG manages this traffic by inspecting the traffic encapsulated inside HTTP/HTTPS. For controlling other non-HTTP/S traffic, a separate firewall rule must be used.

    So:

    • A network rule for non-HTTP/S traffic where "None" is set in the Web and Application filter fields.
    • A network rule where only HTTP/S traffic is allowed, scanned and controlled by the Web and App filters.

    Regards

  • Hi Iferrara,

    That makes no sense. Why can I create an application rule for NTP if I can't actually use it? There are application definitions for all sorts of non-HTTP(S) traffic.

    James

  • James,

    Application and Web Filters are used to manage only HTTP/S traffic or traffic that is encapsulated inside HTTP/S traffic. Allowing the NTP service (UDP 123) is done via a network firewall rule without App or Web filters applied. NTP should not even be in the list of Applications (maybe a Sophos mistake).

    Regards

  • I'm with you on this one James.

    It seems the Application rules on XG are both misunderstood and bug-laden. I've noticed some application rules that seem to have ZERO effect (IRC for one) and others (SSH) that work fine. Unfortunately, the only way to identify which application definitions actually work is to test each one. Fun.

    Anyway, a work-around would be to create a single firewall rule at the top of your chain that allows any traffic from LAN to WAN where the destination protocol is NTP. Granted, this is just using TCP/port combinations rather than protocol/packet inspection, but should be a viable option.

  • Hi James and Gary,

    I still do not understand a few things:

    • Why do you use the Application filter to block/allow non-HTTP/S traffic?
    • If your non-HTTP/S traffic is not blocked, I guess you do not have a default deny rule, or you simply use a LAN to WAN firewall rule where the service is Any and the action is Allow?

    As I wrote many times in this thread, Application filters are able to block/filter HTTP/S traffic because many products encapsulate their software inside an HTTP/S tunnel, and so if an application firewall is not used, the encapsulated traffic is not filtered.

    NTP, IRC and other non-HTTP/S applications should not be in the Application filters. It is like trying to block non-HTTP/S traffic using Web Filters.

    , can you investigate why there are non-HTTP/S applications inside the Application filters?

    Here users are using it in the wrong way.

    Thanks