Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 30 replies
  • Answers 3 answers
  • Subscribers 30 subscribers
  • Views 54705 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Application filter for NTP

jamesharper

I have various rules for users with different time restrictions, and then a final rule to always allow various sites and services.

I have added an application policy called "Always Allowed" which includes the application "NTP". It isn't working though.

The application log shows the destination port of 123, but no Application Category or Application, and an Action of Denied. The Policy ID is my catchall rule, and the Message ID is 17051. I'm guessing that port 123 isn't getting correctly detected as NTP and so is being blocked.

The particulars of my rule are:

Source Zone / Network / Time: LAN / Any / All the time

Dest Zone / Network / Services: WAN / Any / Any

Match known users: unticked

Malware scanning: Only HTTP ticked

Intrusion Policy: None

Traffic Shaping Policy: None

Web Policy: None (I have tried Allow All too)

Application Policy: Always Allowed (my rule that includes NTP)

Any idea why this isn't working?

thanks

James



This thread was automatically locked due to age.
Parents
  • 0

    Hi James,

    Looking at your FW-rule description, I can see all the Services are Allowed. I don't see a reason why the NTP is blocked when the services are open and Application Filter tells XG to Allow All. If you suspect that Application Filter is blocking NTP services then check, Log Viewer > Application Filter; it will only log Denied Traffic. This will give you a general idea if the Application Filter is doing a false positive and we could raise a request to fix that.

    Thanks

  • 0 in reply to sachingurung

    can you explain in few lines how to properly use the Application filter?

    I guess that in the Application lists there are some Apps that should not be there. Can you check internally and reply here back.

    Thanks

  • 0 in reply to lferrara

    UTM does non-HTTP/HTTPS as well. I just checked, there are application definitions for things like DHCP.  Definitions like Clash of Clans probably (I don't know for sure) apply to the higher level ports they connect to the game servers with.

     

    In scenario 6, the traffic is blocked by the firewall.  The application filter does not come into play.  An application filter Allow cannot override a firewall Block.

     

    Let me rephrase 2 more ways:

    1) In order for HTTPS traffic to be allowed it must be allowed by all of these systems (Firewall, Category, Certificate, Antivirus, Application) and if any one of those systems says Blocked then the traffic is blocked.  In order for NTP traffic to be allowed it must be allowed by all of these systems (Firewall, Application) and if any one of those systems says Blocked then the traffic is blocked.

    2) Traffic passes through a series of filters, in order.  Each filter has the ability to block the traffic, or allow it through its own filter and on to the next filter.  A packet on port 123 (which is what NTP uses) arrives with a particular source and destination.  The firewall tries to find a firewall rule that says matches that source, destination, and port.  If no firewall rules are matched the packet is dropped.  If a firewall rule does match then that rule is selected and it looks at the configured Application Filter for that firewall rule.  The IPS then looks at the packet on port 123 and it can apply its own filter about whether that packet is NTP or not and whether to drop it or to pass through its filter.  Possibly after IPS there may be other filters.

    One point in (2) that explains this specific scenario.  Lets say you have 5 rules, each of them have different Application Filters.  None of the rules apply to port 123.  Given that no firewall rule matches, how would the system even know what application filter you wanted?  You must have a matching firewall rule before you can even choose which policy that IPS applies.

  • 0 in reply to jamesharper

    James,

     

    There is hope. I have no idea why this started working. I just know that it did.

     

     

    Could it be this? 

     

    [^o)]

  • 0 in reply to Michael Dunn

    Thanks Michael.

    Reading the scenario 6 again gave me the idea why traffic is blocked (because the Application filter exists but it is not attached to any firewall rule). Sorry but it was not clear for me the scenario 6.

    I know how the packets are inspected and how the flow works.

    So in terms of Application filter, this is something newer and should be improved. I mean, if the application filter is used to allow/block application (even non-http/s), you should add more and more application inside the filter. For example, by creating application for Office365, Playstation games, etc...instead of using Firewall rules.

    At the moment if a certain application is allowed, on XG admins can get mad because allowed Applications are not even logged. So imagine 20/30 rules with each one with its own Application filters, finding which App and which firewall rules (because combination of them can exist) can be very hard to debug.

    So you should log even allowed applications, as UTM9 does or find a proper way to give us more log without using tcpdump.

    Thanks

  • 0 in reply to lferrara

    I'm not the one who is determining which applications should be included or not.  But if you think there are applications that should be added, feel free to raise that request.  But let me challenge you on your examples, lets say Office365.

    Can you give me a real world example where you would ever create a Application Filter with a rule that would Allow Office365?  Remember, an application Allow rule will do nothing to allow Office365 unless you also have an application rule that blocks Office365.

    Can you give me a real world example where you would ever create a Application Filter with a rule that would Block Office365?  Is there a business need to ever do this?

    If you want to know about application detection (not enforcement), as far as I know any firewall rule that includes any Application Filter (such as Allow All) will mark and log all traffic that successfully gets through that firewall rule.  If you find that there are applications that the XG supports in the list that are not being logged, it could be that they are not logged because they are allowed via a rule that does not contain an Application Filter, or it could be that they are not logged because the traffic is not matching any firewall rule and is blocked.

    If you want to know about applications that the firewall is blocking, you need to use tcpdump.  IPS / Application Filter cannot tell you because it was dropped before it got there.

    Remember - the Application Filter is used to Block applications that are making it through your firewall.  It is not used to Allow applications.  Therefore the application detection is only used on traffic that is allowed via a firewall rule, where that firewall rule has an application filter assigned.

  • 0 in reply to Michael Dunn

    Michael,

     

    Thank you for taking the time to jump in and explain a few things. This has helped clarify some of the expected behavior. That said, there is some very inconsistent (buggy) behavior in the way the Application Filter works within XG.

    The three firewall rules in the above screenshot correspond to your scenarios 1,2, and 4 using LDAP as the test protocol.  I skipped 3 for no good reason other than I missed it.  Anyway, scenario 1 and 2 are as expected but scenario 4 failed miserably.

    The application filter log above shows the denied result of scenario 2 on the bottom, which was expected. The FW rule allowed but filter denied LDAP protocol specifically. The top line of the log however is the result of scenario 4. The cloned FW rule was given an application filter which was base deny and explicit LDAP allow. In this instance, the LDAP traffic was not even identified by XG as being LDAP traffic and was blocked in contradiction to the application filter.

    This misbehavior is consistent with what I've seen trying to test NTP traffic. When the application filter is set to deny NTP it identifies NTP on port 123 correctly and blocks the traffic. When set to allow NTP traffic, XG does not recognize NTP and blocks the traffic anyway.

    I'm not trying to pick apart XG or be difficult... just think we've identified a bug in the application filter and trying to help understand it.

  • 0 in reply to Michael Dunn

    Thanks Michael....however allowed Apps are not moniterd. XG Application filters log only blocked Apps.

    Imagin you have a firewall rule where the Application filter is deny all but allow few application. How can users determine if that App is allowed and which App is allowing it?

    At least this happens at the moment with current version. and replied many times that XG logs only denied App and not allowed one.

    Anyway, I appreciate yours replies here...even if it is not your topic!

  • 0 in reply to Gary Parr

    It's not working for me, even with that pattern update.

    I have an application filter with a default of "Allow", but with a rule that denies all applications, and NTP still gets through the firewall.

    When I change that to an application filter with a default of "Deny", but with a rule that allows NTP, NTP is still blocked, and the log entry for port 123 does not identify the application as NTP.

    :(

    James

  • 0 in reply to jamesharper

    James, can you double check your last test? When I run the different scenarios identified by Michael (and include your scenario as well) I get the correct result on all tests except where NTP is specifically allowed on a default-deny filter. This result is similar to my testing with the LDAP protocol.

    In the above FW rules, each rule has an application filter as specified:

    1. No filter
    2. Application Filter of Block NTP, default Allow
    3. Application Filter of Allow NTP, Block (select All), default Allow
    4. Application Filter of Allow NTP, default Block
    5. Application Filter of Block (select All), default Allow

    My testing results are as follows:

    1. Allowed (correct)
    2. Blocked (correct)
    3. Allowed (correct)
    4. Blocked (incorrect)
    5. Blocked (correct)

    And, just like LDAP traffic was not identified as LDAP traffic in scenario 4 in my previous tests, NTP traffic was not identified as NTP traffic in the logs when I ran scenario 4 here as well. The issue I was experiencing previously, where NTP was not handled at all by the application filter, is something I have not been able to reproduce after receiving the signature update. Did that update fix part of the issue? Or was there a flaw in my previous test? I have no idea.  But... I have repeatedly been able to replicate a bug where a default block filter with explicit allow (scenario 4) does not behave as expected.

  • 0 in reply to lferrara

    Hi Luk,

    I support this request and you can raise the request on Sophos Ideas for logging Allowed Applications in the LogViewer. Check #2 in my

    Just for a bit more information here, Check #2 in my Troubleshooting Guide, IPS(Application Filter) in XG is accounted at the bottom of the list and any traffic that is allowed will be processed by all the other check before falling into Application Filter check. So considering that the blocks are logged in Log Viewer, if something is allowed and not logged then, it becomes certain that Application Filter is not blocking it and one must eventually take a step back and configure a Firewall Rule to block the services.

    Thanks

  • 0 in reply to sachingurung

    Thanks Saching,

    but I will not open a feature request for standard feature. It is like opening a feature request for logging traffic on Firewall. Reports report which applications are used but live logs do not.

    Still incredible how certain things work on this "Cyberoam OS like."

    Really disappointed! [:@]

     

Reply
  • 0 in reply to sachingurung

    Thanks Saching,

    but I will not open a feature request for standard feature. It is like opening a feature request for logging traffic on Firewall. Reports report which applications are used but live logs do not.

    Still incredible how certain things work on this "Cyberoam OS like."

    Really disappointed! [:@]

     

Children
No Data