[9.260] Advanced Threat Protection bug?

Hi Twister5800,

Do you use the UTM as DNS server? If not you might be hit by an ATP improvement for setups where the clients use a DNS server other than the UTM. Previously in such setups DNS requests were not caught at all by the ATP feature. Now they are.

If you use the web filtering in transparent mode, the UTM will see the DNS request before the actual HTTP request. So, if ATP decided to block that DNS request, your browser will not even get an IP address to fetch the block page from.

So, if your issue is related to this behavior change, then yes, this is by design. A work-around could be to configure the proxy in standard mode and explicitly configure it in the browser.

Best regards,
mlenk

Hi Twister5800,

Do you use the UTM as DNS server? 

Hi mlenk,

I have just tested around:

- Computers using domain controller as DNSs server, work with the "blocked screen"

- Computers using the UTM as default DNS does NOT get the "blocked" screen, and have the symtoms I wrote about earlier.

I use the UTM as Transparent Proxy.

Can computers reach the domain controller directly, or is the UTM between these computers and the domain controller?

Can computers reach the domain controller directly, or is the UTM between these computers and the domain controller?

Yes, they can reach the DC directly.

Okay, that explains why DNS doesn't get blocked by ATP then.

Back to those computers that you have an issue with:

Computers using the UTM as default DNS does NOT get the "blocked" screen, and have the symtoms I wrote about earlier.

In this setup the ATP behavior shouldn't have changed. Did these computers really get the "blocked" screen before you upgraded to the UTM 9.3 beta? I.e. were these computers really able to do DNS to sites listed in ATP? If so, please provide more details about the reported block reason in UTM.

Regards,
mlenk

Okay, that explains why DNS doesn't get blocked by ATP then.

Back to those computers that you have an issue with:


In this setup the ATP behavior shouldn't have changed. Did these computers really get the "blocked" screen before you upgraded to the UTM 9.3 beta? I.e. were these computers really able to do DNS to sites listed in ATP? If so, please provide more details about the reported block reason in UTM.

Regards,
mlenk

Okay, just tried now:

With 9.3:

- Web filtering log:
 No entries whatsoever that site is blocked

-ATP Log:

(ATP)" srcip="192.168.110.9" dstip="193.162.153.164" fwrule="63001" proto="17" threatname="Troj/MSIL-ALL" status="1" host="whatismyipaddress.com" url="-" action="drop"
2014:10:06-10:40:31 fw02 afcd[4815]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.110.104" dstip="192.168.10.10" fwrule="63001" proto="17" threatname="Troj/MSIL-ALL" status="1" host="whatismyipaddress.com" url="-" action="drop"
2014:10:06-10:40:35 fw02 afcd[4815]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.110.9" dstip="193.162.134.83" fwrule="63001" proto="17" threatname="Troj/MSIL-ALL" status="1" host="whatismyipaddress.com" url="-" action="drop"
2014:10:06-10:40:42 fw02 afcd[4815]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.110.104" dstip="192.168.10.10" fwrule="63001" proto="17" threatname="Troj/MSIL-ALL" status="1" host="whatismyipaddress.com" url="-" action="drop"
2014:10:06-11:36:43 fw02 afcd[4789]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.110.9" dstip="193.162.153.164" fwrule="63001" proto="17" threatname="Troj/MSIL-ALL" status="1" host="whatismyipaddress.com" url="-" action="drop"
2014:10:06-11:36:43 fw02 afcd[4789]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.110.104" dstip="192.168.10.10" fwrule="63001" proto="17" threatname="Troj/MSIL-ALL" status="1" host="whatismyipaddress.com" url="-" action="drop"
2014:10:06-11:36:47 fw02 afcd[4789]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.110.9" dstip="193.162.134.83" fwrule="63001" proto="17" threatname="Troj/MSIL-ALL" status="1" host="whatismyipaddress.com" url="-" action="drop"
2014:10:06-11:36:51 fw02 afcd[4789]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.110.9" dstip="192.228.79.201" fwrule="63001" proto="17" threatname="Troj/MSIL-ALL" status="1" host="whatismyipaddress.com" url="-" action="drop"
2014:10:06-11:36:55 fw02 afcd[4789]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.110.9" dstip="193.162.153.164" fwrule="63001" proto="17" threatname="Troj/MSIL-ALL" status="1" host="whatismyipaddress.com" url="-" action="drop"
2014:10:06-11:36:55 fw02 afcd[4789]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.110.104" dstip="192.168.10.10" fwrule="63001" proto="17" threatname="Troj/MSIL-ALL" status="1" host="whatismyipaddress.com" url="-" action="drop"
2014:10:06-11:36:59 fw02 afcd[4789]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.110.9" dstip="193.162.134.83" fwrule="63001" proto="17" threatname="Troj/MSIL-ALL" status="1" host="whatismyipaddress.com" url="-" action="drop"
2014:10:06-11:37:03 fw02 afcd[4789]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.110.9" dstip="192.33.4.12" fwrule="63001" proto="17" threatname="Troj/MSIL-ALL" status="1" host="whatismyipaddress.com" url="-" action="drop"
2014:10:06-11:37:06 fw02 afcd[4789]: id="2022" severity="warn" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" srcip="192.168.110.104" dstip="192.168.10.10" fwrule="63001" proto="17" threatname="Troj/MSIL-ALL" status="1" host="whatismyipaddress.com" url="-" action="drop"

- "Blocked" screen shown on client computer: NO

- Is UTM the clients default DNS: YES


---------------------------
With 9.2:

- Web filtering log:

2014:10:06-11:42:19 fw02 httpproxy[5816]: id="0068" severity="info" sys="SecureWeb" sub="http" name="web request blocked, threat detected" action="block" method="GET" srcip="192.168.110.104" dstip="" user="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2671" request="0x1104a5c0" url="http://whatismyipaddress.com/" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="718" device="0" auth="0" virus="Troj/MSIL-ALL"
2

-ATP log:

Completely empty [:S]

- "Blocked" screen shown on client computer: YES

- Is UTM the clients default DNS: YES


So YES, there is a big difference with 9.2  9.3 [;)]

Thanks for clarifying. I will take a detailed look.

Thanks for clarifying. I will take a detailed look.

  

Have you looked further into this? [;)]

Sent from my iPhone using Astaro.org

9.301-2 with ATP / IPS (all) / WF / file patterns enabled, using UTM DNS only.

Went to whatismyipaddress.com & mxtoolbox.com... pages load fine

ATP log empty, web filter log says both passed

Being told by others I'm bypassing ATP by using only UTM DNS. Can others expand on this please? How would I know one way or the other? Any ideas?