
Website won´t load - Sophos SG105v2 - UTM 9.5

Hello,

I'm suddenly experiencing an issue where the website "poe.trade" won't load.

Tried with Internet Explorer, Firefox, Chrome and Edge, all with the same result: the website times out.

 

I have tried different things on my UTM to resolve this:

* Enabled/disabled Web Protection/Web Filtering, IPS, ATP

* Tried different DNS servers: OpenDNS, Google DNS, ISP DNS

None of the above things make any difference.

No blocked requests appear in my firewall live log.

If I take my laptop and connect directly to my fiber box, then the website loads just fine, so the problem definitely seems to be the Sophos UTM firewall.

 

How should I go about finding the culprit in this scenario?

 

Thanks in advance.

//Hans-Peder



  • Hi, Hans-Peder, and welcome to the UTM Community!

    I had no problem connecting.  Here's a line from our Web Filtering log - please show us one from yours where there's a timeout.

    2017:10:02-12:28:50 sophos httpproxy[7283]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.x.y.64" dstip="104.18.51.127" user="MuUser" group="Open Web Access" ad_domain="OurDomain"  statuscode="200" cached="0" profile="REF_RMxbSZXQTi (Office)" filteraction="REF_IiqUeSGrWr (Open Web Access)" size="671" request="0xa08d8a00" url="http://poe.trade/favicon.ico" referer="" error="" authtime="0" dnstime="2166" cattime="272947" avscantime="109986" fullreqtime="783205" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0" exceptions="" category="181" reputation="neutral" categoryname="Marketing/Merchandising" country="United States" application="openx" app-id="836" sandbox="-" content-type="image/x-icon"

    It's possible that you don't have DNS configured correctly.  Compare your setup to DNS best practice.

    Cheers - Bob

  • Hi Bob,

    Thanks for your answer.

    I have enabled my web filtering and made a few requests for the website poe.trade.

    I might be doing something wrong, but I cannot find anything from the requested address in the "Live Log: Web Filtering":

    (Could this be a request for this?):
     
    2017:10:02-21:42:06 fw01 httpproxy[30919]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.48.15" dstip="104.19.193.102" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="116097" request="0xcb903e00" url="https://cdnjs.cloudflare.com/" referer="" error="" authtime="0" dnstime="22166" cattime="2756610" avscantime="0" fullreqtime="212043239" device="0" auth="0" ua="" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" application="cloudflr" app-id="910"
     
     
    Regarding the DNS configuration, I have tried a few different configurations:
    - On the client I'm currently using, the network is configured manually, not with DHCP.
      - The DNS is configured to use the firewall first, and then 8.8.8.8 second.
    As mentioned in my original post, I have tried to configure different forwarders on the UTM DNS server (Google DNS, OpenDNS, ISP DNS etc.), but no luck.

    This whole issue has occurred out of the blue: I have used this website frequently for a long time (more than 2 years), and suddenly, without any changes made to the UTM configuration, I cannot load this site.

    I have also tried loading this site at my work, where we also use a Sophos UTM, and I get the same result. Timeout.

    Could this be caused by one of the newer Sophos UTM updates? I'm currently running Release 9.503-4.
     
    //Hans-Peder
     
     
  • The UTM I was behind for this was running 9.503, too.  This must be a configuration issue in the two UTMs you're behind.

    If you search your Web Filtering logs, can you identify when you were last able to reach the site?

    # zgrep 'poe\.trade' /var/log/http/2017/09/* 

    Cheers - Bob

  • Hi again,

     

    Looking further into this, I have found that I was mistaken in my first description, which stated that I had tried with IPS disabled.

    This was not true, and now I have found this in my IPS Live Log:

    2017:10:03-20:08:01 fw01 snort[27921]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .trade dns query" group="241" srcip="192.168.48.15" dstip="8.8.4.4" proto="17" srcport="61961" dstport="53" sid="44076" class="Misc activity" priority="3" generator="1" msgid="0"

    So the firewall blocks the DNS request due to the rather unusual .trade name.

    I have tried to create an exception on the IPS --> destination network --> DNS HOST --> poe.trade, but it still blocks the request.

    If I disable the IPS entirely it loads the site, but that really feels like a bad fix.

     

    Is there anything else I could try to resolve the matter?

     

    Thanks

    Hans-Peder
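The IPS line above is a Sophos UTM log record in the same key="value" layout as the Web Filtering lines earlier in the thread. As an added example (not code from this thread or from Sophos), the following Python parses such lines and pulls out the IPS drops of port-53 traffic, so the symptom described here (page times out, nothing in the Web Filtering log, a drop in the IPS log) can be confirmed from exported logs instead of by switching IPS off. The sample lines are constructed, modelled on the ones posted in this thread; the second client 192.168.48.20 and the 8.8.8.8 destination are invented for illustration, and the field names (`sub`, `action`, `dstport`, `sid`, `reason`) are the ones visible in the posted lines.

```python
"""Parse Sophos UTM key="value" log lines and pull out IPS drops of DNS traffic."""
import re
from collections import Counter

# Constructed sample, modelled on the lines posted in the thread (abbreviated web
# filter line, then two IPS drops; the 192.168.48.20 client is invented).
SAMPLE_LOG = """\
2017:10:02-21:42:06 fw01 httpproxy[30919]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.48.15" dstip="104.19.193.102" url="https://cdnjs.cloudflare.com/" dnstime="22166" categoryname="Internet Services" app-id="910"
2017:10:03-20:08:01 fw01 snort[27921]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .trade dns query" group="241" srcip="192.168.48.15" dstip="8.8.4.4" proto="17" srcport="61961" dstport="53" sid="44076" class="Misc activity" priority="3" generator="1" msgid="0"
2017:10:03-20:08:05 fw01 snort[27921]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="INDICATOR-COMPROMISE Suspicious .trade dns query" group="241" srcip="192.168.48.20" dstip="8.8.8.8" proto="17" srcport="53011" dstport="53" sid="44076" class="Misc activity" priority="3" generator="1" msgid="0"
"""

# Header of a UTM log line: timestamp, hostname, process[pid]:, then key="value" pairs.
_HEADER = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s*(?P<kv>.*)$'
)
# Keys may contain hyphens (app-id); values are double-quoted and may contain spaces.
_KV = re.compile(r'([\w.-]+)="([^"]*)"')


def parse_utm_line(line):
    """Return header fields plus every key="value" pair as a dict, or None if it is not a UTM line."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "proc": m.group("proc"), "pid": m.group("pid")}
    rec.update(_KV.findall(m.group("kv")))
    return rec


def ips_dns_drops(lines):
    """Keep only IPS events that dropped a packet addressed to port 53 (DNS)."""
    drops = []
    for line in lines:
        rec = parse_utm_line(line)
        if rec is None:
            continue
        if rec.get("sub") == "ips" and rec.get("action") == "drop" and rec.get("dstport") == "53":
            drops.append(rec)
    return drops


def affected_clients(drops):
    """Sorted list of source IPs whose DNS queries were dropped."""
    return sorted({d["srcip"] for d in drops})


def drops_by_signature(drops):
    """Map each Snort SID to (drop count, human-readable reason)."""
    counts = Counter(d["sid"] for d in drops)
    reasons = {d["sid"]: d["reason"] for d in drops}
    return {sid: (n, reasons[sid]) for sid, n in counts.items()}


if __name__ == "__main__":
    found = ips_dns_drops(SAMPLE_LOG.splitlines())
    for sid, (n, reason) in drops_by_signature(found).items():
        print(f"sid {sid}: {n} DNS drop(s): {reason}")
    print("clients affected:", ", ".join(affected_clients(found)))
```

Run it against lines exported from the IPS live log (or a downloaded IPS log file) instead of `SAMPLE_LOG`; a non-empty result for port 53 is the signature to look for whenever a single site starts timing out in every browser while the Web Filtering log stays silent, because the name never resolves and the proxy never sees a request for it.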

  • Is this a home-use scenario?  Are you the only person behind the UTM that needs to reach poe.trade?  Do you have an internal DNS server?

    Cheers - Bob

  • Hi again,

     

    Yes, it's a home-use scenario.

    I'm not the only one who needs to use this site.

    I'm using the UTM as the DNS server.

     

    //Hans-Peder

  • In WebAdmin, create a Host definition for poe.trade with the IP 104.18.51.127 and DNS Hostname of poe.trade.

    Cheers - Bob
