This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Allow certain traffic

Hello everybody,

I would like to ask you for help. The thing is that I wan't to allow certain services. These include Dropbox and Spotify.

I've allowed Dropbox and Spotify via Application Control (Web Protection > Application Control), but I am still seeying many red lines in the Firewall live log, where you can see the service (Dropbox or Spotify) and next to that you see that the packet has been dropped.

Since I've allowed them in Application Control, how could this happen?

Well, I hope somebody can explain to me what I'm doing wrong, and can give some advice, on how I can manage to do this in the most secure and efficient way.

Thanks a lot!

P.s. yes, I have disabled the IPS rules for Skype



This thread was automatically locked due to age.
Parents
  • Hi,

    Can you please post the log lines that reflects the drops and the screenshot of the application control policy?

    Thanks 

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Sachin, thanks for your help!

     

    Below are the logs. I’m sorry but I think I have been a bit stupid. Now that I’m looking at it, Is it possible that these are broadcast messages that are logged?

     

    Thanks for the help.

     

    2016:10:03-18:04:21 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x307f" app="127" srcmac="[MAC]" dstmac="[MAC]" srcip="[IP]" dstip="255.255.255.255" proto="17" length="225" tos="0x00" prec="0x00" ttl="128" srcport="17500" dstport="17500"

     

    2016:10:03-18:04:21 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x307f" app="127" srcmac="[MAC]" dstmac="[MAC]" srcip="[IP]" dstip="255.255.255.255" proto="17" length="225" tos="0x00" prec="0x00" ttl="128" srcport="17500" dstport="17500"


    2016:10:03-18:04:21 [mySophosserver] ulogd[4461]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" mark="0x307f" app="127" srcmac="[MAC]" dstmac="[MAC]" srcip="[IP]" dstip="192.168.188.255" proto="17" length="225" tos="0x00" prec="0x00" ttl="128" srcport="17500" dstport="17500"

     

     

    (link to image https://drive.google.com/file/d/0BwoVESK-l0CheHFPYklKT0RTUDA/view?usp=sharing)

  • Hi A.M,

    These are input default drops which are dropped via input chain in the IP tables. This chain is used to control the behavior for incoming connections. Can you capture and post the http.log. Grep dropbox and spotify to filter the log line. 

    Last but not the least, what does the policy helpdesk option in Web Protection notify for dropbox and Spotify URL(s)? Policy helpdesk tests URLs against your existing Web Filter Profiles.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Sachin,

     

    Okay, thanks. I’ve added the logs. it all seems to work OK right now, and looking at the logs it looks like the packets are getting though.

    Dropbox and Spotify are working now (just tested). I’m not sure whether is was sophos or a faulty computer what caused this.

     

    Besides this; skype is not working properly. I tested Skype on PC and it worked with no problems. But then comes this: we have a ‘Skype Phone’, like a landline phone that only receives calls on a local digital phone line (with a local number) and calls out via a Skype (Internet) line (so via a Skype phone number, via internet).

    We can still receive calls (logical, since that works even without internet), but calling to somebody else (so via Skype, via Internet) isn’t working. I find this strange, because Skype on Windows seems to have no problems at all. I will look further into this, I’m not sure if it could be a problem on the Skype/phone box side (since it stopped working when Sophos got implemented, I guess not ;-)

    Unsurprisingly bittorrent is also still not working completely perfect. Does anybody have experience with this? Do you think I need to create DNat for it to function properly, or do you think that I should do something else in order to fix it? (remember that normally DNat is supposed to not be necessary for torrents to work). Would it be possible to unlock bittorrent for specified torrent(s)? (for example: users are allowed to download Ubuntu torrents or something like that, but not to download movies and such things).

     

    In any way, I have to test it while looking at the firewall, but I’m almost there. Does anybody has a tip, for where to look (fox example in the logs)? In http.log all detected Skype traffic is allowed, but I guess it either is not even reaching the Web Scanner, or, is not recognised as Skype traffic, so I guess that's the reason I can’t find it.

     

    The policy helpdesk option says allowed for all domains (so dropbox.com, spotify.com and skype.com, both http as https)

     

    Thank you for your time (you already helped me a lot! :),

    Adriaan Heijboer



    http dropbox.log https://drive.google.com/open?id=0BwoVESK-l0Chdk9VRlE3d1hTY3c

    http spotify.log https://drive.google.com/open?id=0BwoVESK-l0ChVTJXYk15TGZrMzg

    http skype.log https://drive.google.com/open?id=0BwoVESK-l0ChVkdFc1F0U3ZybXc

    http dropbox.log

    Search "application="skype" app-id="448"" (16 hits in 1 file)
      C:\Users\Aad\Downloads\http.log (16 hits)
    	Line 10674: 2016:10:05-11:43:51 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="13.107.3.128" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="17265" request="0xa1036400" url="https://b.config.skype.com/" referer="" error="" authtime="0" dnstime="15289" cattime="20295" avscantime="0" fullreqtime="61829576" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10681: 2016:10:05-11:44:08 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.188.62" dstip="91.190.216.81" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="129" request="0xa0b17600" url="http://conn.skype.com/" referer="" error="" authtime="0" dnstime="51225" cattime="20265" avscantime="2597" fullreqtime="95285" device="0" auth="0" ua="Skype WISPr" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448" sandbox="-" content-type="text/plain"
    	Line 10727: 2016:10:05-11:44:30 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="13.107.3.128" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="18581" request="0x9c0cd800" url="https://b.config.skype.com/" referer="" error="" authtime="0" dnstime="7478" cattime="188" avscantime="0" fullreqtime="59139012" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10734: 2016:10:05-11:44:36 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.188.62" dstip="157.56.198.14" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7" request="0x9bc7e00" url="http://ui.skype.com/ui/0/7.27.0.101./nl/getlatestversion?ver=7.27.0.101&uhash=177a252a15947ea5c823d88847a18d4a3" referer="" error="" authtime="0" dnstime="41081" cattime="37619" avscantime="1923" fullreqtime="126075" device="0" auth="0" ua="Skype™‎ 7.27" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448" sandbox="-" content-type="application/octet-stream"
    	Line 10739: 2016:10:05-11:44:38 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.188.62" dstip="91.190.216.81" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="129" request="0x9c15b600" url="http://conn.skype.com/" referer="" error="" authtime="0" dnstime="345" cattime="213" avscantime="2525" fullreqtime="23386" device="0" auth="0" ua="Skype WISPr" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448" sandbox="-" content-type="text/plain"
    	Line 10742: 2016:10:05-11:44:39 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.188.62" dstip="91.190.216.81" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="129" request="0xa1068c00" url="http://conn.skype.com/" referer="" error="" authtime="0" dnstime="364" cattime="196" avscantime="3089" fullreqtime="24603" device="0" auth="0" ua="Skype WISPr" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448" sandbox="-" content-type="text/plain"
    	Line 10743: 2016:10:05-11:44:39 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="40.127.169.165" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7597" request="0xa0c73600" url="https://registrar-rr.prod.registrar.skype.com/" referer="" error="" authtime="0" dnstime="35428" cattime="20439" avscantime="0" fullreqtime="426671" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10901: 2016:10:05-11:45:18 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="40.122.44.96" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7176" request="0x9fdc8000" url="https://registrar-rr.prod.registrar.skype.com/" referer="" error="" authtime="0" dnstime="15759" cattime="197" avscantime="0" fullreqtime="924782" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10928: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="13.107.3.128" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="19093" request="0xa7ed200" url="https://b.config.skype.com/" referer="" error="" authtime="0" dnstime="5" cattime="145" avscantime="0" fullreqtime="47400311" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10930: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="91.190.218.21" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="5458" request="0x9fdc9200" url="https://uic.login.skype.com/" referer="" error="" authtime="0" dnstime="48038" cattime="20199" avscantime="0" fullreqtime="58540039" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10932: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="52.174.166.107" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7533" request="0x9fd28400" url="https://api.cc.skype.com/" referer="" error="" authtime="0" dnstime="14726" cattime="19917" avscantime="0" fullreqtime="47686524" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10933: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="40.122.44.96" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7214" request="0x9b07e00" url="https://etag-rr.prod.registrar.skype.com/" referer="" error="" authtime="0" dnstime="39281" cattime="20986" avscantime="0" fullreqtime="47761063" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10935: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="23.43.36.49" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="6588" request="0x9fdc8600" url="https://apps.skype.com/" referer="" error="" authtime="0" dnstime="57260" cattime="20216" avscantime="0" fullreqtime="39011935" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10937: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="168.63.15.132" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7646" request="0xa01ea600" url="https://trap.skype.com/" referer="" error="" authtime="0" dnstime="15859" cattime="20106" avscantime="0" fullreqtime="43257397" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10938: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="137.116.195.37" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="7402" request="0x9bfe9000" url="https://api.mcr.skype.com/" referer="" error="" authtime="0" dnstime="16007" cattime="20381" avscantime="0" fullreqtime="42812452" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    	Line 10939: 2016:10:05-11:45:22 [mySophosserver] httpproxy[5693]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.188.62" dstip="91.190.217.143" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="15368" request="0xa95b800" url="https://api.skype.com/" referer="" error="" authtime="0" dnstime="37579" cattime="19914" avscantime="0" fullreqtime="30173197" device="0" auth="0" ua="" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging" application="skype" app-id="448"
    

    http spotify.log

  • Hi, 

    Everything for Skype seems to be allowed in the http.log. Out of the box, what sort of ISP connection do you have on UTM, DHCP or static?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Sachin,

     

    Okay, that's good.

    I get 1 IP via DHCP from my ISP (but I have multiple DDNS entries, so mostly use on of my domain names).

     

    Furthermore, I have found the problem!! The problem is in Web Filtering, I temporarily disabled it, and now everything works perfect (Dropbox, Spotify, that Skype phone thing and P2P).

    But what I don't understand is how those things can be blocked by Web Filtering. The clients are allowed to go to whatever site they want. So it is not necessary to block things (except for spam of porn or something, but that's easy to do via the Categories).

    So what I did is the following:

    - enabled the Categories that clients are allowed to use (everything is permitted right now);
    - made sure that at 'Websites' there are no blocked websites listed;
    - made sure that at 'Downloads' there weren't any blocked file extensions (since this is allowed too);
    - made sure that 'Antivirus' and 'Additional Options' were configured correct (I used the default settings).

     

    In my logic the Web Filter would NOT block anything, because I haven't specified it. But if I take a look at the Web Filtering logs, I see that plenty of packets gets dropped, that’s not supposed to be happening.

    Now it doesn't surprise me that I'm wrong, but after looking into it, I really can't understand how this is possible. Is there a hidden blocked website/domain list somewhere in Web Filtering? Cause I can’t find it.

     

    Thanks a lot for all of your help!

    Adriaan Heijboer

  • Adriaan, please show a few representative lines from the Web Filtering log file where desired traffic is blocked.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Something strange has happend. I turned the Web Filtering back on yesterday, so I could see the packets that get dropped. The only thing is that is dousand seem to block the packets now.

    I already allowed the traffic I wanted to pass, Skype for instance. But I did that at the beginning when I was setting up the server. And this didn’t seem to change anything.

     

    Could it be that it had to reload the Web Filtering module, in order to see the new rules (in this case Skype = ALLOWED).

     

    Because on this moment the log is empty and I haven’t heard any complaints.

     

    I will do some further testing to see if everything works the way it is intended and I will report back here with the conclusions.

     

    Thanks to everybody who is spending their time in order to help me.

     

    Kind regards,

    Adriaan Heijboer

  • Hi Bob,

     

    A small addition to my previous comment; it seems to be a bit inconsistent somehow.

     

    Fox example, I have found some websites that are getting blocked in ‘Logging & Reporting’ > ‘Web Protection’ > ‘Web Usage report’ (see screenshot) but I can't find the corresponding entries in the log.

     

    If I look at the Web Filtering log (http.log) the only blocked entries are things like: error="Transport endpoint is not connected", error="Host not found" and error="Connection reset by peer".

     

    I’ve attached the log.

     

    Thanks,

    Adriaan Heijboer

     

    	Line 9059: 2016:10:10-11:55:49 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x8f58a00" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="454" avscantime="0" fullreqtime="1309517607" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	Line 9612: 2016:10:10-12:09:44 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9d398000" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="29215" avscantime="0" fullreqtime="835266446" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	Line 9612: 2016:10:10-12:09:44 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9d398000" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="29215" avscantime="0" fullreqtime="835266446" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	Line 10141: 2016:10:10-12:24:05 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9ec3cc00" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="388" avscantime="0" fullreqtime="861124676" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	Line 10141: 2016:10:10-12:24:05 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9ec3cc00" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="388" avscantime="0" fullreqtime="861124676" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	Line 10316: 2016:10:10-12:46:10 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9804400" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="377" avscantime="0" fullreqtime="1324640392" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	Line 10316: 2016:10:10-12:46:10 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9804400" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="377" avscantime="0" fullreqtime="1324640392" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	Line 10467: 2016:10:10-13:04:33 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa4a6c00" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="20587" avscantime="0" fullreqtime="1102961404" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	Line 10467: 2016:10:10-13:04:33 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa4a6c00" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="20587" avscantime="0" fullreqtime="1102961404" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	
    	Line 10525: 2016:10:10-13:15:59 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.101" dstip="91.198.87.233" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa55d200" url="http://91.198.87.233/onlineweather" referer="" error="Connection reset by peer" authtime="0" dnstime="227" cattime="263" avscantime="3605" fullreqtime="38167104" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" sandbox="-"
    	Line 10525: 2016:10:10-13:15:59 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.101" dstip="91.198.87.233" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa55d200" url="http://91.198.87.233/onlineweather" referer="" error="Connection reset by peer" authtime="0" dnstime="227" cattime="263" avscantime="3605" fullreqtime="38167104" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" sandbox="-"
    	
    	Line 10533: 2016:10:10-13:18:14 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9f6e9e00" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="510" avscantime="0" fullreqtime="821656234" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	Line 10533: 2016:10:10-13:18:14 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9f6e9e00" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="510" avscantime="0" fullreqtime="821656234" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	
    	Line 10598: 2016:10:10-13:26:34 [mySophosserver] httpproxy[14727]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" hod="CONNECT" srcip="192.168.188.102" dstip="144.76.197.80" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="606565" request="0x9f2ff200" url="https://easylist-downloads.adblockplus.org/" referer="" error="" authtime="0" dnstime="7984" cattime="18919" avscantime="0" fullreqtime="513089" device="0" auth="0" ua="" exceptions="" category="175" reputation="trusted" categoryname="Software/Hardware"
    	
    	Line 15531: 2016:10:10-18:46:21 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.101" dstip="91.198.87.233" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2630" request="0x9d0d000" url="http://91.198.87.233/onlineweather" referer="" error="Connection reset by peer" authtime="0" dnstime="227" cattime="205" avscantime="3500" fullreqtime="241536" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" sandbox="-"
    	Line 15531: 2016:10:10-18:46:21 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.101" dstip="91.198.87.233" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2630" request="0x9d0d000" url="http://91.198.87.233/onlineweather" referer="" error="Connection reset by peer" authtime="0" dnstime="227" cattime="205" avscantime="3500" fullreqtime="241536" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" sandbox="-"
    	
    	Line 15788: 2016:10:10-18:56:44 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.188.103" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9d9c9000" url="https://courier.push.apple.com/" referer="" error="Host not found" authtime="0" dnstime="38918" cattime="19540" avscantime="0" fullreqtime="349834" device="0" auth="0" ua="" exceptions="av,sandbox,fileextension" category="105" reputation="trusted" categoryname="Business"
    	Line 15788: 2016:10:10-18:56:44 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.188.103" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9d9c9000" url="https://courier.push.apple.com/" referer="" error="Host not found" authtime="0" dnstime="38918" cattime="19540" avscantime="0" fullreqtime="349834" device="0" auth="0" ua="" exceptions="av,sandbox,fileextension" category="105" reputation="trusted" categoryname="Business"
    

    Open http.log https://drive.google.com/open?id=0BwoVESK-l0ChbkllNVNIb1pDaWc 

    Open screenshot (Web protection - Web Usage report.PNG) https://drive.google.com/open?id=0BwoVESK-l0ChSFhRdWs0U1Jmdnc 

  • Adriaan, statuscode="502" means that you need to make an Exception for Antivirus for the site.  If that doesn't resolve the problem, you will need to skip the proxy altogether.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,


    Okay that’s something new :)

     

    BAlfson said:

    Adriaan, statuscode="502" means that you need to make an Exception for Antivirus for the site.  If that doesn't resolve the problem, you will need to skip the proxy altogether.

    Cheers - Bob

     

     

    And what is the best practise to do that? Should I do it via Web Protection > Web Filter Profiles > Default content filter action > Websites and then add the websites to Allow These Websites, or is it better to do it via this way - I think this is the better way:- via Web Protection > Filtering Options > Exceptions then add a new Exception (make sure Antivirus is checked and apply the rule on Matching URL’s > The target Domains that I fill in).

    And if I want to allow all traffic, but still log it (so I can make sure people are not consuming too much data, or are online for too long), would it be enough to make the following exception? Skip: Antivirus, For all request > Coming from these networks > Internal Network.

    And I assume that I have to check URL filter also?

    One last question; the screenshot I posted, I said that I couldn’t find the corresponding log entries, but is that because I failed finding the corresponding entries or because I was looking at the wrong log?

    In other words, which log is being used by Web Protection, only the http.log?

    Many thanks!

    Kind regards,
    Adriaan Heijboer

Reply
  • Hi Bob,


    Okay that’s something new :)

     

    BAlfson said:

    Adriaan, statuscode="502" means that you need to make an Exception for Antivirus for the site.  If that doesn't resolve the problem, you will need to skip the proxy altogether.

    Cheers - Bob

     

     

    And what is the best practise to do that? Should I do it via Web Protection > Web Filter Profiles > Default content filter action > Websites and then add the websites to Allow These Websites, or is it better to do it via this way - I think this is the better way:- via Web Protection > Filtering Options > Exceptions then add a new Exception (make sure Antivirus is checked and apply the rule on Matching URL’s > The target Domains that I fill in).

    And if I want to allow all traffic, but still log it (so I can make sure people are not consuming too much data, or are online for too long), would it be enough to make the following exception? Skip: Antivirus, For all request > Coming from these networks > Internal Network.

    And I assume that I have to check URL filter also?

    One last question; the screenshot I posted, I said that I couldn’t find the corresponding log entries, but is that because I failed finding the corresponding entries or because I was looking at the wrong log?

    In other words, which log is being used by Web Protection, only the http.log?

    Many thanks!

    Kind regards,
    Adriaan Heijboer

Children
  • "Skip: Antivirus, For all request > Coming from these networks > Internal Network."  your earlier comment was right: just skip AV for the URL's causing the problem.

    "And I assume that I have to check URL filter also?" - These are all being "blocked" by the servers' inability to work with our Proxy so you don't need that.

    You were looking at the right log. note that you find dcs.cb.philips.com in the picture and in the log lines you posted.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Sorry for my late response.

    Now I finally understand the problem, thank you so much for explaining :)

    This solved my problem. I would have never expected the problem to be the at the side of other servers, not supporting the proxy.

    Thanks really a lot Bob, you helped me out a lot!!

    Kind regards,

    Adriaan Heijboer