Allow certain traffic

Hello everybody,

I would like to ask you for help. The thing is that I want to allow certain services. These include Dropbox and Spotify.

I've allowed Dropbox and Spotify via Application Control (Web Protection > Application Control), but I am still seeing many red lines in the Firewall live log, where you can see the service (Dropbox or Spotify) and next to that you see that the packet has been dropped.

Since I've allowed them in Application Control, how could this happen?

Well, I hope somebody can explain to me what I'm doing wrong, and can give some advice, on how I can manage to do this in the most secure and efficient way.

Thanks a lot!

P.s. yes, I have disabled the IPS rules for Skype



  • Hi Sachin,

     

    Okay, that's good.

    I get 1 IP via DHCP from my ISP (but I have multiple DDNS entries, so mostly use one of my domain names).

    Furthermore, I have found the problem!! The problem is in Web Filtering, I temporarily disabled it, and now everything works perfectly (Dropbox, Spotify, that Skype phone thing and P2P).

    But what I don't understand is how those things can be blocked by Web Filtering. The clients are allowed to go to whatever site they want. So it is not necessary to block things (except for spam or porn or something, but that's easy to do via the Categories).

    So what I did is the following:

    - enabled the Categories that clients are allowed to use (everything is permitted right now);
    - made sure that at 'Websites' there are no blocked websites listed;
    - made sure that at 'Downloads' there weren't any blocked file extensions (since this is allowed too);
    - made sure that 'Antivirus' and 'Additional Options' were configured correctly (I used the default settings).

    In my logic the Web Filter would NOT block anything, because I haven't specified it. But if I take a look at the Web Filtering logs, I see that plenty of packets get dropped; that’s not supposed to be happening.

    Now it doesn't surprise me that I'm wrong, but after looking into it, I really can't understand how this is possible. Is there a hidden blocked website/domain list somewhere in Web Filtering? Cause I can’t find it.

     

    Thanks a lot for all of your help!

    Adriaan Heijboer

  • Adriaan, please show a few representative lines from the Web Filtering log file where desired traffic is blocked.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Something strange has happened. I turned the Web Filtering back on yesterday, so I could see the packets that get dropped. The only thing is that it doesn't seem to block the packets now.

    I already allowed the traffic I wanted to pass, Skype for instance. But I did that at the beginning when I was setting up the server. And this didn’t seem to change anything.

     

    Could it be that it had to reload the Web Filtering module, in order to see the new rules (in this case Skype = ALLOWED)?

    Because at this moment the log is empty and I haven’t heard any complaints.

     

    I will do some further testing to see if everything works the way it is intended and I will report back here with the conclusions.

     

    Thanks to everybody who is spending their time in order to help me.

     

    Kind regards,

    Adriaan Heijboer

  • Hi Bob,

     

    A small addition to my previous comment; it seems to be a bit inconsistent somehow.

     

    For example, I have found some websites that are getting blocked in ‘Logging & Reporting’ > ‘Web Protection’ > ‘Web Usage report’ (see screenshot) but I can't find the corresponding entries in the log.

     

    If I look at the Web Filtering log (http.log) the only blocked entries are things like: error="Transport endpoint is not connected", error="Host not found" and error="Connection reset by peer".

     

    I’ve attached the log.

     

    Thanks,

    Adriaan Heijboer

     

    	Line 9059: 2016:10:10-11:55:49 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x8f58a00" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="454" avscantime="0" fullreqtime="1309517607" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	Line 9612: 2016:10:10-12:09:44 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9d398000" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="29215" avscantime="0" fullreqtime="835266446" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	Line 10141: 2016:10:10-12:24:05 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9ec3cc00" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="388" avscantime="0" fullreqtime="861124676" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	Line 10316: 2016:10:10-12:46:10 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9804400" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="377" avscantime="0" fullreqtime="1324640392" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	Line 10467: 2016:10:10-13:04:33 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa4a6c00" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="20587" avscantime="0" fullreqtime="1102961404" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	
    	Line 10525: 2016:10:10-13:15:59 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.101" dstip="91.198.87.233" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa55d200" url="http://91.198.87.233/onlineweather" referer="" error="Connection reset by peer" authtime="0" dnstime="227" cattime="263" avscantime="3605" fullreqtime="38167104" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" sandbox="-"
    	
    	Line 10533: 2016:10:10-13:18:14 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.100" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9f6e9e00" url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer="" error="Transport endpoint is not connected" authtime="0" dnstime="0" cattime="510" avscantime="0" fullreqtime="821656234" device="0" auth="0" ua="" exceptions="" category="105" reputation="trusted" categoryname="Business"
    	
    	Line 10598: 2016:10:10-13:26:34 [mySophosserver] httpproxy[14727]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" hod="CONNECT" srcip="192.168.188.102" dstip="144.76.197.80" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="606565" request="0x9f2ff200" url="https://easylist-downloads.adblockplus.org/" referer="" error="" authtime="0" dnstime="7984" cattime="18919" avscantime="0" fullreqtime="513089" device="0" auth="0" ua="" exceptions="" category="175" reputation="trusted" categoryname="Software/Hardware"
    	
    	Line 15531: 2016:10:10-18:46:21 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="192.168.188.101" dstip="91.198.87.233" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2630" request="0x9d0d000" url="http://91.198.87.233/onlineweather" referer="" error="Connection reset by peer" authtime="0" dnstime="227" cattime="205" avscantime="3500" fullreqtime="241536" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" sandbox="-"
    	
    	Line 15788: 2016:10:10-18:56:44 [mySophosserver] httpproxy[14727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.188.103" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x9d9c9000" url="https://courier.push.apple.com/" referer="" error="Host not found" authtime="0" dnstime="38918" cattime="19540" avscantime="0" fullreqtime="349834" device="0" auth="0" ua="" exceptions="av,sandbox,fileextension" category="105" reputation="trusted" categoryname="Business"
    

    Open http.log https://drive.google.com/open?id=0BwoVESK-l0ChbkllNVNIb1pDaWc 

    Open screenshot (Web protection - Web Usage report.PNG) https://drive.google.com/open?id=0BwoVESK-l0ChSFhRdWs0U1Jmdnc 

  • Adriaan, statuscode="502" means that you need to make an Exception for Antivirus for the site.  If that doesn't resolve the problem, you will need to skip the proxy altogether.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,


    Okay that’s something new :)

     

    BAlfson said:

    Adriaan, statuscode="502" means that you need to make an Exception for Antivirus for the site.  If that doesn't resolve the problem, you will need to skip the proxy altogether.

    Cheers - Bob

     

     

    And what is the best practice to do that? Should I do it via Web Protection > Web Filter Profiles > Default content filter action > Websites and then add the websites to Allow These Websites, or is it better to do it this way (I think this is the better way): via Web Protection > Filtering Options > Exceptions, then add a new Exception (make sure Antivirus is checked and apply the rule on Matching URLs > the target domains that I fill in)?

    And if I want to allow all traffic, but still log it (so I can make sure people are not consuming too much data, or are online for too long), would it be enough to make the following exception? Skip: Antivirus, For all request > Coming from these networks > Internal Network.

    And I assume that I have to check URL filter also?

    One last question; the screenshot I posted, I said that I couldn’t find the corresponding log entries, but is that because I failed finding the corresponding entries or because I was looking at the wrong log?

    In other words, which log is being used by Web Protection, only the http.log?

    Many thanks!

    Kind regards,
    Adriaan Heijboer

    "Skip: Antivirus, For all request > Coming from these networks > Internal Network." - Your earlier comment was right: just skip AV for the URLs causing the problem.

    "And I assume that I have to check URL filter also?" - These are all being "blocked" by the servers' inability to work with our Proxy so you don't need that.

    You were looking at the right log. Note that you find dcs.cb.philips.com in the picture and in the log lines you posted.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
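
The triage described in the answers above, as an added example that is not part of the original posts or Sophos code: it parses http.log lines in the format posted earlier and separates `action="block"` entries that carry `statuscode="502"` plus an `error=` text (the proxy could not complete the upstream connection) from blocks without an error text. The sample lines are constructed and abbreviated, the 403 line is hypothetical, and reading `exceptions="av,..."` as "antivirus already skipped" is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: lines abbreviated from the http.log format posted in the
# thread, plus one hypothetical block without error= text (403) for contrast.
SAMPLE = """\
Line 9059: 2016:10:10-11:55:49 utm httpproxy[14727]: id="0002" name="web request blocked" action="block" method="POST" statuscode="502" request="0x8f58a00" url="http://dcs.cb.philips.com/Dcs.ConnectionService" error="Transport endpoint is not connected" exceptions=""
Line 9612: 2016:10:10-12:09:44 utm httpproxy[14727]: id="0002" name="web request blocked" action="block" method="POST" statuscode="502" request="0x9d398000" url="http://dcs.cb.philips.com/Dcs.ConnectionService" error="Transport endpoint is not connected" exceptions=""
Line 9612: 2016:10:10-12:09:44 utm httpproxy[14727]: id="0002" name="web request blocked" action="block" method="POST" statuscode="502" request="0x9d398000" url="http://dcs.cb.philips.com/Dcs.ConnectionService" error="Transport endpoint is not connected" exceptions=""
Line 10525: 2016:10:10-13:15:59 utm httpproxy[14727]: id="0002" name="web request blocked" action="block" method="POST" statuscode="502" request="0xa55d200" url="http://91.198.87.233/onlineweather" error="Connection reset by peer" exceptions=""
Line 10598: 2016:10:10-13:26:34 utm httpproxy[14727]: id="0001" name="http access" action="pass" method="CONNECT" statuscode="200" request="0x9f2ff200" url="https://easylist-downloads.adblockplus.org/" error="" exceptions=""
Line 15788: 2016:10:10-18:56:44 utm httpproxy[14727]: id="0002" name="web request blocked" action="block" method="CONNECT" statuscode="502" request="0x9d9c9000" url="https://courier.push.apple.com/" error="Host not found" exceptions="av,sandbox,fileextension"
2016:10:11-09:00:00 utm httpproxy[14727]: name="web request blocked" action="block" method="GET" statuscode="403" request="0x1" url="http://blocked.example/" error="" exceptions=""
"""

# Optional "Line N:" prefix (added by the search tool), timestamp, host, process.
HEAD = re.compile(r'^(?:Line \d+:\s*)?(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s+\S+\s+httpproxy\[\d+\]:\s*(.*)$')
KV = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" fields of one http.log line, or None if it does not match."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    rec = dict(KV.findall(m.group(2)))
    rec["ts"] = m.group(1)
    return rec

def triage(text):
    """Split blocked requests into upstream failures (per host) and other blocks."""
    seen = set()
    upstream = defaultdict(lambda: {"count": 0, "errors": set(), "av_skipped": False})
    other_blocks = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("action") != "block":
            continue
        key = (rec["ts"], rec.get("request"), rec.get("url"))
        if key in seen:          # the same log line pasted or matched twice
            continue
        seen.add(key)
        if rec.get("statuscode") == "502" and rec.get("error"):
            host = urlsplit(rec.get("url", "")).hostname or "?"
            entry = upstream[host]
            entry["count"] += 1
            entry["errors"].add(rec["error"])
            # Assumption: "av" in exceptions= means the AV check was already skipped.
            entry["av_skipped"] |= "av" in rec.get("exceptions", "").split(",")
        else:
            other_blocks.append(rec.get("url"))
    return dict(upstream), other_blocks

if __name__ == "__main__":
    failures, blocks = triage(SAMPLE)
    for host, info in sorted(failures.items()):
        print(host, info["count"], sorted(info["errors"]), "av_skipped=%s" % info["av_skipped"])
    print("blocks without error text:", blocks)
```

Hosts reported with `av_skipped=False` are the candidates for a narrowly scoped Antivirus exception; a host that still fails with `av_skipped=True` matches the case where the thread's fallback is to bypass the proxy for that destination.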
  • Hi,

    Sorry for my late response.

    Now I finally understand the problem, thank you so much for explaining :)

    This solved my problem. I would have never expected the problem to be at the side of other servers, not supporting the proxy.

    Thanks really a lot Bob, you helped me out a lot!!

    Kind regards,

    Adriaan Heijboer
