Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 1 subscriber
  • Views 2067 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web Filter Updates seems to have life of their own

nico.n
Hello,

we are using a Sophos UTM as Virtual Software Appliance as Proxy and Reverse Proxy on the border of a separate net segment within our company.
So the Appliance has no direct Internet connection. Security Policies require us to make Internet Connections over another web proxy. This is working well for Antivirus and Firmeware Up2Date Packages.

However, when Web Filters are enabled the UTM keeps trying to talk to the following servers:

ussc1.astaro.com
ussc2.astaro.com
imap.astaro.com
cffs04.astaro.com
astaro.nmmn.net
london057.server4you.de
colossus808.server4you.de
ec2-54-248-108-74.ap-northeast-1.compute.amazonaws.com

which is nagging our firewall administrator. [:D]

Am I’m assuming right, that these are the addresses for the web filter updates? The requests keeps coming in 10 minute intervals regardless of the Up2Date settings.

There seems to be no way to lead this request to our company proxy. Neither do they use the proxy set in the Up2Date settings, nor a proxy I set in the parent proxy settings of the web filter.

To top this all the request keep knocking on our firewall even when I make a static DNS entry to the mentioned hosts pointing to 127.0.0.1

Is there a way to disable web filter updates or a way to lead the request to our company proxy?


This thread was automatically locked due to age.
Parents
  • 0
    There are 2 kinds of updates that the UTM uses for the web filtering feature (and for other things):

    1) If you have the UTM set to auto-download pattern (AV, IPS, etc.) and / or firmware updates, it will do that at pre-set intervals, the smallest of which is 15 minutes.

    2) If you are using the Web Filtering Feature with Category and / or Reputation filtering enabled, the system automatically pings the cloud servers that support the category database at regular intervals to determine which on is lowest in latency... this is probably what you are seeing.  There is an undocumented (and somewhat unsupported, thus I don't recommend it for production systems normally) way to make the Web Filter use a local Database for filtering (search this forum), which would cut down on the requests.

    Thing is, I fail to see what the big deal is to allow the communications with the content filter and / or up2date servers... every security system needs updates.  Perhaps they should whitelist any notifications, etc. they are getting for having the system communicate with them.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Reply
  • 0
    There are 2 kinds of updates that the UTM uses for the web filtering feature (and for other things):

    1) If you have the UTM set to auto-download pattern (AV, IPS, etc.) and / or firmware updates, it will do that at pre-set intervals, the smallest of which is 15 minutes.

    2) If you are using the Web Filtering Feature with Category and / or Reputation filtering enabled, the system automatically pings the cloud servers that support the category database at regular intervals to determine which on is lowest in latency... this is probably what you are seeing.  There is an undocumented (and somewhat unsupported, thus I don't recommend it for production systems normally) way to make the Web Filter use a local Database for filtering (search this forum), which would cut down on the requests.

    Thing is, I fail to see what the big deal is to allow the communications with the content filter and / or up2date servers... every security system needs updates.  Perhaps they should whitelist any notifications, etc. they are getting for having the system communicate with them.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Children
No Data
Cookie Information Banner