Channel: Sophos User Bulletin Board

DNAT of IPSec traffic problem

172.25.0.117 <-- remote server
61.68.25.117 <-- remote security domain
61.68.56.147 <-- remote gw
---
99.98.182.82 <-- local gw
99.98.182.89 <-- local security domain
192.168.5.1 <-- local server

The goal is to reach 192.168.5.1 from 172.25.0.117 on port 12345/tcp.

Remote side is ASA with a NAT,

static (dmz,outside) 61.58.25.117 172.25.0.117 netmask 255.255.255.255 dns

Local side is ASG220 9.100-16 with a DNAT rule,

From: any
Service: any
Going to: 99.98.182.89
Change destination: 192.168.5.1
Change service: (empty)

We can test the DNAT by logging into the UTM via SSH and trying to 'telnet 99.98.182.89 123456' successfully, but accessing 99.98.182.89 from 172.25.0.117 doesn't seem to work via the tunnel. Thoughts?

How to transfer license between identical Astaro security gateways

Good morning everybody!

I finally got a brand new Astaro 110/120 that's going to do the job of my identical (but dead) previous firewall.

The seller told me that I can easily move the old security license from the old firewall to the new one...

Question is: how?

I have been googling a bit and trying to understand how to achieve this in the license portal, but it seems like I can't find it.

_Probably_ it seems that I have to disable it in the old firewall's subscription management, but I'd love not to make a mess in this phase :)

Did anyone have this problem?

Thanks a lot and have a great day.

Upgrading from v7 to v9 HA-Synch issues

Hi at all,

I'm completely new to this forum and to Astaro/Sophos as well.
We are currently running a HA cluster with Astaro appliances and v7.
As we know, v7 is end of life. Now we bought 2 new Sophos 220 and want to replace the old cluster with them.
The internet is not completely sure about whether it is possible to do a direct upgrade or not.
So I decided to download a backup file from the running v7 cluster and did inherit this file to our brand new devices.
Basically all rules, users etc. are visible in both v9 devices.
But when it now comes to HA I have some issues, because they never get out of Status: "Not linked" and "Synching".
They do notice each other and do handle a master and slave role, but they never finish synching.

How can I get along with it?

Kind regards
akqadm

E-Mail Encryption & Exchange 2010, Config Issues

Hello,

external mails are signed, but not encrypted. What could be the reason?

In the default policies everything is enabled: [Sign outgoing email] [Encrypt outgoing email] [Verify incoming email] and [Decrypt incoming email].

An email encryption user has been created and uses the global policies.

It is the UTM 320 (9.006-5) and the mail server is an Exchange 2010 (SMTP).

Regards

Want to change the IP address of the interface used for the current WebAdmin session?

I'm getting this strange question when I want to create or enable a new Ethernet VLAN interface:

Quote:

Do you really want to change the IP address of the interface used for the current WebAdmin session? This WebAdmin session will fail, and you have to log in to the new address.
I am logged into my UTM via SSL-VPN, and then into the UTM on the SSL-VPN Gateway IP.

If I enable the interface, I have to log in again. Why do I get the message and have to log in again?

Hardware: UTM 220 @ 9.100-16

AP 10 with separate zone

Hello everyone,

I could use a few tips, as I am getting nowhere with the configuration of my access point (AP10) on UTM 9.1 with the "Separate Zone" setting. The AP10 works perfectly with "Bridge to AP LAN".

The starting situation is:

External (WAN) eth1 [192.168.0.99/24]
Internal eth0 [192.168.1.100/24]
The AP got 192.168.1.82 from the server (2008 R2), and with "Separate Zone" the interface
wlan wlan0 [192.168.1.101/24] was created.

DHCP was set up on the wlan0 interface with gateway 192.168.1.100 and DNS pointing to the server.

As a masquerading rule I have: wlan (Network) --> External (WAN)
Firewall: wlan (Network) --> Any --> Any

But I am very unsure about this and have already tried everything.

When I now connect a computer over this WLAN, it does get an IP from the DHCP server created on the UTM, but I can reach neither 192.168.1.101 nor 192.168.1.82 nor any other IP in the network.
ICMP settings for ping are enabled, but the network only shows limited connectivity.

I think I simply have a fundamental mistake somewhere and am grateful for any tip.

Kind regards

I just want to unblock a domain. v8 was easy, v9 nightmare!

Been using ASG for a couple years now. Have kids in the house, so have quite a few categories blocked under Web Filtering.

Sometimes we want to allow one particular domain through the firewall. In version 8, I simply added the domain under "always allow these URLs/sites" and boom, done.

In v9 (9.100-16 currently), it is a nightmare. I just can't seem to figure out the voodoo magic to making it work. I am sure it is simple, but I have spent so much time on it, I am giving up and asking for help.

Under "Always allow these URLs/sites" I click the plus sign, give it a name, click the plus sign next to "Domains", enter in the domain (example.com) and click Apply. Then "Save", then lastly click "Apply" under the main "URL filter" box. It should start blocking right? No it does not.

I have then turned off and on Web Filtering (on Global tab) for good measure. No, still blocks.

I have checked that it's not just my browser caching the block by trying another browser... still blocked.

Looking at the live log, it's definitely being blocked:

2013:05:23-13:05:12 astaro httpproxy[30866]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="192.168.222.35" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3099" request="0xc2e3c80" url="http://www.example.com/" exceptions="" error="" reason="category" category="137" reputation="trusted" categoryname="Provocative Attire"

Any thoughts appreciated... again, been doing this for a long time and it always used to work... so am hoping this is a simple oversight on my part.

Thanks!

- Scott

ASG 120 rev3 fresh/clean install

Hi,

Should I use the hw appliance ISOs or the software?
Further, what is the common way to do a clean install on hw appliances?
I would burn the correct ISO to a CD, connect an external drive and go?

Btw. I will use this box with a business essential license.

Info about Antivirus

Hello,
for some time now I have no longer been getting any information about the "Antivirus" messages in the dashboard.
I believe that under version 8 I got more detailed information about the virus and the target host in the daily executive reports.

Until now I managed to get information via the search function (Ctrl+F) in the web filter log. Recently, however, nothing shows up there any more either. Only the messages in the dashboard still appear.

I would be very grateful for any information.
Information on Endpoint Protection would be great too. Does it now run error-free in any form, or is it still unusable?
The scanners do work on the hosts, but the cooperation with the UTM unfortunately does not work, as already described in earlier posts.

I'd rather not even bring up the topic of Skype and IPS......;)

#edit

Version 9.100-16 HomeUser


AP50 Benchmarks

Curiously, would anyone who owns an AP50 kindly post some throughput benchmarks? I have a few AP10's, and I'd really like to see some numbers to compare before investing in an AP50.

Thank you. I really appreciate it!

User Portal not displaying all tabs

Using User Portal in the management area - although I have allowed all users / local network / all features, I am only seeing the 'Welcome', 'client auth', 'Https proxy' and 'Log out' tabs.
Am I missing something to allow user portal to see 'whitelists' web filtering?

Event Alert for Sophos Cloud

Receiving an event alert by email gives the following email;

May 23. 2013 16:20:03
EVENT ALERT
This e-mail is a notification for an event occured in Sophos Cloud.
Event details:
Reported at: 2013-05-23T16:19:59+00:00
Event description: Real time protection disabled
Severity: SEVERITY_HIGH

However, the issue is - it doesn't report the end-point, so one has to log in to the cloud service to identify the end-point. It would be better if the end-point was identified as well.

Also the word 'occured' is spelt wrong this should be 'occurred'

Thanks

Mike

[BUG][9.100-16] Bug in wifi isolation?

I've got UTM 220 and some AP50.
I've created some Wifi SSIDs and if I set the advanced feature about isolation to enabled, I can connect to other nodes in the same ssid. If I set it to disabled, I can not connect.

So it looks like the feature has been reversed in value?

RED Behind UTM

Hello,

We would like to deploy a secondary network in a branch using a RED.

What IP should I enter on the UTM RED setup: the LAN IP or the WAN IP?

Uplink Balancing of MPLS Line

I would like to ask regarding Uplink Balancing for our MPLS line. We have two main offices and 6 branches, each of which has an ASG appliance. In our main office 1 we have 2 pcs. ASG 220, one for the internet and the other for the MPLS line, while in main office 2 we have an ASG 320 for the internet and a 220 for the MPLS line. For our branches we have 110/120 ASG appliances. In each office and branch we have two MPLS lines from two different ISP providers. Now when we set up the Uplink Balancing for the two main offices it was successful, while when we set up our branch offices for the Uplink Balancing and tried to remove one of the MPLS lines, Uplink Balancing is ok but we can only ping until the managed router of one of our MPLS providers. Would appreciate if someone can help me with this problem.

Red Support files not available astarosupport.org/files/

Cable Modem Interface going up and down

Hello,

I have an issue with a UTM 110/120 and software 8.309.

We have attached a cable modem on ETH1 with DHCP.

The interface is going down and up 5-10 times a day.
It is down for about 1 minute if I believe the emails, but in reality the interface seems to be up all the time.

I already tried to fix the interface on the UTM to 100 FDX speed; this also didn't help.

Does someone have the same issue?

The strange thing is, it worked perfect over weeks, and the last 5 days this issue started, with no change on the UTM. The UTM has an uptime of 76 days.

Thank you for your help!

Best regards,
Dino

Real time protection disabled message

Just getting this formally flagged as discussed with the UK team already. There are alerts being flagged for "Real time protection disabled" being generated on my home machine, at what I assume from the timings to be during the shut-down process. I will speak to the team to get access to logging tools etc. to investigate this further.

A side effect of this however is the fact that overnight 23 -24/05/2013 UK time for each of these alerts I received multiple messages to my email account telling me of each of these alerts. The first 2 times I was replicating the issue I received 4 alerts and the following morning when deliberately stopping the service to trigger the alert I received 2 messages. I will update this with regard to the multiple messages received as a result of the tests during this investigation as I would think that getting a mailbox flooded with what effectively becomes spam is going to deprecate the value of this feature.

Emails failure since update to 9.100-16

Hi,

Since updating our UTM to 9.100-16 we're no longer able to send emails, we're getting nslookup failures from the UTM console and we're receiving these errors:

routing defer (-51): retry time not reached

This has only happened since the update. Anyone else having these issues?

ASG 220 8.103 up2date 8.309

Hi together,

There is one ASG 220 at our company running version 8.103. There are 14 updates available, the newest one is 8.309.
As I'm completely new to managing the ASG 220, I would like to ask if there are any known problems when updating to the newest 8.309 version.

Should I do a step by step upgrade?
Can I directly go from 8.103 to 8.309?
How long will the update take?

What can I do if the update process is hanging?

Thanks in advance for your support.

best regards,
Markus Moos