Channel: Sophos User Bulletin Board

tunnel utm -> utm

I set up a RED connection between two UTM 9 devices.
The status tells me that the connection is established, but no traffic goes from or to the other network.
In the RED log I see these lines:
2013:08:11-14:39:47 fw red_server[10798]: 7543d61167ee40f: PING remote_tx=61 local_rx=62 diff=-1
2013:08:11-14:39:47 fw red_server[10798]: 7543d61167ee40f: PONG local_tx=61
I have made firewall rules to allow traffic between the networks.
I also made masquerading rules on both sites for the other networks.
What am I doing wrong?

UTM -> UTM Bridged and routed subnet

Is it possible to create a bridged connection between two UTMs using the RED capability, as well as a normal routed connection?

In one of our sites we have a fiber connection to one of our customers, and to be able to work for this customer from another site we should use a bridged connection between the two.
We would also like to have a normal routed connection between the two sites.
The clients connected to our customer are already on a different subnet than the rest of this site.

Not sure if this would be possible. Anyone who knows the answer?

Mobile Device managers

I am implementing the Meraki MDM for my iPads.
These are the ports I have opened and the hosts that I need to be able to connect to, for Systems Manager:

Clients using Meraki Systems Manager initiate outbound management connections to the Meraki cloud using the following addresses and ports:

Mac/Windows

64.156.192.220, 64.156.192.221, 74.50.63.14, 74.50.63.8, *.amazon.com - TCP ports 80, 443, 993, 60000-61000

iOS

64.156.192.220, 74.50.63.14, 50.18.152.159 - TCP port 443
* - TCP ports 2195, 2196, 5223

Android

64.156.192.220, 74.50.63.14 - TCP port 443
* - TCP port 5228


Here's the problem: I can get the iPad (from the internal network) to phone home and enroll itself in the MDM, but the MDM cannot access the iPad (on the internal network) once it is enrolled.

I have looked at the firewall log and cannot see anything being denied from the inside to the outside, and nothing denied on those ports to the inside.

Any ideas would help.

thanks
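As an added example (my own code, not from the post and not Meraki's documentation), the address and port list above expressed as data with a small evaluator, so that any given flow can be checked against it. The `EgressRule` class, the platform labels and the sample flows are assumptions made for illustration; `*.amazon.com` is taken to mean any name under amazon.com. Because the post describes these as connections the client initiates outbound, the evaluator deliberately returns False for any inbound or non-TCP flow, which makes it easy to see that a cloud-to-device connection is not something this list permits.

```python
"""Egress allowlist evaluator for the Meraki Systems Manager port list above.

Added example, not part of the original post or of Meraki's documentation.
The EgressRule class, platform labels and sample flows are assumptions made
for illustration; the addresses and ports are the ones listed in the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class EgressRule:
    platform: str                        # "mac_windows", "ios" or "android" (labels assumed)
    hosts: Tuple[str, ...]               # IPs, "*.domain" wildcards, or "*" for any destination
    ports: Tuple[Tuple[int, int], ...]   # inclusive TCP port ranges


# The post's list transcribed as rules. All entries are client-initiated
# outbound TCP connections.
RULES = (
    EgressRule("mac_windows",
               ("64.156.192.220", "64.156.192.221", "74.50.63.14", "74.50.63.8", "*.amazon.com"),
               ((80, 80), (443, 443), (993, 993), (60000, 61000))),
    EgressRule("ios", ("64.156.192.220", "74.50.63.14", "50.18.152.159"), ((443, 443),)),
    EgressRule("ios", ("*",), ((2195, 2195), (2196, 2196), (5223, 5223))),
    EgressRule("android", ("64.156.192.220", "74.50.63.14"), ((443, 443),)),
    EgressRule("android", ("*",), ((5228, 5228),)),
)


def host_matches(pattern: str, dest: str) -> bool:
    """True if the destination (IP or DNS name) is covered by the rule's host pattern."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Assumption: "*.amazon.com" means any name under amazon.com.
        return dest.lower().endswith(pattern[1:].lower())
    try:
        return ipaddress.ip_address(pattern) == ipaddress.ip_address(dest)
    except ValueError:
        # pattern or dest is not an IP literal: compare as names
        return pattern.lower() == dest.lower()


def is_allowed(platform: str, dest: str, port: int,
               proto: str = "tcp", direction: str = "outbound") -> bool:
    """Check one flow against the allowlist.

    The list only covers TCP connections the client opens towards the cloud,
    so UDP or inbound flows (cloud -> device) never match any rule.
    """
    if proto != "tcp" or direction != "outbound":
        return False
    return any(
        r.platform == platform
        and any(host_matches(h, dest) for h in r.hosts)
        and any(lo <= port <= hi for lo, hi in r.ports)
        for r in RULES
    )


def explain(flows):
    """Evaluate a batch of (platform, dest, port, proto, direction) tuples."""
    return [(f, is_allowed(*f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 is a documentation-range placeholder.
    for flow, ok in explain([
        ("ios", "64.156.192.220", 443, "tcp", "outbound"),
        ("ios", "203.0.113.5", 5223, "tcp", "outbound"),
        ("ios", "64.156.192.220", 80, "tcp", "outbound"),
        ("ios", "192.168.1.50", 443, "tcp", "inbound"),
    ]):
        print("ALLOW" if ok else "DENY ", flow)
```

Feeding the evaluator the flows seen in a firewall log is a quick way to separate "denied because it is not on this list" from "denied for some other reason".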

Network Protection: Issues with Excessive Default Drop

Got a little issue here. Like the title says, I am getting excessive Default Drops and it's all coming from 3 devices: one is a Direct TV box, one is an Android, and finally a VM client connected to ESXi (which is not shown in this Live Log). I have already created the service definitions and enabled a rule for the firewall,

Any Internal (Network) > Service (Destination Port 47653 or 15740 Source Range 1:65535) > Any

But I am not sure why it's going to the router, which is 192.168.2.1. I have ICMP through Gateway turned on, as well as Ping and Traceroute through Gateway, figuring it might want to get out somehow. But I still get the messages.

I also temporarily enabled Allow ICMP on Gateway, Allow ICMP through Gateway, and Log ICMP redirects. But this has not cleared up the problem.

192.168.2.12 is the Direct TV receiver, and X.19 is the one Android device. As of yesterday I have 9k packet drops between X.X.X.12 and X.X.X.19.

Any help would be appreciated. - Alex

Correct VPN Remote Access Setup for Internal and External Users

Hello everyone,
I am currently auditing our firewall, and as part of this work I want to enable easier Remote Access configuration.

Currently we use the following setup:
External users: PPTP with local accounts on the ASG
Internal Users: L2TP with AD-Accounts and PSK (iOS Access required)

The L2TP setup works fine for internal users. We deploy the connection to the clients via software deployment, and users have access via an AD group.

We want to enable external users to use Windows tools (no client install required) as well. That's why PPTP is used (we do not want to hand out the PSK to external companies).

Is there any alternative that meets all requirements but allows both kinds of users to be managed from the AD?

For internal users, "auto-deployment" is important. The users should be able to get access without having to manually install/download certs etc.

Any ideas?

Best regards

[9.106] problems with backup import, passwords, etc.

Hi,

I installed 9.006 on a spare HP 1U server at work on Friday, and loaded a backup file from 7.509 via USB stick.
I then logged into the console as root, and it asked me for a new password, which I thought was a little odd, but I put in the same password (twice) that I use on the 7.509 system.

The backup restore obviously at least partially succeeded, as the hostname was correctly set, and both NICs have the correct IPs.

However, when I racked it and turned it on at the datacenter today, I could not log into the console with my root password. I also tried 'loginuser', which also failed.

I connected my laptop directly to eth1 (LAN); the laptop did get an IP, but it cannot seem to connect to WebAdmin.

I tried restoring the backup from the USB stick again, but still cannot log in.

I un-racked it and it's in my trunk for now; I will work on it more later this week.

Any recommendations are appreciated; and I am willing to perform some tests if anyone wants.
Otherwise, I will try the following:
a. reset the root and loginuser passwords via WebAdmin on 7.509, make a new backup file and try restoring that

b. boot into runlevel 1 from grub and change the password.

Then I will try to figure out what's going on with webadmin.

Thanks,
Barry

Exchange behind UTM

Hello,

I have to set up a UTM. Behind the UTM there is an Exchange server, which is reachable via SMTP from the Internet. Which settings do I specifically need to make in the Mail Security tab? Unfortunately I have never had an Exchange server behind a UTM before.

Thanks and regards

SMB/NetBIOS Broadcasts SSL VPN

Hey guys, it's probably a simple question.

I travel around to my customers quite a bit and I use my laptop at their sites. So I'm always connected to our network by SSL VPN with Auto Firewall Rule enabled.

So today one of my customers complained that he is seeing all of our Windows/Samba servers and workstations when he browses his Windows Network. So I connected to one of his servers and checked; it's true.

How come my laptop forwards those packets, probably broadcasts? So the question is: how can I suppress this? I still want to be able to use SMB file sharing.

Skype and the UTM

Hello,

We have UTM 9 and want to allow Skype for one client, while the rest must not have it. In the UTM there is the Application Control rule for Skype, which initially blocks Skype completely for everyone. We created a new Application Control rule ordered before it, in which only that PC is allowed Skype. (see attached file)
But the client is still blocked. (see attached file) I cannot log in.

Then I tried, as is frequently recommended, to set up SOCKS.
I have documented the configuration in screenshots.
Do I also need a firewall rule for SOCKS that opens port 33033 for the client? I created one that, for now, lets everything through from the client.
In any case I still cannot log in to Skype. Not with either variant.

If I disable the Application Control rule, i.e. effectively switch off the filter, then the connection works.

But we do not want to allow Skype for the whole network, only for a single client/user.

What am I doing wrong? Can anyone help me? :confused:

Thanks, Katrin

Quarterly report of all blocked attacks?

Hello everyone,

As mentioned in the title, I would like to generate, as automatically as possible, a report of all blocked attacks over each quarter (3 months). As attacks I count everything the IPS detects, all blocked e-mails (a breakdown by reason would be good here), content blocked by the web filter, and so on.
The report should contain as little "superfluous" information as possible, i.e. anything that is not counted as an attack/threat.

Unfortunately I have not been able to find such a report. Via the SUM I can generate reports for individual categories, but I am far from having them automatically mailed as a PDF file.

It would be especially good if this report could also directly include several clusters, but that is only the icing on the cake in case it is possible; if not, it is no big deal, there will just be several reports.

Is there any way to achieve this?

P.S.: The clusters are running version 9.0, the SUM version 4.

Share files between wireless and wired clients

One other quick question... and forgive me if my technical ignorance translates into a stupid question... but I've got one wireless access point working (Sophos AP 30) and my internal network. Both seem to be configured correctly and can connect to the Internet. However, because (I presume) they are on different subnets (172.16.xx.xx for the AP and 192.168.yy.yy for the internal network), the hosts can't communicate with one another. Do I want to keep it this way (segregated) for security purposes? What's the best way to share files between wireless and wired clients? I've got Windows 2012 Server running with DNS working fine, but haven't configured AD yet. I'm pretty sure I can get that working, but I'm not certain that it will help if the two sets of hosts are on different subnets... appreciate any direction you can offer. Cheers!

Failover MX-Scenario

Hello
I am currently thinking about implementing a fallback scenario for our mail-server.

Currently we are using two uplinks with static addresses. One is used for mail (via Multipath rule). The MX record points to an A record which resolves to this static address.

What I now want is the following:
mydomain.de MX 1 mail1.mydomain.de
MX 10 mail2.mydomain.de

mail1.mydomain.de A <IP of main line>
mail2.mydomain.de A <IP of fallback line>

The fallback line is configured for standby, so it's down while the other line is up. If I understand MX records correctly, this config would ALWAYS refer to mail1.mydomain.de unless mail1.mydomain.de is unreachable, right?

So that would be a working failover scenario that would also make sure that my domain doesn't get blacklisted due to a wrong sender address, right?

Thanks to you guys for double-checking
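As an added example (my own code, not from the post), the MX selection a sending MTA performs against the zone layout described above: records are tried in ascending preference value, hosts with equal preference in random order, and the next host is tried only when the previous one does not accept a connection (RFC 5321 section 5.1). MX records only govern where inbound mail is delivered, so the example models inbound delivery only. The addresses are placeholders from the documentation ranges, and the `try_connect` callback stands in for a real SMTP connection attempt.

```python
"""MX selection with failover, as a sending MTA performs it (RFC 5321 section 5.1).

Added example, not part of the original post. MX records govern where inbound
mail is delivered, so this models inbound delivery only. The addresses are
placeholders from the documentation ranges, and try_connect stands in for a
real SMTP connection attempt.
"""
import random
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Constructed records mirroring the zone layout in the post.
MX_RECORDS: List[Tuple[int, str]] = [
    (10, "mail2.mydomain.de"),  # fallback line
    (1, "mail1.mydomain.de"),   # main line
]
A_RECORDS: Dict[str, str] = {
    "mail1.mydomain.de": "198.51.100.10",  # assumed main-line address
    "mail2.mydomain.de": "203.0.113.10",   # assumed fallback-line address
}


def order_mx(records: Sequence[Tuple[int, str]], rng=random) -> List[str]:
    """Lowest preference value first; hosts sharing a value are tried in random order."""
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def deliver(records: Sequence[Tuple[int, str]], a_records: Dict[str, str],
            try_connect: Callable[[str], bool]):
    """Walk the MX list in preference order and stop at the first host that accepts
    a connection. Returns (host, ip, attempts); host and ip are None when every
    MX failed, which is when a sender queues the message and retries later."""
    attempts: List[Tuple[str, Optional[str], str]] = []
    for host in order_mx(records):
        ip = a_records.get(host)
        if ip is None:
            attempts.append((host, None, "no A record"))
            continue
        if try_connect(ip):
            attempts.append((host, ip, "connected"))
            return host, ip, attempts
        attempts.append((host, ip, "unreachable"))
    return None, None, attempts


if __name__ == "__main__":
    # Simulate the main line being down: only the fallback address answers.
    main_line_down = {"198.51.100.10"}
    host, ip, log = deliver(MX_RECORDS, A_RECORDS, lambda addr: addr not in main_line_down)
    print(host, ip)   # mail2.mydomain.de 203.0.113.10
    for entry in log:
        print("  ", entry)
```

With the main line up, every sender ends at mail1 after one attempt; with it down, mail1 is logged as unreachable and mail2 receives the connection. A host listed in the MX set without an A record is skipped rather than treated as a delivery failure.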

UTM 9 + Hyper-v

Sophos UTM with Hyper-v

I am trying to create an isolated Hyper-V network within a working network while still retaining access to the Internet.

I am using Server 2012 & Hyper-v Along with Sophos UTM 9. (I want to try out the web filtering part.)

What I have got working so far:
• The server has 4 x Ethernet ports.
• Port 3 is connected to a switch on the existing infrastructure with a static IP, which is solely used for the host computer.
• Port 4 is used as an External virtual switch.
• There is a Private virtual switch for the VMs.
• Sophos does the mapping from the External switch to the private switch keeping the traffic from the existing network out of the Hyper-v setup.

The above works well.
I want to attach some Physical computers to the Hyper-v network to test some GPO and other domain related stuff.
My thoughts were to:
• Attach a cable from port 1 of the server to a physical switch
• Add another Nic to the Sophos UTM & call it Lan-Physical
• Map the Lan-Physical to the Private nic
• This would enable Lan-Physical to get a DHCP address from the server on Private & all internet traffic would be sent via external.

Is it possible to do this? If so how can I get it working Or is there an easier way than what I am trying to do?

Az

Firewall Rules Not Taking Effect

Here is the setup:

UTM220 (tagging VLANs 50-51,55 on eth0)
HP ProCurve V1910-48GB (tagging VLANs 50-51,55 on Gi1/0/48)

For testing purposes I put one port on the switch on VLAN50 and one on VLAN51. You are unable to ping from VLAN51, but you can access the web interface of anything on the VLAN50 network. The gateway for each network is the UTM firewall.

I even created a rule and placed it at the top as follows: VLAN51 > Any > VLAN50 > Reject. I logged the traffic for that packet filter, but when I open the live log I don't see anything. My feeling is that it's going through the switch and not even hitting the firewall. I don't want the switch to do ACLs because the V1910 series (from what I read) can be a pain when doing ACLs.

On the switch there is only one VLAN interface for VLAN50 and not for 51,55.

Any ideas?

Basically, all I want is for the VLAN51 network to have SMB access to the VLAN50 network when the new file server goes online, and that's it.

SSL VPN and DNS Resolution

Running Sophos UTM 9.103-5
Behind the firewall I am running a Windows Home Server 2011 with the DNS role enabled
Windows 7 x64 client laptop running the Sophos x86 OpenVPN client 2.0.0.0
Internal network 192.168.10.0/24
SSL VPN Ip Pool: 192.168.100.128/28

I have two SSL tunnel profiles activated on my UTM
One with a gateway and the other local networks defined only

When connected to the profile with gateway network the remote access runs fine with all of my internal network devices (homeserver.myssldomain.com, xbmc.myssldomain.com, zoneminder.myssldomain.com) being resolved to the internal network ip addresses and everything pinging properly to the internal IP's.

When I connect via the split tunnel profile (no Internet access across the VPN tunnel), internal name resolution for myssldomain.com devices is lost and defaults to the public DNS entries for myssldomain.com. I CAN ping all internal IPs, so the tunnel works, and if I do an NSLOOKUP specifying the internal homeserver.myssldomain.com DNS server, DNS resolution is correct, so the DNS service is not being blocked by any firewalls.

On my Windows7x64 installation, an ipconfig /all shows the following:
Code:

Windows IP Configuration

  Host Name . . . . . . . . . . . . : MYLAPTOP
  Primary Dns Suffix  . . . . . . . :
  Node Type . . . . . . . . . . . . : Broadcast
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : companynetwork.com
                                      myssldomain.com

Ethernet adapter Local Area Connection:

  Connection-specific DNS Suffix  . : companynetwork.com
  Description . . . . . . . . . . . : Targus Giga Ethernet
  Physical Address. . . . . . . . . : 00-01-02-03-04-05
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : aaaa::bbbb:cccc:dddd:f75a%35(Preferred)
  IPv4 Address. . . . . . . . . . . : 10.10.99.100(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : Monday, August 12, 2013 8:28:47 AM
  Lease Expires . . . . . . . . . . : Monday, August 12, 2013 11:58:47 AM
  Default Gateway . . . . . . . . . : 10.10.99.1
  DHCP Server . . . . . . . . . . . : 10.10.99.1
  DHCPv6 IAID . . . . . . . . . . . : 285233334
  DHCPv6 Client DUID. . . . . . . . : 00-01-02-03-04-05-06-07-08-09-0A-0B-0C-0D
  DNS Servers . . . . . . . . . . . : 10.10.99.1
  NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter OpenSSLVPN:

  Connection-specific DNS Suffix  . : myssldomain.com
  Description . . . . . . . . . . . : Sophos SSL VPN Adapter
  Physical Address. . . . . . . . . : 00-AA-BB-CC-DD-EE
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : dddd::cccc:bbbb:aaaa:70eb%17(Preferred)
  IPv4 Address. . . . . . . . . . . : 192.168.10.134(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.252
  Lease Obtained. . . . . . . . . . : Monday, August 12, 2013 8:33:09 AM
  Lease Expires . . . . . . . . . . : Tuesday, August 12, 2014 11:01:03 AM
  Default Gateway . . . . . . . . . :
  DHCP Server . . . . . . . . . . . : 192.168.10.133
  DHCPv6 IAID . . . . . . . . . . . : 419495790
  DHCPv6 Client DUID. . . . . . . . : 0D-0C-0B-0A-09-08-07-06-05-04-03-02-01-00
  DNS Servers . . . . . . . . . . . : 192.168.100.253
  Primary WINS Server . . . . . . . : 192.168.100.253
  NetBIOS over Tcpip. . . . . . . . : Enabled

Please note that the VPN DNS server is resolving correctly. I am not running in any kind of Active Directory network at my company (I am behind another Sophos UTM running DHCP and DNS on the UTM). I think this is some kind of option missing on the SSL VPN client.

Any suggestions on troubleshooting would be helpful.
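As an added example (my own code, not from the post or from Sophos), a parser for the `ipconfig /all` output above and a model of the split-DNS policy the post is after: queries for names under the VPN adapter's connection-specific suffix (myssldomain.com) go to the VPN DNS server 192.168.100.253, queries for names under the LAN suffix go to the LAN server, and everything else goes to every adapter's servers. The sample text is a shortened copy of the output in the post; the section name `_global` and the function names are my own. The policy function shows what a split tunnel needs in order to resolve internal names; it does not model how the Windows 7 resolver actually chooses between adapters, which is the behaviour the post is troubleshooting.

```python
"""Parse `ipconfig /all` output and model a split-DNS server choice per adapter.

Added example, not part of the original post. SAMPLE is a shortened copy of
the ipconfig output in the post; "_global" and the function names are
assumptions made here. dns_servers_for() models the split-DNS policy wanted
for the VPN, not the Windows resolver's actual adapter selection.
"""
import re
from typing import Dict, List

SAMPLE = """\
Windows IP Configuration

  Host Name . . . . . . . . . . . . : MYLAPTOP
  DNS Suffix Search List. . . . . . : companynetwork.com
                                      myssldomain.com

Ethernet adapter Local Area Connection:

  Connection-specific DNS Suffix  . : companynetwork.com
  IPv4 Address. . . . . . . . . . . : 10.10.99.100(Preferred)
  Default Gateway . . . . . . . . . : 10.10.99.1
  DNS Servers . . . . . . . . . . . : 10.10.99.1

Ethernet adapter OpenSSLVPN:

  Connection-specific DNS Suffix  . : myssldomain.com
  Description . . . . . . . . . . . : Sophos SSL VPN Adapter
  IPv4 Address. . . . . . . . . . . : 192.168.10.134(Preferred)
  Default Gateway . . . . . . . . . :
  DNS Servers . . . . . . . . . . . : 192.168.100.253
"""

# "  Key . . . . : value"; the key is everything before the run of dots/spaces
# that precedes the first colon, so IPv6 values containing colons stay intact.
KV_RE = re.compile(r"^\s+(?P<key>[^:]+?)[ .]*:\s?(?P<val>.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {section: {key: [values]}}.

    Section headers start in column 0 ("Windows IP Configuration" is stored as
    "_global"); key lines are indented two spaces; deeper-indented lines continue
    the previous key (multi-valued fields such as DNS Servers or the suffix list).
    Keys with no value (the VPN adapter's Default Gateway) map to an empty list.
    """
    sections: Dict[str, Dict[str, List[str]]] = {"_global": {}}
    current, last_key = "_global", None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            name = line.rstrip(":")
            current = "_global" if name == "Windows IP Configuration" else name
            sections.setdefault(current, {})
            last_key = None
            continue
        m = KV_RE.match(line) if indent <= 2 else None
        if m:
            last_key = m.group("key")
            values = sections[current].setdefault(last_key, [])
            if m.group("val").strip():
                values.append(m.group("val").strip())
        elif last_key is not None:
            sections[current][last_key].append(line.strip())
    return sections


def dns_servers_for(name: str, sections: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Split-DNS policy model: a query goes to the DNS servers of the adapter whose
    connection-specific suffix matches the name (longest suffix wins); a name that
    matches no adapter suffix goes to the servers of every adapter, in listed order."""
    host = name.lower().rstrip(".")
    best_suffix, best_servers = "", []
    all_servers: List[str] = []
    for section, kv in sections.items():
        if section == "_global":
            continue
        servers = kv.get("DNS Servers", [])
        all_servers.extend(servers)
        suffix = (kv.get("Connection-specific DNS Suffix") or [""])[0].lower()
        matches = suffix and (host == suffix or host.endswith("." + suffix))
        if matches and len(suffix) > len(best_suffix):
            best_suffix, best_servers = suffix, servers
    return best_servers if best_suffix else all_servers


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE)
    for query in ("homeserver.myssldomain.com", "intranet.companynetwork.com", "www.example.com"):
        print(query, "->", dns_servers_for(query, parsed))
```

Running the parser over a client's real `ipconfig /all` and comparing `dns_servers_for("homeserver.myssldomain.com", ...)` with the server that actually answered (visible in a packet capture on port 53) shows immediately whether the suffix-to-server mapping is the part that is not being honoured.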

AP30 - UTM9 - Wireless Broadcast

I have a UTM9 appliance; I have the static route 1.2.3.4 255.255.255.255 10.1.1.1 (gateway appliance IP) configured in my router.
I can ping the AP
I can trace 1.2.3.4 which arrives at the gateway appliance, however the Access Point never registers with the appliance.

[9.103][BUG] Grant Read-Only Access unchecked on Auditor and ReadOnly Roles

1. Under Management->WebAdmin->Access Control, the "Grant Read-Only Access" checkbox is unchecked.

2. If I add a user to ONE role and check the box and save, then BOTH roles now have it checked.

#2 seems like it could be a browser cache or session-state bug

I didn't test #1 to see what would happen if I leave it unchecked, but now I can't test it as they're checked now.

Barry

[9.006] Auditor-role user cannot change own password

Hi,
An Auditor-role user cannot change their own password via WebAdmin.

User portal does allow it.

Barry

Failed to read certificate

Getting youtube certificate error

https://www.youtube.com connection is untrusted

Log is filled with a lot of the entries listed below.

httpproxy[6741]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_log" file="scr_scanner.c" line="1126" message="2nd colon found in domain with no username"

httpproxy[6741]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xa5f49e0" function="ssl_cert_read" file="ssl.c" line="182" message="certificate invalid, removing"

httpproxy[6741]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xa5f49e0" function="ssl_certcache_lookup" file="ssl.c" line="472" message="failed to read certificate: Invalid argument"

httpproxy[6741]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_handle_cmd" file="scr_scanner.c" line="507" message="cffs07.astaro.com: write: Connection refused"
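As an added example (my own code, not from the post or from Sophos), a parser for the `key="value"` httpproxy log format shown above, with two triage helpers: one groups lines by their `request` handle and reports requests whose trail contains a certificate read or validation failure, the other pulls out backends the proxy could not write to. The first four sample lines are copied from the post; the fifth is constructed (a second request handle, `0xb0000001`) to show grouping across requests. The function and variable names are my own.

```python
"""Parser and triage for the Sophos UTM httpproxy key="value" log lines above.

Added example, not part of the original post or of the Sophos product. The
first four sample lines are copied from the post; the fifth is constructed
(a second request handle, 0xb0000001) to show grouping across requests.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

SAMPLE_LINES = [
    'httpproxy[6741]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_log" file="scr_scanner.c" line="1126" message="2nd colon found in domain with no username"',
    'httpproxy[6741]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xa5f49e0" function="ssl_cert_read" file="ssl.c" line="182" message="certificate invalid, removing"',
    'httpproxy[6741]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xa5f49e0" function="ssl_certcache_lookup" file="ssl.c" line="472" message="failed to read certificate: Invalid argument"',
    'httpproxy[6741]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_handle_cmd" file="scr_scanner.c" line="507" message="cffs07.astaro.com: write: Connection refused"',
    # constructed line: same failure on a second request handle
    'httpproxy[6741]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xb0000001" function="ssl_certcache_lookup" file="ssl.c" line="472" message="failed to read certificate: Invalid argument"',
]

PREFIX_RE = re.compile(r"^(?P<proc>\w+)\[(?P<pid>\d+)\]:\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')          # key="value" pairs; values may contain spaces
REFUSED_RE = re.compile(r"^(?P<host>[^\s:]+): write: Connection refused$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split 'proc[pid]: k="v" k="v" ...' into a flat dict; None if not this format."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = {"proc": m.group("proc"), "pid": m.group("pid")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def cert_failures(records: List[Dict[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Group by request handle (ignoring "(nil)") and report requests whose trail
    contains a certificate read/validation failure, with the functions touched in order."""
    by_req: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for r in records:
        if r.get("request") and r["request"] != "(nil)":
            by_req[r["request"]].append(r)
    failing = {}
    for req, recs in by_req.items():
        msgs = [r.get("message", "") for r in recs]
        if any(m.startswith(("certificate invalid", "failed to read certificate")) for m in msgs):
            failing[req] = {"functions": [r.get("function", "") for r in recs], "messages": msgs}
    return failing


def refused_backends(records: List[Dict[str, str]]) -> List[str]:
    """Hosts the proxy reported 'write: Connection refused' for, in first-seen order."""
    hosts: List[str] = []
    for r in records:
        m = REFUSED_RE.match(r.get("message", ""))
        if m and m.group("host") not in hosts:
            hosts.append(m.group("host"))
    return hosts


def summarize(lines: List[str]):
    """Parse lines and return (records, counts per source location, cert failures, refused hosts)."""
    recs = [r for r in map(parse_line, lines) if r]
    by_site = Counter((r.get("function"), r.get("file"), r.get("line")) for r in recs)
    return recs, by_site, cert_failures(recs), refused_backends(recs)


if __name__ == "__main__":
    recs, by_site, failing, refused = summarize(SAMPLE_LINES)
    for site, n in by_site.most_common():
        print(n, site)
    print("certificate failures:", failing)
    print("refused backends:", refused)
```

Counting by `(function, file, line)` rather than by message text keeps entries with variable message content (the refused host name, the request handle) in one bucket, which is what you want when deciding whether a log "filled with entries" is one repeating fault or several.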

Integrating a 2nd public WAN IP range

Hello everyone,

We have been assigned a further public IP range by our provider.

Both ranges are provided by the same provider router.

I am now wondering how best to integrate the 2nd IP range into the UTM.

Within the same IP range this is done via an additional address. The 2nd IP range naturally has a different gateway, which cannot be entered there.

Regards

SchmiP