Channel: Sophos User Bulletin Board

Cannot search for 'SNAT' on NAT page


How to create an SSL VPN Server certificate manually

Hi, for some reason, my X509 server certificate was corrupted so I had to delete it from the server.

Can someone detail the steps to manually create a new certificate? In particular, I do not know what to select in the drop down list of options to replace the automatically created certificate.

Thanks in advance.

Shun

How to handle proxy settings for multi site/firewall network and a traveling user

I'm looking for a good way to handle proxy settings when a user moves between locations. Assume the following:

User: Joe

Site 1: UTM 220 with Web Protection
Joe's primary office

Site 2: UTM 120 with Web Protection
Joe visits this site occasionally and may bring his own laptop or use an on-site device.
  • Site 1 and 2 are connected with site to site VPN.
  • Machines at Site 1 and Site 2 are on the same domain.
  • Joe's proxy settings are controlled via GPO and currently point to the site 1 firewall as the proxy.
  • Most users have a static location, and there is a GPO for users at site 1 and a GPO for users at site 2 setting their proxy respectively.

The problem is I don't want Joe to have to change his proxy settings manually each time he logs in at site 2, and I don't want all his web traffic to have to jump across the vpn, otherwise it defeats the purpose of having web protection on the firewall at site 2. I'd need to have a dynamic way of setting his proxy appropriately depending on his location.

Here are a few suggestions I've come across that are not exactly ideal.
  • Multiple domain accounts - I do not want users to have to keep track of multiple domain accounts.
  • Control proxy via DHCP scope - Works unless the machine has a static IP, i.e. Joe is an IT staff member and is logging onto a server.

Allowing Programs to access the internet

Hi Everyone,
I was wondering if someone could assist me in trying to understand why this is being blocked, or where I can search to find it and allow it.

Background:
If I go to the website foxit.com and download their reader, the website changes to the Sophos download page and it downloads the files; all is good.

Now in some cases the website changes to the Sophos download page and sometimes it doesn't; for example it does for Adobe, and I'm assuming that is due to the generic exclusion that is already created.

Now if I use the update program ninite.com, it also goes (at least this is what they told me) to the same website via HTTP and downloads the files; however, it receives an error, "Content length does not match: 1315", which I'm told is caused by a blocking device, firewall, proxy etc.

Now if I disable or allow full access for that specific PC, everything works fine, so that would tell me that the proxy is blocking it. However, when I look up the logs, I see the foxit website; both are the same, the only issue is that the proxy approves me but will not for the programs, as user "" is blank... I use the program to update clients' PCs.

Proxy is setup as Transparent, with WebProtect profiles for Employees.

Thoughts would be greatly appreciated.

Suite-B Encryption RFC6379 - Suite-B-GCM-128 / Suite-B-GCM-256

Does anyone have experience configuring IPSec to match the Suite B Cryptographic Suites for IPSec per RFC 6379?

If so what are your experiences compared to the built in AES-128 / AES-256 policies? Were performance issues noted, any connection problems?

RFC 6379 - Suite B Cryptographic Suites for IPsec

3.1. Suite "Suite-B-GCM-128"

This suite provides ESP integrity protection and confidentiality using 128-bit AES-GCM (see [RFC4106]). This suite or the following suite should be used when ESP integrity protection and encryption are both needed.

ESP:
  Encryption: AES with 128-bit keys and 16-octet Integrity Check Value (ICV) in GCM mode [RFC4106]
  Integrity: NULL

IKEv2:
  Encryption: AES with 128-bit keys in CBC mode [RFC3602]
  Pseudo-random function: HMAC-SHA-256 [RFC4868]
  Integrity: HMAC-SHA-256-128 [RFC4868]
  Diffie-Hellman group: 256-bit random ECP group [RFC5903]

3.2. Suite "Suite-B-GCM-256"

This suite provides ESP integrity protection and confidentiality using 256-bit AES-GCM (see [RFC4106]). This suite or the preceding suite should be used when ESP integrity protection and encryption are both needed.

ESP:
  Encryption: AES with 256-bit keys and 16-octet ICV in GCM mode [RFC4106]
  Integrity: NULL

IKEv2:
  Encryption: AES with 256-bit keys in CBC mode [RFC3602]
  Pseudo-random function: HMAC-SHA-384 [RFC4868]
  Integrity: HMAC-SHA-384-192 [RFC4868]
  Diffie-Hellman group: 384-bit random ECP group [RFC5903]

Downloading Policy Editor

We purchased Safeguard Easy & need to download the Policy Editor. Where do I find the download link?

Thanks!

can't reach webserver running on different port

I have 2 webservers (with their own internal IP) behind 1 public IP.
The first one is IIS for OWA, the 2nd one is an Apache webserver where people login to for an internal application. I have it listening on port 800.
I made a html redirect from http://webserver2.company.com to http://webserver2.company.com:800 so they don't have to know the port.
I have a hosts entry for webserver2.company.com that points to the internal IP
I can reach http://webserver2.company.com:800 just fine internally, but not from the outside.

Here's how I set up Astaro V7:
- networks: webserver2 192.168.100.18
- services: HTTP 800 TCP 1:65535 → 800
- packet filter: Any webserver2 HTTP 800 ALLOW
- DNAT: Any → HTTP 800 → Extern (Address)
Destination translation: webserver2


Problem is that I can't reach the webserver from the outside.
I need this up and running on monday, so I'd very much appreciate any help with this.

Plex Media Server on NAS

I have got a media server that isn't working properly, and in the Plex Media Server forums several posts point to firewall issues.
The server is half working: it is not pulling in cover art and several other things are not working properly.
I want to set up Sophos UTM9 9.105-9 so that the traffic from my NAS running the Plex Media Server can work properly. Do I need NAT rules or masquerading set up?

Strange problem Skydrive

My skydrive is continuously trying to update some added files (they were added from another location).
So say I added files from location A and I'm now at location B.

Location B is trying to sync the local skydrive with the cloud version but not everything is syncing and skydrive tries continuously.

In the firewall log I see a lot of packets coming from a Microsoft server on port 443 going to my external WAN address at some high port number.

I just unchecked "scan HTTPS traffic" and now all of a sudden all files are synced. I didn't think of checking which file was missing (it was only 1 file that didn't sync while several others did successfully sync).

It seems that something was blocking this 1 file due to scan HTTPS.

Is this a known issue or can I somehow get around this?

Mal/Iframe-Y blocking on bulletin boards

I hope I'm posting this in the correct subforum. Please let me know if not.

I'm having a problem (in fact all Sophos users are) accessing the forums at MTG Salvation Forums

I'm getting this error when I try to click on the first page of a given thread:



Now there have been many ways to discover work-arounds to this -- namely to add a non-number character after the thread URL (for example, if the thread ends in ...=19437 you could put something like '...=19437a' and it would load properly). This isn't the only forum that Sophos has blocked in the last year. http://forum.rpg.net/forum.php has also experienced some Sophos-only related blocking, although it's been a while, and I don't remember what it was blocking then.

The moderators at MTGSalvation don't know what's causing this or how to fix it. I'm hoping someone here will have an answer.

Erratic speed test results

To try and clarify the problem:

We are a film production studio and I have an astaro 220 ver 7.513 setup for inhouse needs and for semi-public access by our clients and guests. AT&T 20meg fiber connection. My speed tests are very erratic.

Test results range from:
ping = 9 to 25 ms
4 to 18 Mbps down
4 to 15 Mbps upload.

Clients that connect through the Astaro complain that their browsing experience is too slow when just reading emails or general surfing, etc. When I test the network with speedtest.net I will get results within minutes of each other that vary across the entire range of the above test results.

I use SSL VPN to access the 3 Security dvr's onsite.

I am not that versed in the configuration but hope that by posting my configuration someone can detect if the inconsistent broadband speed tests are due to some improper rules.

Even if I upgrade to V8 would the current rules be a reason for my problem?

Thanks in advance.

Attached Images
File Type: jpg dashboard.jpg (102.8 KB)
File Type: jpg rules.jpg (95.7 KB)

URL Filtering: Additional URLs/sites to block

I'm having trouble figuring out how to use this new method of allowing or blocking websites found on Web Filtering > URL Filtering > Additional URLs/sites to block.

In order to test whether I had it working correctly, I decided to try to block a site I really like. According to the documentation "you have to enter the entire domain name, including e.g. www."

So here is how I tried to block the site:
1. Clicked the + to Add a new rule.
2. Named the profile, and typed in (without quotes) "www.example.com"
3. Clicked Save
4. Clicked Apply

I then went to browse to that website and lo and behold - no blocking occurred. So I thought, perhaps I'm misreading something. So I then changed the rule to list "http://www.example.com" instead of just "www.example.com" and it still refused to block.

What am I doing wrong? This used to work before they added the regex patterns and now I can't figure out why it doesn't work. Tried searching the forum but couldn't find anything so I decided to post.

Can anyone help me with this?

Thanks in advance,

Jonathan

NOTE: I'm running firmware version: 9.105-9

Having trouble with initial install

Hello,

I am trying to set up Sophos UTM 9.1 as a VM on Windows Server 2012, though I am having an issue. First off, here is my configuration.

Windows Server 2012 (No GUI) with 3 NICs. One NIC serves as the management on a separate address (192.168.1.x). My other two NICs are for the firewall: an external (10.0.0.x) and an internal network (192.168.0.x). I know the configuration works as I am currently running Threat Management Gateway w/ Exchange Edge 2010.

I created a VM and hard drive for Sophos: 4 GB RAM, 80 GB hard drive, with Internal as the first NIC and External as the second NIC on the Hyper-V management page.

I downloaded asg-9.103-5.1.iso, put it on a flash drive and set the DVD drive for the Sophos machine to that. I got through the setup and selected eth0 as the WebAdmin NIC. I set the WebAdmin address as 192.168.0.3, mask 255.255.0.0. I proceeded with the install and reboot. The machine then told me to log in to https://192.168.0.3:4444 for the WebAdmin.

Mind you, this is the first time I am trying to work with Sophos UTM, so I have been following this page as a guide (Building a Home Network - Part 3 Firewall VM | Existential Tech - IT Infrastructure Blog). From a laptop inside the network I enter the address and am greeted with "There is a problem with the website's security certificate." I hit continue and am greeted with "page could not be displayed". How do I progress further?

Thank You,

Michael R. Mastro II

Seemingly faulty reply packets

Hi folks,

Since the update before last of the UTM9 I have had an inexplicable phenomenon.

Reply packets are simply being discarded [ACK RST].
The packets belong to the response of a web page. What I find really funny is that the corresponding .com page is displayed correctly; only the .de page it then forwards to is discarded/blocked.

I know what kind of packets are being discarded there, I just don't know why!

Even a rule that allows everything discards these packets with the reference "Default drop".

I have not created an automatic rule anywhere, but I cannot explain this behaviour.

Has anyone had similar experiences in this regard, or can anyone help me out? I seem to be unable to see the wood for the trees right now.

PS: I have opened the website from two different locations and it is the same on both: the UTM discards the packets, an alternative firewall lets them through.

Strato DynDNS

Hello everyone,

Since Dyn no longer really offers free accounts and I forgot to log in there in time, I currently have no DynDNS provider any more. Now I would like to use Strato, where I already have my domain anyway, as the DynDNS provider. Does anyone have experience with that? I keep being told that I have entered either the password or the user name wrong.

Regards

Tip: put any in Local Networks for Remote access

I found this tip and wonder why I hadn't thought about that myself.
When you put any in Local Networks, all traffic is sent to your UTM when someone is remotely connected to it.
Of course you will need to add the VPN pool to your Masquerading list, and possibly also the Webfiltering and DNS lists and I would also make sure not to use auto Firewall rules if you don't want these inbound connections to be able to reach anything reachable from your UTM.

But by defining any, you can be certain that all traffic is sent over the encrypted VPN link, especially at places where you are using public free wifi hotspots which are often open networks and therefore the traffic in these networks is not encrypted (many passwords will be sent unencrypted over the air).

Another benefit is that any potential MITM malware can not easily "phone home".

Help - stumped - can't access some sites ... not sure where to look

I have a home Astaro

- Two interfaces - cable & dsl
- multipath enabled... most routes out cable, but some traffic (voip) out dsl
- using NAT
- most everything is turned off: intrusion prevention, etc
- I have added an "any -> any > Internet" rule. Even tried any->any->any.

This has all worked for a long time...

Recently... I cannot get to some sites (discussions.apple.com, app store, etc) for example from any of my internal machines. But if I pull the cable connection to my astaro box, then I can get to all the sites.

The strange part. I have cloned my laptop mac address into the astaro for seamless switching. When I plug the laptop directly into the cable modem I can get to these sites.

I recently replaced my cable modem with a purchased modem to avoid cable lease fees. But I think the cable is fine as I can access via the laptop connected.

I also recently updated to 9.1

Where should I look? I see nothing interesting in the firewall log, except occasional "default dropped" of traffic from apple servers.

openSuSE Linux Updates very slow

Hello all

I'm fairly new to using Sophos, but am quite happy with it so far. I am currently running Release 9.105-9 on a dedicated PC.

I've just recently run into an issue where my main desktop is having trouble updating. The updates themselves are completing, but are downloading very slowly. This never happened before I installed the Sophos device.

I checked the firewall, and as soon as my desktop went online, the firewall went crazy blocking attempts to connect to it. I've attached the live log, and you'll see hundreds of attempts to connect to my desktop (.1.108) from many various sources.

I've tried looking up some of the IPs and am unable to safely validate many of them.

Can anyone shed some light on this?

Thanks!

Attached Files
File Type: txt firewall.txt (19.2 KB)
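Reading a firewall live log by eye rarely answers the two questions that matter here: how many distinct sources are involved, and which destination port on the host they are all aiming at. The following is an added example, not from the post or from Sophos, that summarises log lines in the key="value" layout the UTM packetfilter log uses (id="2001", action="drop", srcip=, dstip=, dstport= and so on). The sample lines are constructed for the example with TEST-NET addresses; they are not taken from the poster's firewall.txt.

```javascript
// Added example (not from the post or from Sophos): aggregate UTM-style
// packetfilter log lines to show who is hitting one host and on which port.
// The lines below are constructed samples in the UTM key="value" layout;
// addresses and ports are invented.
const SAMPLE_LOG = [
  '2013:10:29-14:02:01 utm ulogd[5248]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.5" dstip="192.168.1.108" proto="17" length="131" ttl="52" srcport="40012" dstport="51413"',
  '2013:10:29-14:02:01 utm ulogd[5248]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.77" dstip="192.168.1.108" proto="17" length="125" ttl="48" srcport="6881" dstport="51413"',
  '2013:10:29-14:02:02 utm ulogd[5248]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.23" dstip="192.168.1.108" proto="17" length="118" ttl="55" srcport="51413" dstport="51413"',
  '2013:10:29-14:02:03 utm ulogd[5248]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.5" dstip="192.168.1.108" proto="17" length="131" ttl="52" srcport="40012" dstport="51413"',
  '2013:10:29-14:02:04 utm ulogd[5248]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.7" dstip="192.168.1.108" proto="6" length="60" ttl="51" srcport="54321" dstport="22" tcpflags="SYN"',
  '2013:10:29-14:02:05 utm ulogd[5248]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth0" srcip="192.168.1.108" dstip="93.184.216.34" proto="6" length="60" ttl="64" srcport="47110" dstport="443" tcpflags="SYN"',
  '2013:10:29-14:02:06 utm ulogd[5248]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.9" dstip="192.168.1.50" proto="6" length="60" ttl="47" srcport="33333" dstport="445" tcpflags="SYN"'
];

// Split one line into its leading timestamp and a map of every key="value" pair.
function parseLine(line) {
  const fields = {};
  const re = /(\w+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(line)) !== null) fields[m[1]] = m[2];
  return { timestamp: line.split(" ")[0], fields };
}

// IP protocol number to a short label; unknown numbers keep the raw value.
function protoName(n) {
  return n === "6" ? "tcp" : n === "17" ? "udp" : n === "1" ? "icmp" : "proto" + n;
}

// Count dropped packets whose dstip equals `target`, grouped by proto/dstport,
// and count distinct source addresses. Returns plain values so callers can test
// or print them; nothing here depends on the order of the input lines.
function summariseDrops(lines, target) {
  const byPort = new Map();
  const sources = new Set();
  let total = 0;
  for (const line of lines) {
    const { fields } = parseLine(line);
    if (fields.action !== "drop" || fields.dstip !== target) continue;
    total++;
    const key = protoName(fields.proto) + "/" + (fields.dstport || "-");
    byPort.set(key, (byPort.get(key) || 0) + 1);
    sources.add(fields.srcip);
  }
  let topPort = null;
  let topCount = 0;
  for (const [port, count] of byPort) {
    if (count > topCount) { topPort = port; topCount = count; }
  }
  return {
    total,
    distinctSources: sources.size,
    byPort: Object.fromEntries(byPort),
    topPort
  };
}

// Stand-alone run: summarise the constructed log for the host in question.
console.log(JSON.stringify(summariseDrops(SAMPLE_LOG, "192.168.1.108"), null, 2));
```

Run over a real export of the live log (one line per entry), the interesting output is a single proto/port carrying most of the drops from many distinct sources: that pattern points at a service the outside world still expects on that host, typically a port that was forwarded earlier or that a peer-to-peer client on the desktop announced. Drops themselves are cheap for the UTM, so the summary does not prove the noise is what slows the downloads; it tells you which port and which program on .1.108 to look at next.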

IPS Rule List

Hi All,

I have a question for you guys, is there any place where I can find all the IPS rules and the meaning of each attack?

I have tried the Snort search, but some rule IDs are not there either, such as 23246.
I tried this link also, Index of /lists, but the IPS rules pages are not working.

I know I can find the attack from Network protection overview, but I am using UTM Manager, so I don't want to connect to each Appliance.

Thank you.

WebAdmin quits working after changing authentication methods

I recently started to test out SSO on my home network. I got everything set up and it is working like it should. The only thing is, I can't access WebAdmin if using Google Chrome or IE10. If I use Firefox (which doesn't have its proxy settings changed) I can get to it fine. When trying from those two browsers I get "Connection timed out" and the Sophos splash page.

SSL traffic via the Internet works fine; it just seems to be internal IPs.