Channel: Sophos User Bulletin Board
Viewing all 14361 articles

Allow one URL streaming from youtube.

Hello everyone

I'm here to post the next problem: I need to know how I can allow this URL and permit the streaming:

CLC Atrévete a preguntar - YouTube

I have an exception with this syntax:

http://.*.youtube.com/.*embed/iEVSg_Tmne8?
http://.*.youtube.com/videoplayback
http://.*.youtube.com/crossdomain

With this I can allow the URL and deny the rest, but I can't play the stream. I block the category Streaming too, but if I allow that, it allows streaming for the whole YouTube domain.



When I analyze the web filtering live log I get the following entry:


2013:12:03-10:48:15 astaro-1 httpproxy[918]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="10.10.1.102" dstip="" user="" statuscode="403" cached="0" profile="REF_HttProPrueba2 (Prueba Youtube)" filteraction="REF_HttCffPruebYoutu (Pruebas youtube)" size="3430" request="0x2519f4d8" url="http://www.youtube.com/get_video_info?width=1366&sts=16031&video_id=iEVSg _Tmne8&el=embedded&hl=es_MX&height=577&asv=3&eurl= undefined" exceptions="" error="" reason="category" category="147" reputation="trusted" categoryname="Streaming Media"



I need to permit just the streaming from that URL.


Waiting for your early reply


Best Regards


;)




P.S.: sorry for my English :(
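A small parser for the httpproxy log entry quoted in this post, added here as an example (it is not code from the post or from Sophos): it splits the line into its key="value" fields and reports which field drove the block decision, so a defender can see at a glance whether a category or an exception applied.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Log entry exactly as quoted in the post above (Sophos UTM web filtering live log).
SAMPLE_BLOCK = (
    '2013:12:03-10:48:15 astaro-1 httpproxy[918]: id="0060" severity="info" sys="SecureWeb" '
    'sub="http" name="web request blocked, forbidden category detected" action="block" '
    'method="GET" srcip="10.10.1.102" dstip="" user="" statuscode="403" cached="0" '
    'profile="REF_HttProPrueba2 (Prueba Youtube)" '
    'filteraction="REF_HttCffPruebYoutu (Pruebas youtube)" size="3430" request="0x2519f4d8" '
    'url="http://www.youtube.com/get_video_info?width=1366&sts=16031&video_id=iEVSg _Tmne8'
    '&el=embedded&hl=es_MX&height=577&asv=3&eurl= undefined" exceptions="" error="" '
    'reason="category" category="147" reputation="trusted" categoryname="Streaming Media"'
)

# Prefix: timestamp, hostname, daemon[pid]: followed by the key="value" pairs.
_PREFIX = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<daemon>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$')
# Values are double-quoted and may be empty or contain spaces (see the url= field above).
_FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_httpproxy_line(line: str) -> Dict[str, str]:
    """Split one httpproxy log line into a flat dict of its fields."""
    m = _PREFIX.match(line.strip())
    if not m:
        raise ValueError("not an httpproxy log line")
    fields = {"ts": m["ts"], "host": m["host"], "daemon": m["daemon"], "pid": m["pid"]}
    fields.update(_FIELD.findall(m["rest"]))
    return fields


def block_reason(fields: Dict[str, str]) -> Optional[str]:
    """Return a readable reason when the request was blocked, else None.

    A 'category' block names the category id and label. A matching URL
    exception would instead be listed in the exceptions= field, which is
    empty in the quoted entry, so no exception applied to that request.
    """
    if fields.get("action") != "block":
        return None
    if fields.get("reason") == "category":
        return f"category {fields.get('category')} ({fields.get('categoryname')})"
    return fields.get("reason") or "unspecified"


def requested_host(fields: Dict[str, str]) -> str:
    """Hostname of the url= field, the part a URL exception pattern has to match."""
    return urlsplit(fields.get("url", "")).hostname or ""


if __name__ == "__main__":
    f = parse_httpproxy_line(SAMPLE_BLOCK)
    print(f["srcip"], requested_host(f), block_reason(f))
```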

What is the right approach to use a second WAN for a DMZ

I have 2 WANs.
I have 2 internal networks (one internal, one DMZ).

For a total of 4 NICs.

What feature should I use to route all DMZ traffic to WAN2 and all WAN2 traffic to the DMZ?

I have tried policy routing, but I ended up losing all access to my Sophos UTM (had to revert the config at the console).

Thanks.

[9.105-9] CISCO VPN-Client with AD-Groups

Hi,
I use SSL VPN for the remote notebooks. I configured an AD group for allowed users.
Now we have new mobile devices and I need to configure the Cisco VPN client.
But I can't set a group from the AD; only local groups can be used. Is this normal or a bug?
As a workaround I used the user object (also synced from AD).

http://www.heise.de/ct Games not allowed

Content blocked

While trying to retrieve the URL: Magazin für Computertechnik | c't

The content is blocked due to the following condition: The URL you have requested is blocked by Surf Protection. If you think this is wrong, please contact your administrator.

Report: Games not allowed.


:confused: crazy :confused:

cloned UTM no SUM connection

Hi,

I cloned a virtual UTM 9.107. Now I want to connect the original and the cloned version to a SUM, but somehow only one or the other is connected. I suspect that the UTM has an ID (like a GUID in Windows) somewhere that it is using to connect to the SUM. Is there any way to reset this ID to something else?

Or can someone tell me what the SUM sees as a unique ID to accept it as a new device?

Beta Update 9.180: Release and Download Information

Hi.

We just released Beta update 9.180. It contains a lot of fixes for bugs reported in the Beta.

We also offer a new update package from 9.106 directly to 9.180.

Note: Mesh AP Update Problem

We fixed the problem that you needed to connect all your Mesh APs to the UTM by cable once to update them from 9.10X to 9.2 Beta. Sadly this means that if you have Mesh APs and update from 9.171 to 9.180 they will not be updated and need to be connected by cable to the UTM to update. This is because we reverted back to the 9.1 behavior which is incompatible with the one present in 9.17X. On the other hand this means that updating from 9.106 to 9.180 should work without problems now.


Fixed Issues
  • [23950] Wildcard Domains for SMTP Routing (Regression)
  • [26640] Not possible to activate more than 62 virtual webservers
  • [26699] Fix Rewriting of Cookies (HTML Rewriting)
  • [27848] DynDNS: Add support for STRATO AG, No-IP.com, selfHOST & DNSdynamic
  • [28922] Generate one time password for spx-auth basic authentication.
  • [29113] [BETA] Change 'Scan HTTPS (SSL) Traffic' to be a radio button
  • [29144] [BETA] Sophos Advanced Threat Adaptive Learning causes confusion
  • [29182] [BETA] "System was restarted - Reason: (unknown)" in Notification on Slave node in up2date case
  • [29264] [BETA] Aua fails to fetch the confd user object
  • [29325] [BETA] [Wifi]: debug lvl 7 output in all debug levels
  • [29354] [Update Rule:] SSL VPN routes are not distributed correctly over OSPF
  • [29371] [BETA] p0f is using 100% cpu
  • [29398] [BETA] logging of backend-authenticated user in hotspot.log is missing
  • [29404] [BETA] ips does not run correctly in 9.170-15.1
  • [29440] [BETA] Endpoint: One single notification is not enough and is confusing
  • [29444] [BETA] ProxyPass not working correctly for form-based login/logout paths
  • [29451] [BETA] Parent Proxy Displays Password
  • [29481] [Beta] Webadmin dies if you enable SPX and no REF_DefaultInternal is available
  • [29505] [BETA] issues with warning message for plaintext vhosts with reverse authentication
  • [29509] [BETA] Rev. Auth.: valid user session though timeout expired
  • [29512] [BETA] Rev. Auth.: issues with changing user object
  • [29532] [BETA] Web report dropdown contains 'Browse Time By User' report
  • [29533] [BETA] Date range does not get preserved when running pre-canned report
  • [29553] [BETA] rrdgraphs fallout fixing
  • [29557] [BETA] change order of authentication profile display
  • [29606] [BETA] Rev. Auth. form-based: reauthentication not possible
  • [29613] [BETA] Update does not work for DynDNS account type no-IP
  • [29698] [BETA] Rev. Auth.: session timeout and lifetime must not be zero

Download Information

ASG ISO for Software/Virtual appliance installation:
ftp://ftp.astaro.de/pub/UTM/v9/beta/asg-9.180-21.1.iso
ISO size................: 583M (611549184 bytes)
ISO md5sum..............: 1ef2b95479392b9ee4008ebd3e51c709
ISO sha1sum.............: a0d729edc3016d957579f10562eae3fbbd1c7582

SSI ISO for Hardware appliance installation:
ftp://ftp.astaro.de/pub/UTM/v9/beta/ssi-9.180-21.1.iso
ISO size................: 586M (614199296 bytes)
ISO md5sum..............: 4ff5763dbeac70d33692631327c36f0d
ISO sha1sum.............: 37467fc9de2d85da656403e7790f98279d1bf734

Up2Date package (for update from 9.171):
ftp://ftp.astaro.de/pub/UTM/v9/beta/...180021.tgz.gpg
U2D size................: 141M (147778537 bytes)
U2D md5sum..............: 6806a1fc9bb0c0f331844c528e74eb82
U2D sha1sum.............: 3c962660b30b21289a0465f6aa1e2afab520171b

Up2Date package (for update from 9.106):
ftp://ftp.astaro.de/pub/UTM/v9/beta/...180021.tgz.gpg
U2D size................: 285M (299198512 bytes)
U2D md5sum..............: c7b2418df4b4302d6430fbc44c8c424e
U2D sha1sum.............: 73e27a6cc8034679cc2701aa8019be8972a7aa4d

Please note that the Up2date package will also be distributed over the Up2Date server, so your appliance should usually download the package by itself.

UTM blocking youtube for no apparent reason

Hello there, I have an issue that I am unable to solve.

Everything works fine except that I am unable to browse youtube.
I cannot even ping it from behind the UTM.
I tried turning everything off: IPS, web filtering, application rules... and nothing seems to solve the problem.
I know youtube is reachable and browsable when I connect directly through my ISP modem.

My setup is as follows:
ISP router -> UTM latest (installed on an HP ProLiant server) -> switch -> some router -> my PC.

What have I been missing?

Thank you in advance.

Best regards

Android Apps

Hello, I do not see this posted anywhere, so here goes.
Currently running Astaro Home Version 9.106-17.
The problem is that with our Android phones I have noticed that we do not get updates from our apps when connected to the wireless at home (Linksys EA6500 in bridge mode); DHCP is from Astaro.

I have 2 wireless networks at home. The one connected to Astaro will not send Facebook updates or WordFeud updates (when it's your turn to play a word).
If I am connected to the other wifi (another internet connection, no firewall, testing only for me :>) I get alerts. When I am on 4G I get alerts. When I am on any other wifi I get alerts. So I know it's something in Astaro, but I am unsure what needs to be unblocked, whether it's something in IPS or what.
Currently not at home so I cannot test, but I can access the web GUI so I can provide any info needed.

[9.180][BUG] Log Partition graph in dashboard is monthly where others are daily

This has probably been around since the beginning of the beta, but in the dashboard view the Log Partition graph is in monthly format, whereas the others are in daily format. I am not sure if this is expected behavior, but I thought it was meant to be the same as the other graphs.

UTM cluster on VMware: partition full

Hello,

we have 2 virtual Sophos UTM clusters running in Active/Active mode. Both systems run on a VMware ESXi 5.1 cluster. Unfortunately the virtual partitions are now filling up. Can I take one machine out of the cluster, reinstall it with a larger partition and then join it to the cluster again? And then do the same with the other machine? The problem is that the whole company runs through these systems, and shutting them down to reinstall is not quite that easy.

Thanks in advance for your answers.

[9.180-21][open] Hyper-V drivers

Hi all,

I've successfully updated my HA system to V9.180-21. The updated Hyper-V drivers work, but this is not the current version. I will test the new version, but for production we need current drivers. The following events are generated on my Hyper-V host:

Networking driver in ASG node2 loaded but has a different version from the server. Server version 4.0 Client version 3.2 (Virtual machine ID 87226988-5A1D-46DE-A604-6D3517D524B2). The device will work, but this is an unsupported configuration. This means that technical support will not be provided until this problem is resolved. To fix this problem, upgrade the integration services. To upgrade, connect to the virtual machine and select Insert Integration Services Setup Disk from the Action menu.

A storage device in 'ASG node2' loaded but has a different version from the server. Server version 5.1 Client version 4.2 (Virtual machine ID 84444988-5A1D-46DE-A604-6D3514D524B2). The device will work, but this is an unsupported configuration. This means that technical support will not be provided until this problem is resolved. To fix this problem, upgrade the integration services. To upgrade, connect to the virtual machine and select Insert Integration Services Setup Disk from the Action menu.

Please implement the current drivers.

First issue:
Failed services in runlevel 3: httpd

This occurs at every start, like in all versions before.

regards
mod

issue with active/standby HA

Hi,
I have 2 ASG320 in a cluster; one of them has failed and our supplier replaced it with a new, preconfigured one. The active device doesn't see the standby:
http://imageshack.com/a/img707/4762/5imi.jpg
Do you have any idea on how to fix the problem?
Is there a step-by-step procedure to configure HA in active/passive mode?

Thanks

Red 10 Split Mode / NAT

Hello.
In our main office (8 MBit up/down) we have a UTM 120 installed. We have a small office that is connected via a RED 10 device using unified mode. Behind the RED 10 there is a webcam connected. We can access the webcam via its internal IP or from the internet through the UTM 120 (external IP), where we have a NAT rule to the webcam's IP. Until now that works great.

Now we have a new cable connection with 30 MBit/s at our small office.
We want to send the normal internet traffic directly to the internet at the small office, but still use the external access to the webcam from our main office.
This does not seem to work in split mode. The internal access works correctly for all devices including the webcam. Only from external there seems to be a problem.

Any ideas?

Difficult static Routes

Hi,

We've got a really difficult routing problem (I know how to handle it, but the Sophos UTM doesn't do it).

We've got 2 external interfaces (not multipath, just two VLANs (1 and 2)). One interface has the net 82.211.0.x/24, the other has the net 84.200.2.x/24.
On the other side we also have two internal network devices (also different VLANs (1 and 2)), and on these network devices many subnets are configured.

What we do is configure the firewall to route the traffic to the internal servers.

Now the main problem:
If server A is in VLAN1 and is masqueraded to 82.211.0.9, sometimes it happens that the server isn't accessible from the Internet. What I figured out is that the traffic is not sent through the external interface which has the 82.211.x VLAN. After a few minutes the traffic is routed through the correct interface again and the server is accessible again.


What I did to get this working is setting up a static route and routing all traffic from server A to the external interface it has to go through. But if I do this, server A isn't accessible from the internal network anymore. I set up a new rule to route all traffic from server A to the internal networks on the internal interface, but nothing changed. The server is still not accessible from the internal network until I disable the first route.

ASG8 FullNAT issue

Hello all,

I need a 2nd pair of eyes while working on a NAT issue.

Two headquarters (let's call them A+B) are connected with a leased line; at end B we have an ASG8.

Interfaces:
Code:

LOCAL  on eth0 [192.168.180.1/24]
UPLINK on eth4 [192.168.190.6/24]

To connect to several services from B to A I have a static gateway route in place:

Code:

GROUP_Networks_A -> Gateway Firewall_Network_A [192.168.190.1]
To connect from A to B we addressed directly, so the ASG8 knew to distribute this to LOCAL on eth0. Basically, if a client in A wanted to connect to 192.168.180.100, he used 192.168.180.100.

So far so good.

Due to some regulatory changes, new connections from A to B are now sent to UPLINK on eth4, but with a new net: 10.7.0.0/16. The idea behind this: requests to 10.7.0.100 should be NATted to 192.168.0.100.

To achieve this, I've added an additional address on ETH4:
Code:

10.7.0.1/24 on interface UPLINK
Then I've tried setting up a FullNAT to accomplish the goal:

Code:

Traffic Source: Any
Traffic Service: Any
Traffic Destination 10.7.0.100
NAT mode: Full NAT
Destination: 192.168.180.100
Destination Service: (unchanged)
Source: UPLINK (address)
Source Service: (unchanged)
+ Log initial packets and Automatic firewall rules active.

The Firewall log shows two entries for the TCP requests:

Code:

12:26:27 Connection using NAT - TCP 10.2.173.6 -> 10.7.0.100:80 / len=60, ttl=59, tos=0x00 / srcmac=5c:5e:ab:e6:e:8d / dstmac=0:1b:21:be:b9:99
12:26:27 Connection using NAT - TCP 10.2.173.6 -> 192.168.180.100:80 / len=60, ttl=58 , tos=0x00 / srcmac=0:1b:21:be:b8:a8

...but the traffic doesn't show up on the destination server.

I guess I'm missing something, any clues?

Thank you in advance.

NTP server basic settings

Hello!

I have a UTM 9.1 running as the Home version on an ordinary PC for private use.

The network is connected via RED 10 to my parents and via L2TP over IPsec to a relative.

I now want to synchronize the time on all PCs via the UTM, so that the PCs on the RED and the PC over IPsec get the time from the UTM.

Now I noticed that on the UTM under "Network Services" I have the item "NTP", and under "DHCP", under "Options", I can also enable or disable an "NTP" server.

Which of the two options do I have to configure, and how?
Or is one of the two enough?

Currently I have both options enabled and have entered the UTM as "Time Server" in the DHCP options.

Regards,
fireb

RED 10 NetBios

Hello!

I just saw in my firewall log that my PCs, which are connected to the network via a RED 10, send requests to the RED on port 137 (NetBIOS), which however are "blocked" with the reason "STANDARD-VERWERFEN".

Requests from the internal network to the UTM on this port are also blocked.
Normally that's not normal, is it?

Can you tell me what I have to configure so that the requests are processed?

Regards,
fireb

Compress SSL VPN traffic works really great!!

Just by chance I found out how amazing the SSL VPN compression works and thought I would share this with you all:

I had just connected my laptop through a 100 Mbps switch connection to the UTM. When running a speedtest on this connection I got an 81 Mbps downstream, which I think is pretty okay considering there's also some overhead in the IP protocol.
Then I connected (from inside and just to test some things) the same laptop with remote SSL and also wanted to see what the impact was on the speedtest. I thought it would be lower, but in reality with the SSL VPN connected (still through a 100 Mbps switch connection) I got a 120 Mbps downstream, a 50% increase and even higher throughput than my physical connection!

Web protection report showing computernames not usernames

Hello,

We have a UTM working with SSO to Active Directory. Users are browsing via the proxy; authentication is working. However, some sessions are being reported as DOMAIN\username, and others DOMAIN\Computername.

We would like all sessions to report the username; is this possible?

Thanks

Adrian

Attached Images
File Type: png sophos1.png (22.2 KB)

IPv6 autoconfig: no default gateway

Hi,

ASG120
Firmware: 9.106-17

from time to time my IPv6 connection isn't working. I get native IPv6 support from my provider with a /48 prefix that I divide into different nets, but that's a different topic.

What happens when I provide public IPs to my computers: on my Linux client this is my default route:
::/0 :: !n -1 1 2831 lo
which of course doesn't lead me into the IPv6 Internet. Some other times I actually get a link-local gateway for ::/0, but so far I was not able to reproduce when.

Currently I deactivated the advertisement of the ULA prefix on the same net because I thought this could be the cause, but it obviously isn't.

Could someone please lead me into the correct direction?!

Thank you!

Code:

#
# radvd configuration generated by radvdump 1.9.1
# based on Router Advertisement from fe80::2ea:8a:fe12:9108
# received by interface brlan
#

interface brlan
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag off;
        AdvOtherConfigFlag on;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference high;
        AdvSourceLLAddress on;

        prefix 2a42:fa0:22:10::/64
        {
                AdvValidLifetime 2592000;
                AdvPreferredLifetime 604800;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition


        RDNSS 2a42:fa0:22:10::1
        {
                AdvRDNSSLifetime 600;
        }; # End of RDNSS definition


        RDNSS 2a42:fa0:22:10::8:107
        {
                AdvRDNSSLifetime 600;
        }; # End of RDNSS definition


        DNSSL myverypersonalcompany.lan
        {
                AdvDNSSLLifetime 600;
        }; # End of DNSSL definition

}; # End of interface definition
