Channel: Sophos User Bulletin Board
Viewing all 14361 articles
Browse latest View live

Don't show live log

Hi,
why does my UTM 120 (9.203) not show the log for web filtering?


thanks

Remote Desktop Services Servers and Sophos Endpoint

I installed Sophos Endpoint Protection in my Remote Desktop Services environment. Immediately I noticed that my Gateway server was not connecting to my Connection Broker server. On the Gateway server that manages collections and other servers, the RDM (Remote Desktop Management) service was stopped. When I tried to start it manually, it would temporarily start and then stop again. I uninstalled Endpoint Protection and the service automatically starts, I can establish a connection to my Connection Broker and all my collections come up.

I think Sophos Endpoint needs to have a more robust exclusion section. I only see a section to exclude files/drives from scans. However, I think it should have an exclusion for the real-time scan engine. I switched from Symantec Endpoint and now I basically cannot use Sophos Endpoint on my servers.

WAF + Reverse Authentication + AD + Require Password Change

Hi,

we use the WAF together with reverse authentication with Exchange 2013 to secure our OWA login.

Normally, when we reset passwords for our employees, we check the "require password change on next login" box. When the login happens against OWA directly, the user is able to log on and can then change his password within OWA.

However, it seems like the reverse auth denies the logon altogether when the mentioned checkbox is activated. This leads to the situation where the user cannot log on at all to process the required password change.

What is the best practice to overcome this problem? Unfortunately we have a lot of freelancers who do not have a company-connected client which they could use to change their password. They have to use OWA.

Thanks for any help on this topic!
Philipp

UTM seems to be blocking other Sophos software

I'm using Windows 7 with the integrated Sophos antivirus products.
I see the following in the web log:

Code:

2014:07:06-13:19:44  ravenna httpproxy[32330]: id="0002" severity="info" sys="SecureWeb"  sub="http" name="web request blocked" action="block" method="GET"  srcip="10.1.2.3" dstip="" user="" statuscode="502" cached="0"  profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction="REF_xtQVuVVAPc (Doug)" size="2642" request="0x296a4660"  url="http://http.00.s.sophosxl.net/V3/01/nqqbaf.zbmvyyn.bet.w/"  exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size"  error="Host not found"


Clearly, as you can see from all of the exceptions, an attempt to allow this traffic was made but it is failing.

Can someone help me understand the following:
1. What this traffic is
2. How to fix this

Given the 'Host Not Found', it seems the software needs to be updated, as a host has changed remotely at Sophos. At first glance it looks like a network problem, an outage or a rookie error at Sophos.

Much thanks in advance.
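The line quoted above is in the Sophos UTM httpproxy format: a timestamp, host and process prefix followed by key="value" pairs, where a value may contain spaces and parentheses (see the profile field). The following parser is an added example, not code from the post or from Sophos; the sample log is constructed for it (the first line reproduces the posted entry with single spacing, the second is a made-up allowed request for contrast). It pulls out blocks that failed with an upstream error despite carrying exceptions, which is the situation the post describes.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: line 1 mirrors the entry quoted in the post above,
# line 2 is an invented "pass" entry so the filter has something to ignore.
SAMPLE_LOG = """\
2014:07:06-13:19:44 ravenna httpproxy[32330]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.1.2.3" dstip="" user="" statuscode="502" cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)" filteraction="REF_xtQVuVVAPc (Doug)" size="2642" request="0x296a4660" url="http://http.00.s.sophosxl.net/V3/01/nqqbaf.zbmvyyn.bet.w/" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size" error="Host not found"
2014:07:06-13:20:01 ravenna httpproxy[32330]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.1.2.3" dstip="93.184.216.34" user="" statuscode="200" cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)" filteraction="REF_xtQVuVVAPc (Doug)" size="1256" request="0x296a4661" url="http://example.com/" exceptions="" error=""
"""

# key="value"; the value may hold spaces, quotes are never nested in this format
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# "<timestamp> <host> <process>[<pid>]: <rest>"
PREFIX_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\w+)\[(?P<pid>\d+)\]:\s*(?P<rest>.*)$')


def parse_line(line):
    """Split one httpproxy line into its prefix fields and key/value pairs."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line[:40]!r}")
    fields = {"ts": m["ts"], "host": m["host"], "proc": m["proc"], "pid": int(m["pid"])}
    fields.update(KV_RE.findall(m["rest"]))
    # exceptions is a comma-separated list; expose it as a set for membership tests
    fields["exceptions"] = set(filter(None, fields.get("exceptions", "").split(",")))
    return fields


def blocked_with_error(lines):
    """Yield (srcip, url host, error) for blocked requests that carry a non-empty
    error field even though the filter action had exceptions applied, i.e.
    blocks caused upstream (DNS, connectivity) rather than by policy."""
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") == "block" and rec.get("error") and rec["exceptions"]:
            yield rec["srcip"], urlsplit(rec["url"]).hostname, rec["error"]


def hosts_by_error(lines):
    """Group the upstream-error blocks: error message -> sorted list of hosts."""
    out = {}
    for _src, host, err in blocked_with_error(lines):
        out.setdefault(err, set()).add(host)
    return {err: sorted(hosts) for err, hosts in out.items()}


if __name__ == "__main__":
    for err, hosts in hosts_by_error(SAMPLE_LOG.splitlines()).items():
        print(f"{err}: {', '.join(hosts)}")
```

Run over a real log (for example `grep httpproxy /var/log/http.log` piped in), the grouping separates policy blocks from hosts the proxy simply could not resolve or reach, which is the distinction the post is asking about.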

Who maintains Sophos's Web Filter Categorization?

I have administered both Palo Alto and Fortigate, and have extensively used their web filtering components. I implemented the Sophos Web Filtering at home, and had a few questions. I was hoping that someone with more familiarity with the UTM could help shed some light.

1. Who maintains Sophos's Web Filter Categorization?
2. How can we get a new site categorized, or an existing categorization modified?
3. Is there a way to enter a site, and see what Sophos has it categorized as?

With both Palo Alto and Fortinet, they had their own internal database, which was cool. You could enter a URL to see its category. If the site was miscategorized, you could submit it for review and update.

Any input would be greatly appreciated.

- Ton

Problem: Cisco™ VPN Client via TACACS+ users

Under Remote Access -> Cisco™ VPN Client -> Server Settings, I am trying to add the TACACS+ group to the Users and Groups panel in order to let this group reach a specified network. However, when I click on the browse icon and pull the TACACS+ group to the Users and Groups panel, it does not allow me to add it.
Is there any reason why Sophos does not allow me to choose the TACACS+ group?
(note: TACACS+ is configured on Sophos and working fine)

Thanks,

How can I use SSL/TLS with Perfect Forward Secrecy

How can I enable PFS (Perfect Forward Secrecy) in addition to TLS for Mail Service?

SNMP blocked/drop

Not sure what is going on, but I have enabled SNMP monitoring for internal use and created a firewall rule that specifies:
Source: internal network
Service: snmp
dest: any
allow

and it still drops?

Endpoint Web Control

Hello dear forum,

I have now equipped a laptop with Endpoint Protection on a trial basis.
There I have activated Endpoint Web Control.

By default the user may only visit whitelisted sites.

When I activate "Endpoint Web Control", the user can reach almost all sites (except **** etc.). The whitelist rules are being bypassed!?

How can I change this? :confused:

Many thanks

One Line URL P0rn Spam

Running 9.203-3 with the following RBLs enabled:
  • drone.abuse.ch
  • bl.spamcop.net
  • zen.spamhaus.org
  • b.barracudacentral.org
  • dul.dnsbl.sorbs.net
I recently rescued mail services (failed server) for my parents and their domains, and it appears that my stepfather's email address is on some SPAM list that sends one-line URL p0rn links. Analysis of over 100 messages of this type over a couple of days shows no common denominator to filter on (i.e. the reason for the additional RBLs). Sources (i.e. countries, IPs, etc.) are all over the place. The only thing that is common is that the e-mail is one line containing a URI and the subject contains a p0rnographic description.

Any ideas on how to block this at the UTM?

TIA
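The one property the post does identify as constant, a body that is a single line consisting of nothing but a URI, is something a content check can test for directly. The script below is an added example, not the poster's configuration or a UTM feature; the four messages are constructed with neutral placeholder subjects and bodies, and the threshold (exactly one non-blank line, matching a URL-only pattern) is the assumption it makes.

```python
import email
import re
from email import policy

# Constructed sample messages (not from the post). Bodies are deliberately
# neutral; the trait under test is a body that is one bare URL and nothing else.
SAMPLES = {
    "one_line_url": "From: a@example.net\nSubject: placeholder subject\n\nhttp://example.invalid/x9q2\n",
    "url_with_text": "From: b@example.net\nSubject: meeting\n\nSlides are here: http://example.org/deck\nThanks\n",
    "multiline": "From: c@example.net\nSubject: hello\n\nHi,\nsee you tomorrow.\n",
    "empty": "From: d@example.net\nSubject: (none)\n\n\n",
}

# A whole line that is a URL (scheme or leading www.) and nothing else.
URL_ONLY_RE = re.compile(r'^\s*(?:https?://|www\.)\S+\s*$', re.IGNORECASE)


def text_body(msg):
    """Return the decoded text/plain body of an EmailMessage, or '' if none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def is_one_line_url(raw):
    """True when the text body has exactly one non-blank line and that line is
    only a URL, the pattern the post above describes."""
    msg = email.message_from_string(raw, policy=policy.default)
    lines = [ln for ln in text_body(msg).splitlines() if ln.strip()]
    return len(lines) == 1 and URL_ONLY_RE.match(lines[0]) is not None


def classify(samples):
    """Map sample name -> whether it matches the one-line-URL pattern."""
    return {name: is_one_line_url(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:15s} {'MATCH' if hit else 'ok'}")
```

Because the test keys off message shape rather than sender, domain or wording, it is indifferent to the scattered sources the post mentions; a legitimate message that is nothing but a link would also match, so in practice this would be one scoring input rather than a hard reject.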

Sophos UTM 9.2 - WAF and Exchange 2010/2013

Hi all,
I wanted to ask whether anyone has secured their (primarily) Exchange 2013 via WAF.
That is, not only OWA, but ActiveSync, Outlook Anywhere etc.

The way it is described here does not work:
How to configure the UTM Web Application Firewall for Microsoft Exchange connectivity

OWA works (partially), but unfortunately not all functions are available.
Autodiscover does not work at all, and without Autodiscover there are constant RPC tunnel errors in the log (RPC_IN_DATA, RPC_OUT_DATA). Outlook does not establish a connection. So of course Outlook Anywhere does not work. It is configured exactly as in the guide :confused:

Quite apart from the fact that this guide is not for 9.2 but for 9.1.
I wouldn't be so annoying if Sophos unfortunately didn't do such strong TMG replacement marketing. So an up-to-date guide would be really great!

There is also a known issue here:
Quote:

ID29957 9.150 Exchange 2013 OA and OWA didn't work with WAF (9.2)
------------------------------------------------------------------------
Description:
Workaround:
Fixed in:
So at the moment it unfortunately does not work the way I would like it to.
Up to now I have never had to struggle so hard with a UTM function as with the WAF and Exchange!
If anyone here has tips or a working environment, I and certainly various others would be glad of tips/guides/adjustments.

Nice greetings

WAF - RDS Gateway publication with reverse authentication

Hello,

I need to replace a TMG with RSA SecurID authentication; this TMG publishes an RDS Gateway 2012.

I used this useful document:
https://www.winsec.nl/2014/01/15/pub...tion-firewall/

In my scenario, I want to use the reverse authentication included in 9.203.

I can access the RD Gateway portal without problem, but when I click the RDP link, the connection to the RDS server is impossible.

Has someone tried to do this publication with Sophos WAF and reverse authentication?

Regards,

Eric

Any plans about clientless SSL-VPN?

Does anybody know something about clientless SSL-VPN?
I mean full LAN access, not just some protocols like RDP.
SonicWALL, Cisco, Juniper and F5 Networks do have it. What about Astaro? ;)

Yes, I know, security goals, but it's an amazing feature, first of all for non-admin users.

Regards
Vod

Webserver protection vs Firewall nat rules

I was only successful using the webserver protection option to set up an internal webserver with its own external static IP address. For some reason, using various NAT rules/firewall rules I couldn't succeed. Very basic setup; is that the only way to set up webservers?

My example: firewall external IP address xx.***.***.5
webserver via external: xx.***.***.6
used DNAT rules to take traffic from any, using HTTP, to external (.6), change dest to internal webserver, service to HTTP

Also, I noticed that using webserver protection doesn't create any firewall rules?

With 9.2, still can't add more than one Dynamic DNS name

Using Namecheap, I'd like to have multiple domain names point to the single IP address of the UTM. For instance, office.mydomain1.com, office.myotherdomain.com, office.mythirddomain.com, etc. However, in the DynDNS config, if I have more than one name configuration with the same prefix (Office), I get the error: The DynDNS mapping object with the name 'office' already exists.
I believe that in 9.1 and below, this was a limitation of a program (ddclient) that needed a specific update. I was under the impression this might be fixed in 9.2. Can anyone verify? Thanks!

https://www.astaro.org/beta-versions...main-name.html

How to restrict access to reverse-proxy by IP?

I have a number of virtual web servers set up. One of these I want to restrict access to based on IP. I tried putting a deny-all rule in the firewall but it doesn't block it. I don't see any rules about port 80/443 in the automatically created firewall rules. How do I restrict access to the virtual web server by IP?

External IP to Internal IP access?

Hi,
I have someone flooding my PBX system. Not sure what they are doing; guessing they are trying to make free phone calls.
The system is blocking them, but I'm getting strange log reports

Default DROP UDP 108.62.x.x :5103 → 192.168.x.x:5060 len=365 ttl=44 tos=0x00

My question is: how are they trying to access the INTERNAL IP of my PBX? :confused:

For testing, I have turned off ALL NAT rules and turned off the VoIP helper, and the attacker continues to try and access my internal IP.

I have tried setting up a special NAT rule to blackhole them (108.62.x.x -> any -> external IP group --NAT--> Blackhole (10.245.x.x)), then set it as the first of my NAT rules, and that does not capture the packets.

Any ideas how they are doing this?
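When a firewall log is full of entries like the one above, the first useful step on the defending side is to aggregate them: which external sources, which logged destination, which service, and how often. The script below is an added example, not the poster's setup or a UTM tool; the five sample lines are constructed in the shape of the quoted "Default DROP" entry, with documentation-range and RFC 1918 placeholder addresses instead of the poster's. It notes separately whether the destination the log shows is an RFC 1918 address, since that is exactly the detail the post finds puzzling.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of the UTM firewall log quoted above.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for
# external sources; 192.168.1.0/24 stands in for the internal network.
SAMPLE_DROPS = """\
Default DROP UDP 198.51.100.7 :5103 → 192.168.1.20:5060 len=365 ttl=44 tos=0x00
Default DROP UDP 198.51.100.7 :5104 → 192.168.1.20:5060 len=365 ttl=44 tos=0x00
Default DROP UDP 198.51.100.7 :5105 → 192.168.1.20:5060 len=370 ttl=44 tos=0x00
Default DROP TCP 203.0.113.9 :44122 → 198.51.100.200:22 len=60 ttl=52 tos=0x00
Default DROP UDP 192.168.1.55 :161 → 192.168.1.1:161 len=90 ttl=64 tos=0x00
"""

DROP_RE = re.compile(
    r'^(?P<rule>\w+)\s+DROP\s+(?P<proto>\w+)\s+'
    r'(?P<src>[\d.]+)\s*:(?P<sport>\d+)\s*→\s*(?P<dst>[\d.]+):(?P<dport>\d+)'
    r'\s+len=(?P<len>\d+)\s+ttl=(?P<ttl>\d+)\s+tos=(?P<tos>0x[0-9a-fA-F]+)')

# Explicit RFC 1918 networks; ipaddress.is_private would also count the
# documentation ranges as private, which is not what "internal" means here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_drop(line):
    """Parse one 'Default DROP' line into a dict, or None if it does not match."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "len", "ttl"):
        rec[k] = int(rec[k])
    rec["dst_internal"] = is_rfc1918(rec["dst"])
    return rec


def summarize(lines):
    """Count drops per (src, dst, proto, dport, dst_is_rfc1918)."""
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec is not None:
            counts[(rec["src"], rec["dst"], rec["proto"], rec["dport"], rec["dst_internal"])] += 1
    return counts


def repeat_external_sources(lines, threshold=3):
    """External (non-RFC 1918) sources whose drops towards one internal
    destination/service reach `threshold`, sorted for stable output."""
    hits = defaultdict(int)
    for (src, dst, proto, dport, dst_internal), n in summarize(lines).items():
        if dst_internal and not is_rfc1918(src):
            hits[(src, dst, proto, dport)] += n
    return sorted(k for k, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_DROPS.splitlines()).most_common():
        print(n, key)
    print("repeat external sources:", repeat_external_sources(SAMPLE_DROPS.splitlines()))
```

The per-source counts are what you would hand to a blocklist or a rate limit, and the `dst_internal` flag makes it easy to pull out just the entries where the log names a private address as destination, the class of entry the post is about.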

Advanced Threat Protection False Positive ?

Hello,

Since I updated the UTM to 9.2 and activated Advanced Threat Protection, one of our computers has been generating alerts all the time. This computer has Sophos Endpoint installed. I've already scanned this PC many times and uninstalled any unneeded software, but I keep receiving these alerts. Does anyone have an idea about this?

------------

Advanced Threat Protection

A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A
Details........: C2/Generic-A - Viruses and Spyware - Web Threat, Virus and Spyware Detection and Removal | Sophos - Threat Center - Cloud Antivirus, Endpoint, UTM, Encryption, Mobile, DLP, Server, Web, Wireless Security, Network Storage and Next-Gen Firewall Solutio
Time...........: 2014-07-08 15:40:58
Traffic blocked: yes

Internal source IP address or host: XX.XX.XX.XX

--
System Uptime : 13 days 15 hours 5 minutes
System Load : 1.25
System Version : Sophos UTM 9.203-3

Please refer to the manual for detailed instructions.

The send limit for this notification has been reached. No further notifications of this type will be sent during this period.

Reporting

Hi,

New to this UTM but have used others previously, like Untangle.

I installed it primarily to get a proxy up and running to report on gateway usage, but I'm not sure if this free product provides the granularity I require.

I have it set up and working with an allow-all <> rule and it is giving me some reporting on a couple of hosts I've manually configured to use it as the gateway.

Does anybody have a quick answer on whether more granular reporting is available with a one-off licence, without me having to go through Sophos themselves?

Boom Boom

BB

[S] Does anyone have an ASG110/120 Rev.3 to part with?

Hello forum,

I am looking for the above-mentioned appliance for private use. I already have a virtual Astaro/UTM 9 (home-use licence) running in VMware, but now I would rather move to physical hardware after all. The offers on the net are very thin or far outside a private budget.

If one of you, privately or as a company, would like to part with an ASG 110/120 R.3 for "small money", please let me know. Dents and scratches don't bother me as long as the box is technically in order.

Thank you.
Matthias


[If a company cannot book any income, I will donate the amount to a named organisation or send a thank-you as a voucher :D.]