Channel: Sophos User Bulletin Board

Figuring Out a Client's Outbound HTTP Traffic

Hi All,

Yesterday, I had a client whose outbound HTTP traffic was over 300MB according to the Top Services By Client report. When I look at Top Applications by Client it shows that 250MB of outbound traffic went to Rapleaf. After researching, it seems they are a major player in the web user tracking and info-selling game. I have isolated the time window based on a few other reports. Also, we screen capture all of our clients, so I was able to go back and replay her desktop session during this time, and the only thing of note she had open was a page from 123greetings.com. As expected, during this window there was lots of download traffic for all of the embedded video ads and content. But how do I track where the HTTP outbound traffic was going? My gut tells me that the Rapleaf classification is not correct. When I look at the server-oriented reports, they all show total bandwidth and don't break it down by in and out. Any ideas?

Thanks!

Can't see where rules are used (blue circled i)

Each time I click on a blue circled i (usage info) from any page, I receive the error below. What is going on?

Can't use string ("0") as an ARRAY ref while "strict refs" in use at /wfe/asg/modules/asg_misc.pm line 692.

MAC Address Definitions

Not Static Definitions, but the "MAC Address Definitions" under "Network Definitions" (right tab)... After creating a MAC Address Definition list, will using that definition from the drop down choice in a packet filter rule stop unauthorized use of the packet filter rule?

Or are the "MAC Address Definitions" only intended for wireless filtering?

[9.206] Boot.log

Hi all

I found this in the boot.log after updating to 9.206 today:
database (connect): could not connect to server: No such file or directory

<notice -- Sep 10 10:47:04.396145000> httpd start
:: Starting WebAdmin
2014:09:10-10:47:05 fmaster [daemon:info] count_active_ip[3893]: count_active_ip: checking active IP addresses
2014:09:10-10:47:05 fmaster [daemon:info] count_active_ip[3893]: Home use or NTT OEM license detected
2014:09:10-10:47:05 fmaster [daemon:crit] count_active_ip[3893]: database (connect): could not connect to server: No such file or directory
2014:09:10-10:47:05 fmaster [daemon:crit] count_active_ip[3893]: Is the server running locally and accepting
2014:09:10-10:47:05 fmaster [daemon:crit] count_active_ip[3893]: connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?
2014:09:10-10:47:06 fmaster [daemon:info] notifier[3864]: loading config version 0
failed
<notice -- Sep 10 10:47:17.929043000> 'httpd start' exits with status 1

Regards

Mark

[9.206] Fatal Errors in kernel.log

Hi all
I found this in the kernel.log after updating to 9.206 today:
FATAL: Error inserting padlock_sha

2014:09:10-10:45:15 fmaster kernel: [129617.919273] EXT4-fs (sda1): re-mounted. Opts: (null)
2014:09:10-10:45:23 fmaster kernel: [129626.247956] EXT4-fs (sda1): re-mounted. Opts: (null)
2014:09:10-10:46:07 fmaster modprobe: FATAL: Could not load /lib/modules/3.8.13.15-122.g6171857-smp64/modules.dep: No such file or directory
2014:09:10-10:46:07 fmaster modprobe: FATAL: Could not load /lib/modules/3.8.13.15-122.g6171857-smp64/modules.dep: No such file or directory
2014:09:10-10:46:07 fmaster modprobe: FATAL: Could not load /lib/modules/3.8.13.15-122.g6171857-smp64/modules.dep: No such file or directory
2014:09:10-10:46:07 fmaster modprobe: FATAL: Could not load /lib/modules/3.8.13.15-122.g6171857-smp64/modules.dep: No such file or directory
2014:09:10-10:46:08 fmaster modprobe: FATAL: Could not load /lib/modules/3.8.13.15-122.g6171857-smp64/modules.dep: No such file or directory
2014:09:10-10:46:08 fmaster modprobe: FATAL: Could not load /lib/modules/3.8.13.15-122.g6171857-smp64/modules.dep: No such file or directory
2014:09:10-10:46:08 fmaster modprobe: FATAL: Could not load /lib/modules/3.8.13.15-122.g6171857-smp64/modules.dep: No such file or directory
2014:09:10-10:47:49 fmaster kernel: [ 77.179306] u32 classifier
2014:09:10-10:47:49 fmaster kernel: [ 77.179309] input device check on
2014:09:10-10:47:49 fmaster kernel: [ 77.179310] Actions configured
2014:09:10-10:47:49 fmaster kernel: [ 77.180238] Mirror/redirect action on
2014:09:10-10:48:02 fmaster kernel: [ 89.734602] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
2014:09:10-10:48:02 fmaster kernel: [ 89.734604] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
2014:09:10-10:48:09 fmaster kernel: [ 97.134277] NET: Registered protocol family 15
2014:09:10-10:48:10 fmaster kernel: [ 97.681717] Initializing XFRM netlink socket
2014:09:10-10:48:11 fmaster kernel: [ 98.721587] sha1_ssse3: Using SSSE3 optimized SHA-1 implementation
2014:09:10-10:48:11 fmaster modprobe: FATAL: Error inserting padlock_sha (/lib/modules/3.8.13.27-0.173454012.g3d22934-smp64/kernel/drivers/crypto/padlock-sha.ko): No such device
2014:09:10-10:48:11 fmaster modprobe: FATAL: Error inserting padlock_sha (/lib/modules/3.8.13.27-0.173454012.g3d22934-smp64/kernel/drivers/crypto/padlock-sha.ko): No such device
2014:09:10-10:48:11 fmaster kernel: [ 98.819571] AVX instructions are not detected.
2014:09:10-10:48:11 fmaster kernel: [ 98.968620] AVX instructions are not detected.
2014:09:10-10:48:11 fmaster kernel: [ 99.065035] AVX instructions are not detected.
2014:09:10-10:48:12 fmaster kernel: [ 99.993073] hwinfo: vm86 mode not supported on 64 bit kernel


Regards, Mark

How to install on a dedicated server?

Hello folks,

I am brand new to Sophos. I would like to install Sophos purely for VPN purposes on a dedicated server. I have KVM access to my machine.

After installation, how can I access the web configuration from the WAN side? After a normal installation, I get a command prompt giving me instructions on how to log in via the LAN side.

Can I configure the web config on the WAN side by using the command prompt, or do I really need to access it via the LAN? I don't have access to the LAN side as this is a dedicated machine with wholesaleinternet.com.

Thanks in advance folks

cheers

Mobile 4G Office in a Box

Thought I'd share our Mobile 4G Office in a Box setup we use for regional Australia touring.

This is a Mark I setup with the case and we'll probably look to move it into a Pelican case for Mark II.

Gear list:
RED 10
AP 10
Dovado Tiny
Telstra 4G modem (Sierra / Netcomm 320U)


Due to the lack of 4G modem support on the UTM & RED at the moment, we've used a Dovado Tiny router to connect the 4G modem as an Ethernet device. The WiFi on the Dovado is disabled and the antenna removed (it just unscrews).

Staff just open the case and remove the board with everything mounted.
They connect the powerboard to a power source, plug in the 4G modem and extend the cable so the modem is away from the AP 10 to minimize interference.

Worked flawlessly for the 6 weeks of the tour.

Things to do:
  • Mark II roadcase - just remove the lid?
  • SOPHOS - 4G modem compatibility. Remove the requirement for the Dovado.
  • SOPHOS - RED survivability. RED provides internet if there is no connection to the UTM.
  • Redundant path home - We have multiple UTM sites. Need to configure things so that the RED can try a different path into the corporate network.


Bind Interface for Site-to-site VPN

Hi,
I use a site-to-site VPN (SSL) and want to bind one (faster) uplink interface for this connection. When this interface goes down, UTM9 should not use the second interface for the VPN. Is this possible?

Regards, Dex

HTML5 VPN Errors

Hi,

I always get error 1, "Session terminated because configuration has been changed", and error 2, "PTYSSH[REF_CliConStorage]: Error occured: undefined".

During error 1, nothing was changed on the Sophos side. Following you can find the relevant log entries:

Code:

2014:09:10-08:58:10 primary-1 screenmgr[4795]: id="2202" username="***xx" event="Connection stopped" sub="vpn" variant="clv" sys="SecureNet" severity="info" srcip="a.b.c.d" service="HTML5 VPN" type="PTYSSH" sessionid="147" sessionname="serverB"
2014:09:10-08:58:11 primary-1 screenmgr[4795]: Session[137]: Service has stopped with an error: 2
2014:09:10-08:58:11 primary-1 screenmgr[4795]: Client 148: session stopped: 2
2014:09:10-08:58:11 primary-1 screenmgr[4795]: Client 148: connector stopped:
2014:09:10-08:58:11 primary-1 screenmgr[4795]: id="2202" username="***xx" event="Connection stopped" sub="vpn" variant="clv" sys="SecureNet" severity="info" srcip="a.b.c.d" service="HTML5 VPN" type="PTYSSH" sessionid="148" sessionname="serverA"
2014:09:10-09:13:10 primary-1 screenmgr[4795]: Client 147: disconnected: Broken pipe
2014:09:10-09:13:11 primary-1 screenmgr[4795]: Client 148: disconnected: Broken pipe
2014:09:10-09:48:38 primary-1 screenmgr[4795]: Client 149: authenticated: user='***xx'
2014:09:10-09:48:38 primary-1 screenmgr[4795]: Client 149: start screen requested: REF_CliConHeizungsse
2014:09:10-09:48:39 primary-1 screenmgr[4795]: Client 149: connector started
2014:09:10-09:48:39 primary-1 screenmgr[4795]: id="2201" username="***xx" event="Connection started" sub="vpn" variant="clv" sys="SecureNet" severity="info" srcip="a.b.c.d" service="HTML5 VPN" type="VNCRDesktop" sessionid="149" sessionname="test.test.test"

And here are the relevant log entries for error 2:
Code:

2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined
2014:09:10-08:21:37 primary-1 screenmgr[4795]: PTYSSH[REF_CliConStorage]: Error occured: undefined

I'm using Firefox 24.6.0 ESR as the HTML5 client on a company computer and, in parallel, an SSL VPN connection from my private laptop (via the same internet infrastructure) to the same Sophos hardware without any trouble and without any connection losses.

On the Sophos side I'm using an ISO installation with 9.205-12.

Can you please take a look at it?

Thanks
regards
Herbert

UTM KILLED laptop!

Hi, you read the thread title correctly.

Not sure if anyone has had this happen before, but I have had a laptop fried by a Sophos UTM (120) I was working on.

I was attempting to reset its password and held down the power button to restart it and start at step one here (reset all passwords):

Recover access to your Sophos UTM in the event of password loss

Upon pressing and holding the power button, the UTM (which my laptop was connected to via an Ethernet cable) turned off, and at that exact moment my laptop also switched off (no lock-up, no blue screen, just completely turned off whilst on mains power).

It will now not power back on and removing the battery and bypassing that hasn't fixed it. Seems like the motherboard is fried.

The UTM powered back on and after going through the steps to reset the passwords it will not retain the new root password that is set.

I would like to know, upon proving the UTM is faulty (which it is), whether Sophos will provide compensation and how I should go about making this happen?

Speak to Sophos directly or go through the distributor/supplier?

Thanks.

Inter-VLAN routing with redundant topology

Good afternoon Sophos Wizards,

We're about to start the implementation of our SG330 into our current topology and we're unable to get past one obstacle: we don't know how to configure inter-VLAN routing on more than one interface (for the sake of redundancy).

The problem is the following: we're able to configure the router-on-a-stick approach (http://www.networkstraining.com/imag...on-a-stick.jpg) with one interface. But if you take a look at the picture in the attachment, you see that we'd prefer to do inter-VLAN routing on two interfaces. All the links (excluding the links from access switches to computers) are trunks in this picture. I'd really appreciate some hints regarding this topic.

Although I lack experience with Sophos configuration, I thought of a config where eth2 and eth3 are bridged, interface br0 is created and virtual VLAN interfaces are then assigned to the br0 interface. Please take a look at the second picture in the attachment, where such a config is depicted. On the other hand, I'm unable to figure out how the STP protocol would behave :confused:, because all the links look to me like one huge broadcast domain (regardless of the fact that each VLAN is a broadcast domain on its own). I assume that either of the links eth2 or eth3 would be blocked in order to break the physical loop and avoid broadcast storms.

Our current redundant inter-VLAN routing is achieved with two Cisco 4500 series L3 switches. Since these L3 switches are only able to restrict traffic up to layer 4, we're thinking of configuring inter-VLAN routing on the Sophos UTM.

Thank you in advance for any valuable advice, best regards,
SZ


Update flips management interface

Just applied 9.206-35 via the web interface and it seemed to work fine; however, when I open the UTM console it now states that the WebAdmin interface has flipped from the LAN side to the WAN side. I can still access the web interface from the LAN side as well. In my security view this is a huge security issue, since at the initial setup it was crystal clear that the LAN interface was going to be the WebAdmin interface.

In order to ensure that I have done everything I can to properly secure it, I checked the WebAdmin access controls and I did find that "Allowed Networks" was set to "Any". This should never have been a default configuration, but the Sophos folks might prioritize communication over security. I did proceed to modify this setting to only the LAN network, but to my surprise this didn't change the fact that the WebAdmin interface is accessible from the WAN. I guess communication outweighs security at Sophos.

Any real explanations of why this is the case?

Apple Live Stream

Running 9.206-35

I know this is a little late :)

But for anyone using Apple devices: did you have to add any sort of rule or exception to be able to view Apple's live stream event? Both yesterday and at the one earlier this year I was not able to view this from my network and had to resort to watching it on my iPhone over my cell carrier.

As you will be able to tell from my sig this is for a home network and using transparent mode.

TIA

Country Blocking Exceptions

I have a customer who has implemented a pretty extensive geo blocking policy.

They have users who need to access both Skype (https://secure.skype.com) and ICQ (http://login.icq.com). Both are being blocked based on the country rules. I've attempted to add Country Blocking Exceptions for both, but they're still being blocked.

I created DNS Group network definitions for both, then Country Blocking Exceptions lists allowing traffic to all countries going to those two network definitions.

Web Policy Test still shows as blocked.

[9.206-35] httpproxy 100% CPU

The last two mornings the httpproxy process has been pegged, using all the CPU resources. It started around 6am yesterday and around 5am today. No one arrives at our office until 8:30am - 9:00am. Yesterday I ended up just letting Up2Date run and install the latest 9.206-35 firmware (which restarted the UTM and "solved" the problem). Today I didn't want to restart the firewall, so I found that I could restart httpproxy with:

sudo /var/mdw/scripts/httpproxy stop
sudo /var/mdw/scripts/httpproxy start

Where do I even start to look? We've been using the same setup/configuration for months. It's been at least 4-5 weeks since anything was even changed on the firewall (and that was just adding some static IPs). Our typical CPU usage (over the last month) is 6.52%.

Hardware suggestions for HomeUser firewall

Hello everyone,
I have one virtualized UTM running at my current home, but I am also planning to have one at a second location where I live.

Any suggestions for hardware that does the job?

It should be low energy, have 3 NICs (two would work too using VLANs), be silent (WAF required) and of course support activation of all UTM features (+ future new features), so not too slow.

The WAN connection is 100MBit/s+ down and 6MBit/s+ up.

I'd like the hardware to do the job as quietly and energy-efficiently as possible.

Also, I like to test a lot of features and therefore would use most of the features on the UTM.

Looking forward to hearing what you guys use at home.

Best regards

How can I configure the password length for SPX encryption more than 8 characters for

Hello Sophos UTM SPX Users,

I have a question concerning the standard password length for SPX encryption.

The Sophos UTM by default generates passwords with a length of 8 characters.

Today, this is insecure when the attacker uses a brute-force method with special GPU computers. (Reference: Crack Me If You Can contest)
It may be cracked within less than 1 day.

The password length that I can configure on the first tab "SPX Configuration" of SPX Encryption is only for user-selected passwords.
And I don't want user-selected passwords, because they are typically not the best ones.

So we use the Password Settings / Password type:
"Generated one-time password for every email"

But for this, the Sophos UTM only generates 8-character passwords.


Best Regards

Web Protection Problems

Hello!

I have 2 groups in AD that log in via SSO and the proxy in standard mode.
The group names are WWW and Intranet.
There is a category Intranet that I created and that allows visiting private IPs. I entered the intranet IPs via local sites and overriding of the categorization.

It is easy to guess: members of the WWW group may access the Internet and members of the Intranet group may access the intranet.
Now my problem:
Not every member of the WWW group may access the intranet, and vice versa. But there are members who may do both.
Anyone who knows the filter profiles and policies will surely already understand what I am getting at.
I have a profile in which there are currently 2 policies. 1st policy: Intranet allowed, everything else forbidden.
2nd policy: categories in the WWW allowed, Intranet forbidden.

Works great when I have no mixing of rights. But now I have users who may do both, Internet as well as intranet :confused:
But since the 1st rule applies, because they are members of the Intranet group, they no longer get to the Internet.

Does anyone have an idea how this problem can be solved?

The only thing I can think of is creating a 3rd AD group, but that will be a huge effort, especially if someone comes up with the idea that individual users should reciprocally be allowed, or not allowed, other things. :eek:

Can a Sophos UTM be used as a VPN Gateway from behind a NAT?

Hello, long time reader, first time poster.

Situation:
I am a Network Administrator for a company, and here is a photo of both our MPLS and Internet: https://dl.dropboxusercontent.com/u/...1/IMG_0123.JPG So, naturally, we are completely down. This includes our PRI and POTS lines.


Although we use Cisco ASAs at all of our 6 sites, I am a huge UTM fan. I talked my manager into loading a UTM on a PC, hanging 3 air cards on it, and load balancing them. While the stability of the cards leaves room for improvement, it does function.

Next I need to set up 2 VPNs. Site-to-site is out because the air cards put me behind a NAT. I have used the client/server SSL VPN between 2 UTMs in the past, but this is the only UTM available.

My question is this:
Is there a way to use the UTM as a VPN gateway to an ASA from behind a NAT?

The ASAs I need to connect to do have client VPNs set up. Not sure if this will solve the issue.

Thank you for taking the time to read this post.

-Matt

Web Application not fully supporting Lync Client

I'm trying to use Lync 2014 behind my UTM (9.206-35).

I've set up a web application rule to allow Lync.
This does not seem to work.
I cannot join meetings.

If I place firewall rules allowing
  • DNS
  • ICMP ping
  • IPsec - IKE
  • Lync dst (dst ports of 50000:59999)
  • Lync src (src ports of 50000:59999)
  • Teredo
I can get it to work somewhat; the net result is that I can connect to voice communications (meetings et al.) but I cannot share my screen (lead meetings).

In essence the Web Application Rules are not working, and my work-around is a bit silly and risky and not completely functional.

The one thing that does work is skipping the web proxy entirely for client machines, but that's not really a solution.

I've attached a bit of the firewall logs from when attempting to connect to a meeting.

Am I missing something?

Thanks,

Doug
