Channel: Sophos User Bulletin Board

Web Filter DNS Issue

Fixed the issue where, when switching to a bridged interface, the default gateway didn't carry over.

httpproxy isn't working; it seems to be a DNS issue.

2014:12:09-07:39:04 utm httpproxy[5374]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x954f000" function="connect_server" file="dns.c" line="1177" message="connect() on AF 2 socket to 175.41.130.207 failed: Network is unreachable"
2014:12:09-07:39:04 utm httpproxy[5374]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xa632800" function="connect_server" file="dns.c" line="1177" message="connect() on AF 2 socket to 175.41.130.207 failed: Network is unreachable"
2014:12:09-07:39:04 utm httpproxy[5374]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xe40a8000" function="connect_server" file="dns.c" line="1177" message="connect() on AF 2 socket to 175.41.130.207 failed: Network is unreachable"
2014:12:09-07:39:04 utm httpproxy[5374]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xe40aa800" function="connect_server" file="dns.c" line="1177" message="connect() on AF 2 socket to 175.41.130.207 failed: Network is unreachable"
2014:12:09-07:39:07 utm URID[4648]: T=4648 ------ 2 - Warning: EARLY TIMEOUT: dns context 0 has 5999 ms before it should time out\n

I can use DNS in Tools -> DNS lookup and get a response:

DNS Lookup Result

Trying "google.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47263
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;google.com. IN ANY

;; ANSWER SECTION:
google.com. 285 IN AAAA 2607:f8b0:4009:80b::2000
google.com. 2753 IN TXT "v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
google.com. 86400 IN NS ns1.google.com.
google.com. 86400 IN NS ns2.google.com.
google.com. 86400 IN NS ns4.google.com.
google.com. 86400 IN NS ns3.google.com.
google.com. 257 IN A 216.58.216.96

;; AUTHORITY SECTION:
google.com. 86400 IN NS ns1.google.com.
google.com. 86400 IN NS ns4.google.com.
google.com. 86400 IN NS ns3.google.com.
google.com. 86400 IN NS ns2.google.com.

;; ADDITIONAL SECTION:
ns1.google.com. 86400 IN A 216.239.32.10

Received 304 bytes from 127.0.0.1#53 in 45 ms

The firewall isn't blocking DNS, I checked.

I am not sure how to fix this issue; any help would be great. The company I work for is evaluating Sophos to replace the Barracuda Web and Email Filters and the Cisco ASAs.

SNMP setup question

I'm hoping to monitor a UTM425 (especially AP50s) using SNMP sensors on a PRTG Network Monitor server. If someone could point me to information on how to configure the UTM to give PRTG network access I would be grateful.

On the UTM under Management > SNMP I've selected SNMP v3, added allowed networks, and put in the authentication user name and password. I've got the authentication user name and password on the PRTG server, I've selected SHA authentication and AES encryption and used the authentication password as the encryption key.

When I try to add an SNMP sensor for the UTM on the PRTG server it times out with a "No response" error.

If anyone sees from this where I've gone astray or could point me to detailed instructions I would be very grateful.

I used similar settings to add sensors for some Aerohive APs yesterday, so I think I'm doing things correctly on the PRTG server.

Thanks,

Steve

Reverse DNS FAILED

Hello, this is my first post on the forum, so fingers crossed for some help from you folks.

I have recently purchased a UTM and I'm on v9.3. I have set up web filtering, VPN and webserver protection in my organisation without many issues.

I am totally stuck on the Email protection, our old setup used the Sophos email appliance to filter email and do SPX, this worked without issue.

I now have the UTM set up on a different internet feed and I am transferring services over from one IP range to this new one. I have re-pointed our A record to the new UTM on one of the external public IP addresses. Email does come through eventually but it can take over an hour in some cases.

When I use a tool like MX Toolbox it tells me that 'Reverse DNS fails' and 'You hung up on us after we connected' when I run the tests.

Now I have run this against the old Sophos Email Appliance and the tests mainly come back as all OK, so I don't think it's anything to do with the way I have configured my DNS records.

Any Ideas why?

POP3Proxy, Poodle-Bugfix, TLS1 and TLS1.1 and fetchmail

Hi,

I'm a Linux admin using fetchmail on a local server to get emails via the pop3proxy of my Sophos UTM 9.

We all know there is the infamous POODLE bug and SSLv3 should not be used anymore.

Sophos has released a "bugfix" for this to make pop3proxy not use SSLv3 anymore. But here is the catch: pop3proxy most likely uses OpenSSL for connecting, and though we don't want to use SSLv3 anymore, TLS 1 and TLS 1.1 are still welcome and safe to use. These, TLS 1 and TLS 1.1, rely on the same cipher suites as SSLv3.

So we have a problem. If you disable SSLv3 as a cipher suite, you cannot use TLS 1 or TLS 1.1 anymore. You could say, well, you can still use TLS 1.2, because it doesn't rely on the SSLv3 cipher suites. But I'd answer: I do use fetchmail, and you cannot force fetchmail to use TLS 1.2. :(

So since the last update I cannot use fetchmail anymore, because the solution proposed for the POODLE bug by Sophos was to turn off the SSLv3 cipher suites. And I don't like that at all. :mad:

Take a look in /var/storage/chroot-pop3/etc/pop3proxy.conf-default

before the patch/update
Code:
tls_ciphers_server=RC4:HIGH:!MD5:!aNULL:!EDH

after the patch/update
Code:
tls_ciphers_server=RC4:HIGH:!MD5:!aNULL:!EDH:!SSLv3

So here is my question: how can you configure pop3proxy so that the SSLv3 cipher suites are still usable but the SSLv3 protocol is not?

I saw this way of configuration on a lot of mail services like Dovecot and so on. So how can this be done with pop3proxy?
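The distinction the post is asking about can be checked against a local OpenSSL: in an OpenSSL cipher string, `!SSLv3` removes the cipher suites that SSLv3 shares with TLS 1.0 and 1.1, whereas disabling the SSLv3 protocol is a separate setting (a protocol floor). This added Python example (not pop3proxy or Sophos code; it uses Python's `ssl` module as a stand-in, since the page shows no pop3proxy protocol knob) applies both cipher strings from the post and reports what each leaves usable:

```python
import ssl

# The two tls_ciphers_server values quoted from pop3proxy.conf-default above.
BEFORE = "RC4:HIGH:!MD5:!aNULL:!EDH"
AFTER = "RC4:HIGH:!MD5:!aNULL:!EDH:!SSLv3"


def suites_by_protocol(cipher_string):
    """Ask the local OpenSSL which suites a cipher string selects, grouped by
    the protocol that introduced them. OpenSSL labels the suites shared by
    SSLv3, TLS 1.0 and TLS 1.1 (e.g. AES256-SHA) as "SSLv3"; TLS 1.2-only
    suites (AES-GCM etc.) are labelled "TLSv1.2". Unknown names such as RC4
    on a build without RC4 simply match nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    groups = {}
    for cipher in ctx.get_ciphers():
        groups.setdefault(cipher["protocol"], []).append(cipher["name"])
    return groups


def legacy_suites_remaining(cipher_string):
    """Suites a TLS 1.0/1.1 client could still negotiate under this string."""
    return suites_by_protocol(cipher_string).get("SSLv3", [])


def context_without_sslv3(cipher_string):
    """Disable the SSLv3 *protocol* while keeping the shared suites: set a
    protocol floor on the context instead of a cipher-list exclusion."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # deliberately without "!SSLv3"
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def protocol_floor(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    for label, cs in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {cs}")
        for proto, names in sorted(suites_by_protocol(cs).items()):
            print(f"  {proto}: {len(names)} suites, e.g. {names[0]}")
    ctx = context_without_sslv3(BEFORE)
    print("floor:", protocol_floor(ctx),
          "legacy suites kept:", len(legacy_suites_remaining(BEFORE)))
```

With the `!SSLv3` string the "SSLv3" group is empty, which is exactly why a TLS 1.0/1.1-only client like the poster's fetchmail no longer finds a common suite.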

TLS error on delivery

Hello dear forum,

A business partner is trying in vain to send us an e-mail.
The message "451 4.7.5 [internal] tls negotiation failed" appears.

But the problem only occurs with this one sender!?

Does anyone happen to have the same problem?

(The problem has presumably existed since Up2Date 9.210020!??)

Many thanks in advance.

Remotely monitoring AP50 performance

I'm going to have about triple the number of wireless clients (mostly iPads) on my network in 2015-16, about 250, and am trying to learn the most effective ways to monitor network performance. I know it's a broad topic, but if anyone could point me toward relevant information I'd be grateful. I've got a Sophos UTM425 and 8 AP50s (acquiring more APs this summer).

I've set up SNMP for queries on the UTM and I've got a couple of sensors on a PRTG Network Monitor server, but I will need to get up to speed on traps and MIBs. Any advice as to where to go for information would be greatly appreciated.

Thanks,

Steve

DNS failing to resolve.

Hi all,
I am running UTM 9.209-8 and am trying to use web protection to monitor internet usage. My network is very simple (home usage).

Cable modem/router/DHCP -> UTM -> Cisco AP

The issue I am having is that when I enable "web filtering" in "Full transparent" mode, the hosts/computers don't seem to be resolving DNS. If I set it to "standard mode", I have no issues surfing the web. I have tested this using Support -> Tools -> DNS lookup and it fails to resolve google.com in both transparent and standard mode.

I have...
- both NICs bridged
- DNS -> Global -> bridged network interface added to the list.
- DNS Forwarders -> have tried Google DNS and Comcast DNS with "Use forwarders assigned by ISP" checked.

I know I'm missing something small. I have googled, checked this forum and also read the Sophos KB.

Any help would be appreciated!

SSG 330 - 9.209-8 to 9.320-2

Had to revert back to 9.209-8

Even reimaging the SSG 330 from scratch with the 9.3 ISO failed. The NICs would go offline after about 30 seconds, no matter how many times I rebooted.

Reverted back to 9.209-8 and restored configuration, we're back up and running.

Not touching 9.3 for a while...

Uplink Balancing mpls & public internet

Hi guys,

Let's say there are 2 Datacenters, one in North America and one in Europe.

Each has one active MPLS connection, and both have dual public internet connections through two ISPs.

Is it possible to create an active/active connection / VPN tunnel between both datacenters that includes all available connections (including MPLS)?

In the end, the goal would be to have no downtime for internal networks in case MPLS breaks and no downtime for public internet access in case one ISP breaks.

Thanks!

One Time Password

Hi guys,
I want to know whether there is any software to install on Windows for OTP authentication, like the Google Authenticator app for Android and so on.
Thank you

Access to a site on port 4444 blocked by the web filter

Hello everyone,

I have the following problem.

From a network behind a Sophos UTM I want to access a site that is published on port 4444.
The site is available and can also be reached from a test machine behind a Fritzbox.
The UTM's policy test in the web filter says everything is allowed.
Port 4444 is entered under Web Filter > Target Ports.

In the browser I get the error message "The web page is not available", error code "ERR_CONNECTION_CLOSED".

The UTM web protection log says:

2014:12:10-12:01:05 ASG-1 httpproxy[5843]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.100.100.100" dstip="*.*.*.*" user="******" ad_domain="" statuscode="500" cached="0" profile="REF_HttPro*** (***)" filteraction="REF_HttCff*** (***)" size="0" request="0x1173f0c8" url="https://***.***.***:4444/" exceptions="" error="Connection refused" authtime="14" dnstime="6" cattime="0" avscantime="0" fullreqtime="577" device="0" auth="1"

I don't understand why the policy test returns "allowed" while the log says "web request blocked".

Can you help me?

Regards
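The httpproxy line in this post and the ones in the "Web Filter DNS Issue" post above use the UTM's `key="value"` log format. As an added example (not UTM or Sophos code), this Python parser splits such lines into fields and reports entries whose `error=`/`message=` text is a socket-level connect failure ("Connection refused", "Network is unreachable") separately from filter decisions, so an `action="block"` line with `statuscode="500"` and `error="Connection refused"` shows up as the proxy failing to reach the upstream rather than as a policy verdict. The sample lines are copied from the posts above, with the posters' redactions left in place.

```python
import re
from collections import Counter

# Sample input: three log lines quoted in the posts above (not constructed).
SAMPLE_LOG = r'''
2014:12:09-07:39:04 utm httpproxy[5374]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x954f000" function="connect_server" file="dns.c" line="1177" message="connect() on AF 2 socket to 175.41.130.207 failed: Network is unreachable"
2014:12:09-07:39:07 utm URID[4648]: T=4648 ------ 2 - Warning: EARLY TIMEOUT: dns context 0 has 5999 ms before it should time out\n
2014:12:10-12:01:05 ASG-1 httpproxy[5843]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.100.100.100" dstip="*.*.*.*" user="******" ad_domain="" statuscode="500" cached="0" profile="REF_HttPro*** (***)" filteraction="REF_HttCff*** (***)" size="0" request="0x1173f0c8" url="https://***.***.***:4444/" exceptions="" error="Connection refused" authtime="14" dnstime="6" cattime="0" avscantime="0" fullreqtime="577" device="0" auth="1"
'''

# "<timestamp> <host> <program>[<pid>]: <rest>"; the rest is key="value" pairs
# for httpproxy, free text for other daemons (URID here).
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Socket error texts seen in the posts: the proxy could not reach the upstream.
CONNECT_FAILURES = ("Network is unreachable", "Connection refused")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "prog", "pid")}
    rec.update(KV_RE.findall(m.group("rest")))  # list of (key, value) pairs
    return rec


def classify(rec):
    """upstream-connect-failure beats policy-block: a block line that carries a
    socket error was never a filter decision about the URL."""
    text = rec.get("error") or rec.get("message") or ""
    if any(reason in text for reason in CONNECT_FAILURES):
        return "upstream-connect-failure"
    if rec.get("action") == "block":
        return "policy-block"
    return "other"


def summarize(log_text):
    """Count lines per class; lines that do not parse are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[classify(rec)] += 1
    return counts


if __name__ == "__main__":
    for cls, n in summarize(SAMPLE_LOG).items():
        print(f"{cls}: {n}")
```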

Strange problem with IPSec site-to-site tunnel to Draytek Router

Hello everybody,

I am experiencing a really strange problem with one of our remote sites.
Let me start at the beginning: at our headquarters, we had, until recently, two internet connections, one regular ADSL line for local internet access, and one 2 MBit SDSL line for email and VPN (both remote access for our employees and site-to-site VPN for our remote sites).
Recently, we got ourselves a shiny new 5 MBit "Business Connect" line (which apparently is just a fancy name for "SDSL"). We migrated our remote access VPN over to the new line without major problems, we migrated our email to the new line (with some weird problems, but I was able to solve them), and we migrated the VPN connections to our remote sites to the new line, no problems (or so I thought in my youthful naive optimism).

Today, I tried to turn off the old SDSL line, to see if things had really worked as planned. Turns out they mostly had, except for one remote site. That site has an ancient Draytek Vigor 2900 router (must be about ten years old) which connects to our UTM via an IPsec tunnel.
What really confuses me is that we have already changed the configuration in the Draytek router to use our new IP address as the endpoint for the IPsec tunnel. But the very moment I turned off our old SDSL line, the IPsec tunnel stopped working.

I waited for a while, with no effect, of course, I rebooted the Draytek router, which did not help either, I repeatedly told the Draytek router to re-try to set up the IPsec tunnel, without success. Then I brought up the old SDSL line again, and within seconds, the IPsec tunnel came back up.

I thought that maybe I had made a mistake configuring the Draytek to use our new public IP address for the IPsec tunnel. But as far as I could find out, I had not.
The Draytek was indeed talking to our new public IP, that part had apparently worked.
But as soon as I took the old SDSL line offline, the IPsec tunnel broke down.

When the old SDSL line is down, the Draytek does indeed continue talking to our UTM, on the public IP of our new SDSL line, but something goes wrong.
The ipsec log shows repeated error messages, like this:

2014:12:10-11:39:24 vpn pluto[5485]: "S_REF_wrcceecySD_0"[4] a.b.c.d #99: next payload type of ISAKMP Identification Payload has an unknown value: 229
2014:12:10-11:39:24 vpn pluto[5485]: "S_REF_wrcceecySD_0"[4] a.b.c.d #99: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2014:12:10-11:39:24 vpn pluto[5485]: "S_REF_wrcceecySD_0"[4] a.b.c.d #99: sending encrypted notification PAYLOAD_MALFORMED to a.b.c.d:500


(a.b.c.d is the Draytek router's public IP address.)

I am confused by the log remark about the "mismatch of preshared keys". We did not change the PSK, the tunnel has literally worked for years, and it continues to work the moment I bring the old SDSL line back up.

Has anybody experienced this kind of problem before? Have I missed something when configuring the Draytek to use the new IP address? What is going on here? :confused:

Thank you very much for any insights you might be able to share with me!

Slow throughput with SSL client

Hi,

I use UTM 9.302-2 and use the SSL Remote Access Clients (OpenVPN) with great favor. But throughput can never get over 3 MBit/sec. I have set up SSL on the UTM on port 2443 and as UDP, but speed does not increase.

Do any of you get higher speeds?

Current firmware version: 9.210-20

After installing firmware version 9.210-20 on my Sophos ASG 220 model, my Exchange 2010 server suddenly decided not to receive any e-mails from Gmail, for instance.

There are some other domains as well, but some domains get through.

I was just wondering if that latest build did anything with SMTP, receiving etc. for e-mails?

9.210020 Patch of doom

Currently trying to get in touch with support.

Issue: updated to 9.210020 on ASG320 and the system has become very sluggish (hardly touched the resources prior to patch).

TLS seems to be broken on the SMTP proxy. To continue to receive mail I had to add "the internet" to the SMTP proxy skip list. Anything that was coming in that requested a TLS/SSL connection would fail (gmail, banks, etc).

Also if I try to open any "live log" resources will spike through the roof and I will get a message to wait 30 seconds a few times before it starts working.

Same patch on my home box works fine.

Embedded videos blocked

Hi

Some time ago I switched on the https decrypting and scanning. Downloaded the certificate on all devices, works fine, except videos that are embedded on home pages. For example if some page has a YouTube video linked (e.g. http://www.joomlart.com/video-tutori...s-installation ) I can click on the video and then there is an error message.

Going to the YouTube channel from Joomlart I can watch the video. Joomlart is just an example. It is like this for all embedded videos.

There is nothing in the web protection reporting that gives me a hint.

Any idea?

Thanks

Roger

Problem with SSL VPN

Hello all,

I have a small problem on a Sophos UTM.
When I connect via SSL VPN I have full access to all networks behind the Sophos (Firewall -> SSL -> Any).

Unfortunately, someone who is in the "office network" cannot access the clients that are in the SSL network.
Neither ping nor, for example, shares work.

Is there a setting I need to take care of here?

Regards

Guest wireless behind RED 10

I want to deploy guest wireless access behind a RED 10 in standard/split operation mode. I have an AP50 deployed and have a wireless network for corporate use, but need a guest network also. Not sure how to configure guest access on a separate network to work across the RED.

Thanks for your help.

Which Antivirus Does the Best Cleanup?
