Channel: Sophos User Bulletin Board

DMZ getting to LAN

OK, so this is a new setup/play.

I have a few rules, basic ANY at the moment, but I will lock down later.
I'm sure this is not the issue here.

So my rules are:
1: LAN -> ANY -> InternetIP4 (ALLOW)
2: LAN -> SSH,RDP,HTTP -> DMZ (ALLOW)
3: DMZ -> HTTP -> InternetIP4 (DENY) - so DMZ can't get to the router GUI
4: DMZ -> ANY -> InternetIP4 (ALLOW)

Items from DMZ to LAN IPs like SSH, RDP, TELNET, PING do not get to the LAN.

HTTP (HTTPS not tested) can get to the LAN. I'm guessing the Sophos is dealing with the traffic in another way. Even adding the following doesn't stop HTTP:

between 2: & 3:
DMZ -> HTTP -> LAN (DENY) - HTTP still works.

Please advise! :(
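As an added illustration (not code from the post or from Sophos), the following Python simulates first-match evaluation of the four rules above with an implicit final deny, the conventional packet-filter semantics assumed here; the LAN/DMZ addressing is constructed, and any address outside those two nets is treated as InternetIP4. It shows that neither the original rule set nor the variant with the extra deny ever permits DMZ -> LAN on port 80, so the HTTP pass-through the poster sees cannot come from the ordered rule set itself.

```python
from ipaddress import ip_address, ip_network

# Constructed zone addressing (assumption, not given in the post).
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.10.0/24"),
}
# Services named in the post, mapped to (protocol, port); ICMP has no port.
SERVICES = {
    "SSH": ("tcp", 22), "RDP": ("tcp", 3389), "HTTP": ("tcp", 80),
    "TELNET": ("tcp", 23), "PING": ("icmp", None),
}

def zone_of(addr):
    """LAN or DMZ when the address falls in one of those nets; everything
    else is treated as InternetIP4 (simplifying assumption)."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "InternetIP4"

# The poster's rule set, in order: (source zone, services, destination zone, action).
RULES = [
    ("LAN", "ANY", "InternetIP4", "ALLOW"),
    ("LAN", {"SSH", "RDP", "HTTP"}, "DMZ", "ALLOW"),
    ("DMZ", {"HTTP"}, "InternetIP4", "DENY"),   # keeps the DMZ away from the router GUI
    ("DMZ", "ANY", "InternetIP4", "ALLOW"),
]

def with_extra_deny(rules):
    """The variant the poster tried: DMZ -> HTTP -> LAN (DENY) between rules 2 and 3."""
    return rules[:2] + [("DMZ", {"HTTP"}, "LAN", "DENY")] + rules[2:]

def evaluate(rules, src, dst, proto, port=None):
    """First-match evaluation with an implicit final DENY.
    Returns (action, 1-based index of the matching rule, or None if nothing matched)."""
    for i, (rule_src, services, rule_dst, action) in enumerate(rules, start=1):
        if zone_of(src) != rule_src or zone_of(dst) != rule_dst:
            continue
        if services != "ANY" and (proto, port) not in {SERVICES[s] for s in services}:
            continue
        return action, i
    return "DENY", None

if __name__ == "__main__":
    probes = [  # (src, dst, proto, port): the flows the post reports on
        ("192.168.10.5", "192.168.1.5", "tcp", 22),     # DMZ -> LAN SSH
        ("192.168.10.5", "192.168.1.5", "tcp", 80),     # DMZ -> LAN HTTP
        ("192.168.10.5", "192.168.1.5", "icmp", None),  # DMZ -> LAN ping
        ("192.168.1.5", "192.168.10.5", "tcp", 3389),   # LAN -> DMZ RDP
        ("192.168.10.5", "203.0.113.10", "tcp", 80),    # DMZ -> Internet HTTP
    ]
    for p in probes:
        print(p, "original:", evaluate(RULES, *p),
              "with extra deny:", evaluate(with_extra_deny(RULES), *p))
```

A flow that returns ("DENY", None) hit no rule at all, so if it is observed to pass, some component in front of the packet filter is handling it.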

Slow Webadmin after upgrade from 9.212 to 9.312

After I updated our HA setup from 9.212 to 9.312, I've noticed that the Webadmin gets pretty laggy once our CPU gets to around 20%, which happens during normal work hours (usually fluctuates between 15-30%). Actual internet traffic doesn't seem to be affected yet, just the webadmin console. It's making it difficult to make changes though, as it can sometimes sit there for quite a while before the page finally comes up. I could understand it happening if the CPU was getting close to max, but at only 20%?

I'm not overly concerned yet as long as the users don't notice; has anyone else had any issues with a similar setup? Thanks!

WebAdmin and other stuff fails periodically

Every 3-4 days my UTM basically stops functioning. The WebAdmin becomes unresponsive, and even if I use the VM console to restart services I can't get it back without a reboot. The logs indicate a number of things breaking down.

The kernel log shows this a few times, then just starts repeating the martian bit. Name resolution breaks at the same time.
Code:

2015:07:07-23:00:45 Sophos kernel: [42993.718695] hv_storvsc vmbus_0_1: cmd 0x2a scsi status 0x2 srb status 0x82
2015:07:07-23:00:45 Sophos kernel: [42993.718704] hv_storvsc vmbus_0_1: stor pkt ffff8800664bc700 autosense data valid - len 18
2015:07:07-23:00:45 Sophos kernel: [42993.718708] storvsc: Sense Key : 0x6 [current]
2015:07:07-23:00:45 Sophos kernel: [42993.718713] storvsc: ASC=0x3f ASCQ=0x2
2015:07:07-23:00:45 Sophos kernel: [42993.718725] sd 2:0:0:0: Warning! Received an indication that the operating parameters on this target have changed. The Linux SCSI layer does not automatically adjust these parameters.
2015:07:07-23:01:28 Sophos kernel: [43038.993629] IPv4: martian source 192.168.0.1 from 192.168.0.11, on dev eth0
2015:07:07-23:01:28 Sophos kernel: [43038.993635] ll header: 00000000: ff ff ff ff ff ff 00 15 5d 00 03 05 08 06        ........].....

This appears to be the earliest event logged indicating some kind of failure, from the fallback log.
Code:

2015:07:07-23:31:11 Sophos [daemon:info] nwd[1607]:  No interfaces or routes to monitor exiting
2015:07:07-23:31:11 Sophos [daemon:info] nwd[1607]:  Unable to delete the interface state file
2015:07:07-23:31:29 Sophos [user:notice]        This  probably means the server terminated abnormally
2015:07:07-23:31:29 Sophos [user:notice]        before  or while processing the request.
2015:07:07-23:31:30 Sophos [user:notice]        Is  the server running locally and accepting
2015:07:07-23:31:30 Sophos [user:notice]        connections  on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

I'm not really sure what I'm looking at. It seems like one or both of my interfaces are just failing. Both are configured as Ethernet, MS/Citrix in Sophos on the VM, and are physically tied to their own dedicated interfaces (Broadcom NetXtreme).

Traceroute IPv6

Hello everyone,
I have a problem with the Sophos UTM and IPv6:

Setup:
2 sites configured with IPv4 and IPv6, 2x IPv6 via HE Tunnelbroker, 2x Sophos UTM 9.313-3
Site 1: 2001:470:734a::/48
Site 2: 2001:470:529b::/48

All configured networks are dual stack; they are /64 networks.
The networks of both sites are connected via site-to-site, IPv4 and IPv6 respectively.

Traceroute over IPv4 always runs cleanly, but IPv6 does not.

From a PC at site 1 to a server at site 2:
Routenverfolgung zu s-wsus.Neise.de [2001:470:529b:1050::23]
über maximal 30 Hops:

1 <1 ms <1 ms <1 ms 2001:470:734a:2040::1
2 * * * Zeitüberschreitung der Anforderung.
3 26 ms 23 ms 24 ms s-wsus.neise.de [2001:470:529b:1050::23]

That is OK; all services work over IPv4 and IPv6 (RDP/SMB).

From the UTM at site 1 (Support -> Tools Traceroute):
traceroute to 2001:470:529b:1050::23 (2001:470:529b:1050::23), 30 hops max, 40 byte packets using UDP
1 GunnarNeise-1.tunnel.tserv6.fra1.ipv6.he.net (2001:470:1f0a:8f4::1) 17.245 ms 20.993 ms 20.185 ms
2 v399.core1.fra1.he.net (2001:470:0:69::1) 45.866 ms 44.742 ms 43.509 ms
3 10ge2-1.core1.muc1.he.net (2001:470:0:2f8::2) 29.358 ms 30.533 ms 29.295 ms
4 10ge1-3.core1.ber1.he.net (2001:470:0:310::2) 40.203 ms 38.934 ms 37.844 ms
5 tserv1.ber1.he.net (2001:470:0:220::2) 44.513 ms 41.798 ms 35.355 ms
6 * * *
Doesn't work!

The traceroute from the UTM at site 1 over IPv4 is flawless.

This is the route in the UTM at site 1 to the IPv6 network of site 2:
2001:470:529b:1050::/64 dev eth1 table ipsec proto ipsec src 2001:470:734a:1040::1 metric 1024

The problem is that all services which run through the web proxy of UTM 1 and access a server at site 2 do not work.

Are any further logs or data needed?

Kind regards, Gunnar

SSL VPN with RDP connection

I have set up a Sophos UTM 9 with firmware version 9.313-3.
I set up an SSL service and try to connect to it with the Sophos VPN client 2.1 and OpenVPN 2.3.7 64-bit.
It's running perfectly: SMB, ping, web browsing all run very smoothly.
However, every time I try to establish an RDP connection, the VPN connection will suspend until the RDP client gives up.

The first JPG shows that the VPN is established; 192.168.0.1 is my Sophos UTM and 192.168.0.4 is my 08R2.

The second JPG shows that the ping is lost after I try to connect to my 08R2.

The third JPG shows that after the RDP client gives up, the ping packets return normally.

IPS was stopped, and there is nothing special in the firewall log and VPN log, and nothing special in the 08 server event log.

Thanks

Attached Images
File Type: jpg 1.jpg (83.5 KB)
File Type: jpg 2.jpg (76.2 KB)
File Type: jpg 3.jpg (76.7 KB)

Publishing Synology DSM 5.2?

Hello,

I'm trying to publish my Synology DSM 5.2 filer and am having some problems.

I created a real webserver with the internal FQDN of the NAS, encrypted and using the port of the internal HTTPS connection (8001).

Then I created a clone of my Exchange firewall profile, changed the autodiscover, OWA, etc. and added /webman and /WEBMAN in the URL hardening options.

Then I created a virtual webserver listening on port 443 and using my wildcard certificate, type encrypted (HTTPS) & redirect, rewrite HTML, rewrite cookies, pass host header.

Now, when trying to reach my NAS from the Internet, I'm rejected with the following message:

Request blocked

The web application firewall has blocked access to / for the following reason:
URI prefix does not match

Does anybody have some hints on how to properly publish my NAS to the net?

Thanks in advance,
Félix

Unused definition

Hi.
I'm quite sure someone has already asked this, but I just can't find it.
Has anyone found a way to show all the unused definitions in "Network Definitions"?
As the years go by, we collect a lot of definitions (I have 340).
For sure quite a few are not in use any more and can be deleted.

Thanks…
:o

Mailing NAT

Hello,

I have a mail server in my LAN and a dedicated Internet connection connected to a Sophos UTM SG-450. I want to do static NATting (from MAIL-SERVER --> WAN and from WAN --> MAIL-SERVER). Which NAT option do I need to select?

Regards,

Unable to solve "HINT: Please REINDEX it" problem

Hello,

I have gathered important logs I cannot afford to lose. However, I cannot read them in Sophos UTM either.
In the WebGUI logs, Bandwidth Usage, Firewall, Advanced Threat Protection and IPS give the error:
Can't use string ("0") as a HASH ref while "strict refs" in use at /wfe/asg/modules/reporting.pm line 501.

I found discussions about log corruption like:
https://www.astaro.org/gateway-produ...rts-empty.html
I got these results:

Code:

psql -Ureporting -c"reindex database reporting;" reporting
psql: FATAL:  index "pg_attribute_relid_attnum_index" contains unexpected zero page at block 0
HINT:  Please REINDEX it.
A:/root # psql -Ureporting -c"vacuum;" reporting
psql: FATAL:  index "pg_attribute_relid_attnum_index" contains unexpected zero page at block 0
HINT:  Please REINDEX it.
A:/root # psql -U reporting -c "REINDEX DATABASE reporting"
psql: FATAL:  index "pg_attribute_relid_attnum_index" contains unexpected zero page at block 0
HINT:  Please REINDEX it.
A:/root # psql -U reporting -c "REINDEX DATABASE reporting"
psql: FATAL:  index "pg_attribute_relid_attnum_index" contains unexpected zero page at block 0
HINT:  Please REINDEX it.
A:/root # psql -U reporting -c "REINDEX INDEX pg_attribute_relid_attnum_index"
psql: FATAL:  index "pg_attribute_relid_attnum_index" contains unexpected zero page at block 0
HINT:  Please REINDEX it.

After some Googling I've also tried:
Code:

reindexdb -U reporting -d reporting -i pg_attribute_relid_attnum_index
reindexdb: could not connect to database reporting: FATAL:  index "pg_attribute_relid_attnum_index" contains unexpected zero page at block 0
HINT:  Please REINDEX it.

Should I go into passing "ignore_system_indexes=true" and then trying to reindex? If so, what is the best way to do it?

Please, any advice would be very helpful.

Bit of advice about NAT

Hi,

We have an internal Acronis Access server that users access on both desktop and mobile devices.

Mobile users access files via a "Gateway server" on port 443; desktop users access files via an "Access server" on port 3000.

We have given the gateway server a public IP "215.142.x.x"; the access server is on an internal IP. We have created a DNAT rule that points external users to the internal IP of the server. Everything works fine apart from mobile users attempting to access files whilst on our internal WLAN: they receive a message saying "Error obtaining server info for server 215.142.x.x". Internal desktop users are able to access the system fine.

My question is: should we have created a full NAT rule, and if so, how do we point to all internal LAN networks in a similar way to how we use wildcard masks? Our internal WLANs are across multiple areas of our premises and network addresses range from 192.168.2.0/24 - 192.168.239.0/24.

Thank you all in advance
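As an added example (not from the thread or from Sophos), this Python uses only the standard library to break the range 192.168.2.0/24 - 192.168.239.0/24 from the question into the smallest set of CIDR blocks, which is the form a firewall or NAT source definition needs since it takes networks rather than ranges; it also prints the inverted (wildcard) mask for each block and checks that the blocks cover the range exactly, with no spill-over into neighbouring subnets.

```python
from ipaddress import ip_address, summarize_address_range

def cidr_blocks(first, last):
    """Minimal list of CIDR networks that exactly covers the address range first..last."""
    return list(summarize_address_range(ip_address(first), ip_address(last)))

def wildcard_mask(net):
    """Cisco-style wildcard (inverted netmask) for a network, e.g. 0.0.1.255 for a /23."""
    return str(net.hostmask)

def total_addresses(blocks):
    """Sanity check: the blocks must add up to exactly the size of the original range."""
    return sum(b.num_addresses for b in blocks)

def covered(blocks, addr):
    """True when addr falls inside one of the blocks (i.e. would match the NAT source)."""
    a = ip_address(addr)
    return any(a in b for b in blocks)

# The poster's internal WLAN range: 192.168.2.0/24 through 192.168.239.0/24 inclusive.
WLAN_BLOCKS = cidr_blocks("192.168.2.0", "192.168.239.255")

if __name__ == "__main__":
    for net in WLAN_BLOCKS:
        print(f"{str(net):20} wildcard {wildcard_mask(net)}")
    print("blocks:", len(WLAN_BLOCKS), "addresses:", total_addresses(WLAN_BLOCKS))
    # 192.168.1.0/24 and 192.168.240.0/24 lie just outside the range and must not match
    print("192.168.1.9 covered?", covered(WLAN_BLOCKS, "192.168.1.9"))
```

The range is not a power-of-two aligned block, so it needs nine networks (from 192.168.2.0/23 up to 192.168.224.0/20); a single group definition containing those nine is the equivalent of one wildcard-style match.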

Odd FTP behavior

I am running Security Onion and noticed that my laptop made an FTP call out to an IP that is unauthorized. I recently changed how my FTP works. This IP appears to have been an Astaro site, but I see a reverse DNS of amazonaws.com (see attachments).

***.***.***.***:9766 ---> 79.125.108.166:21

1. Do I need to allow for this FTP site for some UTM reason?
2. Why is my laptop making this call and not the UTM?

I am not infected. Running for days without touching the laptop revealed no signs of infection or unexpected calls to the Internet. Good AV runs daily, and I use multiple layers of defense including Sandboxie and EMET 5.1 (maxed out). I also use Secunia PSI to keep me patched. :D

Thank you,

C68

Attached Images
File Type: png ftp.png (46.8 KB)
File Type: png ftp2.png (51.9 KB)

Remote access SSL does not work (resets connection)

Hi

I'm trying to set up SSL remote access using RADIUS as the back-end server. I have set it up using the guide below. The problem is it tries to connect and the connection resets every time. The details are provided below; please help.

https://www.sophos.com/en-us/mediali...a_SSL_geng.pdf

On a side note: after fiddling around with it for a long time I managed to get it working on one machine, but it does not work anywhere else. I think one of the things I did was to export the certificate and install it on the client machine; probably that helped, but the same thing does not work on other client PCs. I've tried with all the certs in the drop-down. I also have a public certificate from Lucky Register in case we need it.

Thanks
Vimal

Firmware version: 9.313-3
Pattern version: 83879

Client Logs

Sat Jul 11 22:33:35 2015 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Sat Jul 11 22:33:35 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Jul 11 22:33:35 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Jul 11 22:33:35 2015 MANAGEMENT: >STATE:1436650415,RESOLVE,,,
Sat Jul 11 22:33:35 2015 Attempting to establish TCP connection with [AF_INET]81.***.***.***:443 [nonblock]
Sat Jul 11 22:33:35 2015 MANAGEMENT: >STATE:1436650415,TCP_CONNECT,,,
Sat Jul 11 22:33:36 2015 TCP connection established with [AF_INET]81.***.***.***:443
Sat Jul 11 22:33:36 2015 TCPv4_CLIENT link local: [undef]
Sat Jul 11 22:33:36 2015 TCPv4_CLIENT link remote: [AF_INET]81.***.***.***:443
Sat Jul 11 22:33:36 2015 MANAGEMENT: >STATE:1436650416,WAIT,,,
Sat Jul 11 22:33:36 2015 Connection reset, restarting [0]
Sat Jul 11 22:33:36 2015 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jul 11 22:33:36 2015 MANAGEMENT: >STATE:1436650416,RECONNECTING,connection-reset,,
Sat Jul 11 22:33:36 2015 Restart pause, 5 second(s)

UTM Live Logs
2015:07:11-12:54:56 utm openvpn[24889]: vimal,10.242.2.4
2015:07:11-12:54:56 utm openvpn[24889]: REF_AaaUse1,10.242.2.8
2015:07:11-12:54:56 utm openvpn[24889]: sdm,10.242.2.12
2015:07:11-12:54:56 utm openvpn[24889]: MULTI: TCP INIT maxclients=1024 maxevents=1028
2015:07:11-12:54:56 utm openvpn[24889]: Initialization Sequence Completed
2015:07:11-13:39:40 utm openvpn[24889]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
2015:07:11-13:39:40 utm openvpn[24889]: MANAGEMENT: CMD 'status -1'
2015:07:11-13:39:50 utm openvpn[24889]: MANAGEMENT: Client disconnected
2015:07:11-22:35:40 utm openvpn[24889]: MANAGEMENT: Client connected from /var/run/openvpn_mgmt
2015:07:11-22:35:40 utm openvpn[24889]: MANAGEMENT: CMD 'verb 6'
2015:07:11-22:35:50 utm openvpn[24889]: MANAGEMENT: Client disconnected

The above live log is shown only once (does not repeat).
Settings
Compress SSL VPN traffic: unchecked
Allow multiple concurrent connections per user: unchecked
Encryption algorithm: AES-128-CBC
Authentication algorithm: SHA1
Key size: 2048 bit
Server certificate: Radius Users (X509 user cert)
Key lifetime: 28800

Sophos 9.313-3 Slow Web Interface

Running: Sophos UTM 9.313-3
Issue: The Sophos web interface is very slow and sometimes unresponsive. Browsing the Internet, however, has no speed issues.

Things I've tried:
upgrading firmware
re-installing Sophos

Hardware:
Supermicro X10SBA w/ embedded J1900 CPU
8GB DDR3
16 GB USB 3.0 Flash Drive

Hardware logs show utilization from 20-50%. Is this a problem with Sophos? If so, what are some steps to try?

Access via SSL VPN to a share behind a RED 10

Hello everyone!

I have a question.

The setup is as follows: an ASG 220 sits at the main site; a RED 10 is configured as Standard/Split at a branch site. Behind it is a 2012R2 server with several shares that are to be mounted as network drives. From the main site this works flawlessly, but for the SSL VPN users who connect to the ASG at the main site it does not.

What exactly needs to be done for this? I have already tried firewall rules that allow communication between the VPN users and the server behind the RED. Unfortunately, that was not the solution.

Regards
Sebastian

EDIT: Asked too early, sorry. I had forgotten to enter the VPN User Network as a split network under RED Management --> Server Client Management in the corresponding RED.

Problem connecting to SSL RA VPN for 1 user

Hello, one of our users connects successfully to the VPN but then doesn't get any bytes transferred and cannot reach anything.

This is the part of the log file where I think the problem is visible. What can be the cause of this?

Code:

Fri Jul 10 15:18:02 2015 NOTE: FlushIpNetTable failed on interface [45] {DB0B29C3-C92D-4FF5-971A-5E4E8011C664} (status=5) : Access is denied. 
Fri Jul 10 15:18:06 2015 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=1 u/d=up
Fri Jul 10 15:18:06 2015 C:\Windows\system32\route.exe ADD 83.*.*.108 MASK 255.255.255.255 192.168.0.254
Fri Jul 10 15:18:06 2015 Warning: route gateway is ambiguous: 192.168.0.254 (2 matches)

virtual UTM swapping interface unexpectedly

Hi,

I am running a Sophos 9.3 virtualized UTM on VMware vSphere 5.1.
Yesterday, during normal operation without any configuration changes or updates taking place, the UTM suddenly swapped its interfaces, meaning that the UTM's internal interface was suddenly connected to the external virtual switch and the other way round, which of course caused havoc with our network's communication.
I did not find any hints in the UTM's or vSphere's event logs to determine the cause of this erratic behaviour.
Has anyone experienced such an issue and could tell how to prevent it in the future?

Thank you very much in advance.

Regards
Tobias

HA Cluster Problems via lag1 - anyone else?

While stretching my active/passive cluster over two L2-connected sites, the complete cluster crashes. One of the nodes says that both nodes are SLAVE; the other one claims it is active and the second node is DEAD. Resetting to factory defaults and setting up the cluster again with a direct CAT6 cable brings up the cluster again.

Hardware: 2xUTM625 (2Expansion Modules: +1Gb Fibre, +10Gb Fibre)
Software: 9.212-3
License: Full

lag0: 2x10GE Core Uplink to Cisco 4500-X VSS Cluster (trunk, all production vlans, works fine, stable) -> eth18+eth19
lag1: dedicated VLAN on Cisco 4500-X VSS Cluster (access mode, private VLAN, lacp mode active) -> eth10+eth11

I also have a premium support account, but the last time I waited some weeks for a response.

Does anyone in this board have a running cluster with sync over lag1?

Note: It makes no difference if I link the 2 nodes via the switches or directly. lag1 comes up, coloured green, but the cluster crashes.

Thanks a lot!

Blocking the orbit downloader

We have a Sophos SG450 at our institution. How can we block the Orbit downloader, since it's not in the application control? It consumes most of our bandwidth.

SUM 4: service is detected as faulty although it is OK

Good day,

we have added several Sophos UTM110 units to our Sophos UTM Manager. When we navigate to the dashboard and select the "Services" view, we see several gateways whose "services" are supposedly faulty.
On one firewall the DHCP service is reported as faulty. But it works flawlessly. If we switch this DHCP off, the service goes back to green in the SUM. (Confusing..)

On two other firewalls the Web Protection is reported as faulty. That is partly true. Web Protection was activated during the installation period (Full Guard). When the actual licence (without Web Protection) was applied, this service remained active in the background, but because the licence is missing it also cannot be switched OFF.

How do we get the non-existent errors passed on to the SUM?

Many thanks!

All components have already been restarted and have the current software versions.

Regards