Channel: Sophos User Bulletin Board
Viewing all 14361 articles

Some Internet Radio still blocked when AV Scanning enabled on UTM

Hi everyone,

I have streaming radio allowed on my UTM appliance and people have no problems with things like Pandora, but a few radio stations seem to not work. If I disable Antivirus scanning in the web filtering, everything works fine.

The specific radio site in question is:
77 WABC Radio

I tried adding that as an exception and that didn't resolve it. Most likely the stream is coming from some other embed. Could any experts weigh in on how to solve this? Or perhaps give me a list of URLs I need to allow for that one particular site. Thanks!

Pinterest

Has anyone found all the domains required to block Pinterest?
I've done some googling, but have not found anything useful.

I need to filter the traffic for both their webpage and iOS application.
It has to be a manually created rule. I can't use the Social Media category.

Thanks.

Chris

Block internet for wireless device

Was thinking about coming back to Astaro. I was wondering if I could set up Astaro to block all internet access for a certain device based on a schedule.

QoS overall bandwidth question.

I am working on setting up my VoIP interface for QoS. I read this post on QoS in the forum. (Preqeqs #2)

Quote:

The proper setting is the amount of bandwidth that you are paying for from your ISP, for both up and down. For example, if you are paying for 20Mb of Internet speed up and down, you would set this value to 20480 kilobits in both directions up and down.

Under Status I have 4 interfaces.
I have 50Mbit/50Mbit Internet.

Question 1:

Do I divide my 50 Mbit between each interface? (For now only the VoIP interface will use QoS.) Or do I put that for each one? I am guessing each one will be 50/50 as they will "talk" to maintain a balance... or am I mistaken?

Question 2:

Under the Bandwidth Pool I have my bandwidth set to 256kbits and an upper limit of 512. What do you think of these settings? (I am using OOMA and I have read it only needs 40 each direction. I have some bandwidth to spare so I went high.)

Just a note on that post from above:

The settings must have changed over time. This is now in mbit/sec so there is no need to multiply by 1024. If you are on 50 megabit connection, just put in 50 for each field.

For a test I took my 50 * 1024 and it does not like the number. It is too big.

URGENT - Can't get DHCP started on my Astaro Firewall appliance

Gurus,

I'm unable to connect to my Astaro Firewall via WebAdmin and it isn't assigning IPs. I tried to restart DHCP and receive the following error.

/var/mdw/scripts/dhcpd start
no iterfaces as arguments found in file /tmp/dhcpd-interfaces
{ failed }

Any help would be greatly appreciated.

What is going on?

Hi All,

I have one that is just beyond any explanation for me. Scenario.

Remote Users - PPTP - UTM 9.313-3 - Internal Network

Remote Users who log in via VPN are able to ping all hosts behind the router except just one! In the firewall logs I see only default drop fw rule 6002 for this host. Nothing in ATP or IPS....

When all security is disabled, UTM still drops packets to this one specific host! This happens only if I use PPTP, i.e. IPsec traffic to this host is not blocked.

Yes, the host has got correct gateway!

Obviously I did check all the rules and I am not able to trace anything. Any ideas please?

Thanks

Windows Update Error 80072f8f

Hi,

we are using Sophos Web Appliance v4.0.2.3 and couldn't use Windows Update. It always fails with error code 80027f8f. I installed the root CA from the appliance to the computer account root CA store and also tried to disable HTTPS scanning and certificate validation. But nothing helps.
Does anyone have a hint for us?
Thanks

Local DNS Behaviour

So I've run into a problem using local DNS resolution with Sophos UTM 9.313.

The network is 1 internal subnet ( 192.168.55.0/24 ) and has four external IP addresses. The web server is located at 192.168.55.25. In order to support applications that require websockets, I have used one of the four external IP addresses as a passthrough ( we'll call it xx.xx.xx.xx; port 80 / 443 are routed / NAT / firewalled directly to 192.168.55.25 ) and another external IP ( say yy.yy.yy.yy ) is set up with WAF applications.

Here's the issue: When using local DNS entries, Sophos appears to assign wildcard matching status even when no wildcard is specified. Thus, the setup is seen as:

computer.name.local
Reverse DNS -> Checked
Additional Host names:
domain.name
www(dot)domain.name
sub1.domain.name
sub2.domain.name
sub3.domain.name

All of these domains are hosted on the external IP that points directly to the webserver ( xx.xx.xx.xx ), so in order for them to work internally ( due to the routing issues mentioned elsewhere on these boards ) internal DNS must be configured ( preferred ) or a full NAT setup to allow proper redirection.

The domains all work fine, until you try to access the WAF on the alternate external IP address ( yy.yy.yy.yy ). Then things go bad. For example, I type in sub4.domain.name which is hosted on yy.yy.yy.yy instead of xx.xx.xx.xx, and my browser tells me it cannot resolve the domain. Okay, odd, start troubleshooting. The problem goes away as soon as I remove the non-sub address.

In other words, the host entry now looks like:

computer.name.local
Reverse DNS -> Checked
Additional Host names:
www(dot)domain.name
sub1.domain.name
sub2.domain.name
sub3.domain.name

Now, both xx.xx.xx.xx and yy.yy.yy.yy hosted domains work, but on the internal network I can no longer resolve domain.name. The easiest solution would be to set up domain.name and www(dot)domain.name on the WAF so that both resolve, but the WAF still does not support websockets in 2015 without modifications that do not persist across reboots of the Sophos UTM ( see here regarding feature requests about websockets ). Another solution would of course be to set up an actual dedicated internal DNS server, but that seems pretty heavy handed for what I require ( only a few addresses ).

I guess my question then is, is this the expected behaviour? Is not including a subdomain in the DNS resolution of Host objects on a Sophos UTM supposed to be the same as specifying a wildcard address?

Remote Syslog stops working

I have remote syslog working fine, but if the rsyslog destination host gets rebooted, or is unavailable for any time, then the remote syslog'ing stops working.

I have to go back into UTM and turn Remote Syslog off/on again before it will recommence working.

Anyone else seen this behaviour? :confused:

Backup Server Isolation

I have a backup server that our other servers need to access via FTP for nightly backups. I also want to RDC into the server as needed, preferably only allowing one of our main servers RDC capabilities.
I was wondering what the best practice would be for this?

1. Should I connect our backup server to an unused interface and only open port 23 and the RDC ports on that interface?
2. Can I just create a rule to allow the ports I want in the firewall, then below that rule block all traffic to the IP of the backup server?

I currently have the backup server on its own subnet outside the subnet mask of other computers on our network and have a 2nd interface on one of our servers with an IP inside the subnet of the backup server to access it, but on the current configuration our other servers aren't able to back up to it.

Any suggestions?

Filter rule does not update if a contained network group has changed

Hi,

don't know what's going on. I've some filter rules which allow external access to our internal server via Server Load Balancing (kind of DNAT). NAT works fine but we don't use Automatic filter rules because we only want to allow certain external IPs or ranges to access it.

So we have rules like this

WebApp-Whitelisted-IPs -> HTTPS -> Internal Server (whereas Internal Server is really the internal IP, since NAT made the rest)

"WebApp-Whitelisted-IPs" contains several network definitions like DNS Groups, Hosts and Network Ranges. When I enable that FW rule, everything works.

BUT: When I add/remove a definition from that ->network group<- "WebApp-Whitelisted-IPs", the filter rule is not being updated, which means that when I add another external IP which should be allowed to access the internal server, the access is not granted. I manually have to disable and re-enable that whole filter rule for the network group changes to take effect. The same for removing definitions from that group.

I can reproduce that problem any time. When I don't use a network group but add all those definitions on their own to the FW rule and then add/remove definitions from the rule, it works without disabling/enabling it.

Seems like a bug to me!?

Verify SSL VPN user profile

Situation:

We have different SSL VPN profiles. One for our regular users, one for our system administrators. The system administrator profile obviously has more permissions than the regular users. However, system admins are not able to connect to the management VLAN, for example. When I take a look into the firewall logs the packets are dropped by the default drop, so no rule matches. Of course I have automatic firewall rules checked at the profiles.

Is there a way to verify that the user is connected to the right VPN profile? From this point this is most likely the error code.

Camera Available to WAN

Hello, I have a Sophos UTM 320 and I am trying to open an HTTP stream from a PTZ camera.

Ideally it would be available to control from my LAN, and only viewable from the internet. However, it would also work if it is only available from the internet. I could then log in to control the camera from the web and anyone needing to see the video stream could use a guest or predefined username/password.

I have an available static IP address from our ISP.

I don't know how to route the internet sourced traffic to the destination of the camera and return the stream to the internet.

Also, the camera streams over HTTP, our VLC stream looks like this:
http://guest:guest@192.168.1.101:88/...MJPEG&channel=[1]

tagged & untagged vlan on same interface

Hello,
quick question:
Does UTM support tagged & untagged on the same interface?
I ask this because if I add a VLAN interface (with tag 2, for example) to a certain ETH interface (let's say ETH0), the standard eth interface (untagged) doesn't change at all.

If I infer correctly, then traffic through eth0 will be untagged and traffic through the VLAN interface will leave eth0 with VLAN tag 2.

Is this working like that? (I hope so.)

Telekom Speedlink 5501 fixed IP

As part of an IP migration I will shortly be receiving the modem/router named in the subject. It is also to be used for VoIP; for the fixed IP that I ordered with it I would prefer to use a UTM, and ideally the UTM should also establish the Internet connection, but that is where it bites: either the UTM or the router makes the connection, if I have researched this correctly.

So how do I arrange it so that one can dial in from outside via the router into the UTM by VPN?

Has anyone ever managed this with this setup?

Alternatively, is there the possibility of getting hold of a modem, having the UTM establish the IP connection, and then connecting the Speedlink to the LAN port of the UTM so that it handles VoIP?
Here I see the difficulty that there surely has to be a direct WAN connection without masquerading or NAT for the VoIP to DTAG?

Weak Diffie-Hellman (DH) key exchange parameters?

Hi
I tested my domain SSL setup at https://www.ssllabs.com

I got points deducted for
"This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B."

Is there a way to disable support for this?

VLAN on a Sophos UTM 9.3 on ESXi

Hello,

I would like to put the WLAN clients, together with the fixed PC clients, into a different VLAN of their own from the one the APs are in. For that I select the option "bridge into VLAN" and enter the VLAN ID. For this a VLAN is created on one interface on the Sophos. This interface is also created on the vSwitch (ESXi), there without a tag.

However, the client does not find a DHCP server, although one is reachable in this VLAN on the Sophos. The NICs are created on ESXi with the VLAN IDs and passed through to the Sophos. I have not yet managed to set up a VLAN only on the Sophos.

How do I arrange it so that the VLAN tag is passed on from the Sophos via ESXi to the switch?

(I was able to play around briefly with an old PC; it works there. So it presumably has something to do with the virtualisation of the Sophos.)

Regards
Andreas.


UPDATE:
At least the wired LANs now work. On ESXi a trunk port with VLAN ID 4095 has to be created. On this, several Ethernet VLANs can then be created in the Sophos. The wired devices get the correct addresses by DHCP from the corresponding VLAN on the Sophos, according to the PVID on the switch.

Only the WLAN clients unfortunately do not. What am I doing wrong?

max speed of the utm 110/120

Hello all,

from my work I received a UTM 120 that I can use at home, which works OK; however,

I had a bandwidth upgrade to 1000 mb/s ( I love fiber :) )
so the testing began, and even tweaking the UTM, I don't seem to get more speed than around 60 MB/s internal, and 40 - 50 MB/s over WAN.

( also tested with a wget to /dev/null )

This is when everything is turned off: no IPS, no proxy, no advanced features.
I only have the webserver protection running.

The only change I made to the UTM is that I changed the business licence to a home licence.

I would expect to get more, or can someone here confirm that this device isn't capable of more speed?

With kind regards,

Peter

WLAN client in a different VLAN from the APs (bridge into VLAN)

Hello,

I want to have the APs in VLAN 10 and the WLAN clients in VLAN 20, because my other PC clients are there as well. The PC clients in VLAN 20 get their IPs from the DHCP of VLAN 20 on the Sophos. That works.

Now I have enabled VLAN tagging on the APs and entered ID 10. I also added the WLAN, where "bridge into VLAN" to ID 20 is enabled. On the switch the port for the AP is tagged for VLAN 10. I also temporarily hung the AP on an untagged port that passes the AP into the internal LAN of the Sophos so that it can fetch a configuration.

From the help:

Quote:

Note – To use VLAN with the access points in your network, proceed as follows: connect the AP to the UTM via the standard LAN for at least one minute. This is necessary so that the AP can fetch its configuration. If the AP were connected via VLAN right away, it would not know that it is in a VLAN and therefore could not connect to the UTM to receive its configuration. Once the AP is displayed, enable VLAN tagging and enter the VLAN ID. Then connect the AP to the intended VLAN, for example a switch.

Unplugged it again after about 5 minutes and connected it to the tagged port. The IP address of the AP correctly comes from VLAN 10.

The WLAN is also seen by the smartphone; only obtaining an IP fails. Since the PCs in VLAN 20 get an IP, the DHCP server on the Sophos is ruled out as the cause.

But what do I have to do differently?

Regards
Andreas.

ESPN Ads blocked as P0rn

Code:

2015:07:14-23:27:52 larrnet httpproxy[26190]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="192.168.0.109" dstip="" user="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3633" request="0x12e2f000" url="http://m1.fwmrm.net/m/1/87146/95/1814367/4187369/SEA_ad_150610_SPEEDSTICK_JAHLILOKAFOR_15/SEA_ad_150610_SPEEDSTICK_JAHLILOKAFOR_15_layer7_48000/SEA_ad_150610_SPEEDSTICK_JAHLILOKAFOR_15_layer7_48000_0.ts" referer="" error="" authtime="0" dnstime="0" cattime="614" avscantime="0" fullreqtime="2002" device="0" auth="0" ua="AppleCoreMedia/1.0.0.12H143 (iPad; U; CPU OS 8_4 like Mac OS X; en_us)" exceptions="" country="United States" reason="category" category="149" reputation="neutral" categoryname="****ography"

Watching ESPN on an iPad.
The pre-load of the commercial is blocked due to category, P0rn****...
If you pull down the .ts file it's a commercial.

Is there somewhere to report the mis-categorization, or is it the domain in general that could be serving up blocked content?

Anybody else seeing this?

Thanks in advance.
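To review log lines like the one quoted above, it helps to parse the UTM httpproxy key="value" format rather than eyeball it. This is an added example, not code from Sophos or from the post; the sample line is constructed from the post's log line with the long ad URL shortened.

```python
import re
from typing import Dict, List

# Constructed sample: the httpproxy line quoted in the post above, with the
# ad URL trimmed. Not output from any real appliance in this example.
SAMPLE_LOG = (
    '2015:07:14-23:27:52 larrnet httpproxy[26190]: id="0060" severity="info" '
    'sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" '
    'action="block" method="GET" srcip="192.168.0.109" dstip="" user="" statuscode="403" '
    'url="http://m1.fwmrm.net/m/1/87146/SEA_ad_150610_SPEEDSTICK_15_layer7_48000_0.ts" '
    'ua="AppleCoreMedia/1.0.0.12H143 (iPad; U; CPU OS 8_4 like Mac OS X; en_us)" '
    'reason="category" category="149" reputation="neutral" categoryname="****ography"'
)

# Fixed prefix: timestamp, hostname, process[pid]: then the key="value" body.
_PREFIX = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$')
# Values may contain spaces, parentheses and semicolons (see ua=), so key on the quotes.
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_httpproxy_line(line: str) -> Dict[str, str]:
    """Split one UTM httpproxy line into a flat dict of prefix + key/value fields."""
    m = _PREFIX.match(line.strip())
    if not m:
        raise ValueError("not an httpproxy line")
    fields = {k: v for k, v in _KV.findall(m.group("body"))}
    fields.update({k: m.group(k) for k in ("ts", "host", "proc", "pid")})
    return fields


def category_blocks(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only requests blocked on URL category, reduced to what a reviewer needs
    to judge a possible mis-categorisation: who, which host, which category."""
    out = []
    for line in lines:
        f = parse_httpproxy_line(line)
        if f.get("action") == "block" and f.get("reason") == "category":
            host = re.sub(r'^https?://([^/]+).*$', r'\1', f.get("url", ""))
            out.append({"ts": f["ts"], "srcip": f.get("srcip", ""), "host": host,
                        "category": f.get("category", ""),
                        "categoryname": f.get("categoryname", ""),
                        "ua": f.get("ua", "")})
    return out


if __name__ == "__main__":
    for rec in category_blocks([SAMPLE_LOG]):
        print(rec["ts"], rec["srcip"], rec["host"], rec["category"], rec["categoryname"])
```

Feeding a day's httpproxy log through category_blocks groups the blocked hosts by category, which is what you would attach to a categorisation report for the vendor.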