
Outbound TCP Rule

I am using Sophos Enterprise Console version 5.2.1.197 on a Windows based server.

I am having problems getting the outbound TCP rule to work without generating firewall events.

A sample firewall event would be:

Event type:  No global rule

Direction:  Outbound

Protocol:  TCP

Remote Port:  80

Remote Address:  54.177.147.99

I have set up a global rule called Outbound TCP Rule which is a high priority rule.  The settings for this rule are:

Protocol:  Stateful TCP

Direction:  Outbound

Remote Address:  *.*.*.*

Local address:  Local network

Remote Port:  HTTP, HTTPS

Allow

Can someone please explain why firewall events are still being generated with this rule in place?  I have tried to make the allowed connection as broad as possible in an attempt to see where the problem may be coming from, but so far no luck.

To the best of my knowledge, there are no other conflicting rules.

I apologize in advance for being generally competent with Sophos, but I am certainly no expert in this area.

Any assistance would be greatly appreciated.

Thank you!

  • Hello LookOut,

    which SESC/SCF version and which Windows version on the endpoint? I've added such a rule (although one normally doesn't specify a local address) and it is triggered correctly. Do you use a secondary location?

    Christian 

  • Christian,

    Thank you for the reply.

    I am using version 10.3 of SESC and version 5.2.1.197 of SEC.

    This is running on Windows SBS 2011.

    Any suggestions would be appreciated.

    Just out of curiosity, I ran a "whois" search for the IP addresses that generated the firewall events.  Every one of these addresses is owned by Amazon.com.

    I'm not sure what that means, but it is definitely not a coincidence.

    Terry

  • Hello Terry,

    running on Windows SBS 2011

    this isn't the endpoint, is it? SCF is not available for server grade OSs.

    Thinking about it - No global rule is an odd result. Do you use application checksums? Which activity triggers these events? owned by Amazon.com - the address you've posted resolves to an amazonaws.com name, part of Amazon's cloud services, nothing unusual, used by many vendors including Sophos.

    Christian

  • Christian,

    All of the information I have provided is from the Sophos Enterprise Console running on the server.

    The current configuration is not using Checksums.

    I am not sure what activity triggers these events.  I have included a screen shot of the Firewall Event Viewer.  Is there another place to look to see what application is involved with these events?

    Thank you very much for all your help.

    Terry

    Event Viewer.png

  • Hello Terry,

    it's the OS of the endpoint sending the alerts which might be relevant.

    Anyway, I think the No global rule is only issued when no application is involved, i.e. the connection is made by "system" (wonder where it wants to connect to and what it could be). Still this does not explain the event assuming the rule is active. How many endpoints are generating these events? Did you check that the endpoints comply with the policy and the rule is configured (and enabled) on them?

    Christian

  • Christian,

    Just out of curiosity, I checked the firewall events for one particular computer and compared that to the Event Viewer of that same computer.  For each Sophos firewall event (outbound TCP), Windows created an entry in the Event Viewer at virtually the same time (within a few seconds of each other).

    Each event was logged as Event ID 4672 (Special Logon) and the details section showed Sophos as the related program.

    Is the "No global rule" event related to something that Sophos itself is doing?

    Almost all of the computers on our network have logged a firewall event with the "No global rule" for outbound TCP.

    I double checked to see where the endpoints were getting their updates and each computer points back to the server.

    Any thoughts?

    Thank you for sticking with me on this problem.

    Terry

  • Hello Terry,

    before going into the details I'd like to reassure myself that I understand the whole picture and ask for some additional information: SCF is apparently working (if perhaps not as expected), users can browse with no events being generated (and the client log showing allowed connections with Outbound TCP Rule, or whatever its name, as the reason) but you get this unexplainable No global rule? I also see at the bottom of the screenshot an event for TCP IN from a private address which seems a little bit odd. What modifications did you make to the default policy, BTW? Last but not least - which Windows version is on the endpoints?

    Event ID 4672 ... Sophos as the related program

    4672 does AFAIK not list a program. It is usually issued when AutoUpdate checks for updates (are you updating from a UNC or a HTTP location?) and logs on the SophosSAUcomputername0 account (you should be able to correlate these events with the update times from the updating log). Which is first (i.e. earlier) - the Security or the SCF event?

    Anyway - are these connection attempts eventually blocked or allowed (you'd have to check the client log on the endpoint)? The other events around this time (whether block or allow) might hint at what's actually going on.

    So far I don't see an error on your side - but then, there are still some pieces missing. Do all your clients report this event (and how frequently)? If not - could the few have something in common? One thing to try though - uncheck (remove) the local address from the rule; it shouldn't make a difference, but who knows.

    Christian

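Terry's comparison of the Sophos firewall events against the endpoint's Security log, and Christian's suggestion to check which of the two events comes first and to correlate the 4672 logons with the SophosSAU* update account, are both a time-window correlation job. The script below is an added example, not code from the thread or from Sophos: it reads two constructed, tab-separated sample logs (the column layout is an assumption, not the real Sophos or Windows export format), pairs each "No global rule" event with any 4672 event for an account starting with a given prefix within a few seconds, and reports which side fired first. The hostname part of the SophosSAU account name is a placeholder.

```python
from datetime import datetime

# Constructed sample Sophos firewall events (not a real export). Columns:
# timestamp, event type, direction, protocol, remote address, remote port
SOPHOS_LOG = """\
2014-03-10 09:15:02\tNo global rule\tOutbound\tTCP\t54.177.147.99\t80
2014-03-10 09:15:03\tNo global rule\tOutbound\tTCP\t54.177.147.99\t443
2014-03-10 11:40:30\tNo global rule\tOutbound\tTCP\t203.0.113.5\t80
"""

# Constructed sample Windows Security log entries. Columns:
# timestamp, event ID, account name ("WS01" is a placeholder hostname)
WINDOWS_LOG = """\
2014-03-10 09:14:59\t4672\tSophosSAUWS010
2014-03-10 10:00:00\t4672\tSYSTEM
2014-03-10 11:40:45\t4672\tSophosSAUWS010
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_sophos(log):
    """Parse the constructed firewall-event format into dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, etype, direction, proto, raddr, rport = line.split("\t")
        events.append({"time": _ts(ts), "type": etype, "direction": direction,
                       "protocol": proto, "remote_addr": raddr,
                       "remote_port": int(rport)})
    return events


def parse_windows(log):
    """Parse the constructed Security-log format into dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event_id, account = line.split("\t")
        events.append({"time": _ts(ts), "event_id": int(event_id),
                       "account": account})
    return events


def correlate(fw_events, sec_events, window_seconds=10,
              event_id=4672, account_prefix="SophosSAU"):
    """Pair each firewall event with Security events of the given ID and
    account prefix that fall within +/- window_seconds of it.

    offset_seconds is (security time - firewall time): negative means the
    Security event was logged first, positive means the firewall event was.
    """
    results = []
    for fw in fw_events:
        matches = []
        for sec in sec_events:
            if sec["event_id"] != event_id:
                continue
            if not sec["account"].startswith(account_prefix):
                continue
            offset = int((sec["time"] - fw["time"]).total_seconds())
            if abs(offset) <= window_seconds:
                matches.append({"event_id": sec["event_id"],
                                "account": sec["account"],
                                "offset_seconds": offset})
        if not matches:
            order = "no_match"
        else:
            nearest = min(matches, key=lambda m: abs(m["offset_seconds"]))
            if nearest["offset_seconds"] < 0:
                order = "security_first"
            elif nearest["offset_seconds"] > 0:
                order = "firewall_first"
            else:
                order = "same_second"
        results.append({"firewall": fw, "matches": matches, "order": order})
    return results


def summarize(results):
    """Count how many firewall events had at least one correlated logon."""
    correlated = sum(1 for r in results if r["matches"])
    return {"correlated": correlated, "uncorrelated": len(results) - correlated}


if __name__ == "__main__":
    rows = correlate(parse_sophos(SOPHOS_LOG), parse_windows(WINDOWS_LOG))
    for r in rows:
        fw = r["firewall"]
        print(fw["time"], fw["type"], "->",
              f"{fw['remote_addr']}:{fw['remote_port']}", r["order"], r["matches"])
    print(summarize(rows))
```

With the default 10-second window the third firewall event stays uncorrelated because its nearest SophosSAU logon is 15 seconds later; widening the window to 20 seconds pairs it and reports the firewall event as first. Events that only correlate when the window is stretched are the ones to treat with suspicion, since a loose window will eventually pair anything with the periodic update logon.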