
Outbound TCP Rule

I am using Sophos Enterprise Console version 5.2.1.197 on a Windows based server.

I am having problems getting the outbound TCP rule to work without generating firewall events.

A sample firewall event would be:

Event type:  No global rule

Direction:  Outbound

Protocol:  TCP

Remote Port:  80

Remote Address:  54.177.147.99

I have set up a global rule called Outbound TCP Rule which is a high priority rule.  The settings for this rule are:

Protocol:  Stateful TCP

Direction:  Outbound

Remote Address:  *.*.*.*

Local address:  Local network

Remote Port:  HTTP, HTTPS

Allow

Can someone please explain why firewall events are still being generated with this rule in place?  I have tried to make the allowed connection as broad as possible in an attempt to see where the problem may be coming from, but so far no luck.

To the best of my knowledge, there are no other conflicting rules.

I apologize in advance for being generally competent with Sophos, but I am certainly no expert in this area.

Any assistance would be greatly appreciated.

Thank you!



  • Hello Terry,

    before going into the details I'd like to reassure myself that I understand the whole picture and ask for some additional information: SCF is apparently working (if perhaps not as expected), users can browse with no events being generated (and the client log showing the allowed connection with Outbound TCP Rule, or whatever its name, as the reason), but you get this unexplainable No global rule? I also see at the bottom of the screenshot an event for TCP IN from a private address, which seems a little bit odd. What modifications did you make to the default policy, BTW? Last but not least - which Windows version is on the endpoints?

    Event ID 4672 ... Sophos as the related program

    4672 does AFAIK not list a program. It is usually issued when AutoUpdate checks for updates (are you updating from a UNC or a HTTP location?) and logs on the SophosSAUcomputername0 account (you should be able to correlate these events with the update times from the updating log). Which is first (i.e. earlier) - the Security or the SCF event?

    Anyway - are these connection attempts eventually blocked or allowed (you'd have to check the client log on the endpoint)? The other events around this time (whether block or allow) might hint at what's actually going on.

    So far I don't see an error on your side - but then, there are still some pieces missing. Do all your clients report this event (and how frequently)? If not - could the few have something in common? One thing to try though - uncheck (remove) the local address from the rule; it shouldn't make a difference, but who knows.

    Christian

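A constructed rule-matching model of the rule and event quoted above, added here as an illustration and not code from Sophos or from anyone in this thread. It assumes a definition of "Local network" (RFC 1918 ranges) and invents the local and IPv6 addresses it tests with; it shows which single field of an otherwise matching rule can leave a connection uncovered, and why unchecking the local address is a useful diagnostic step.

```python
import ipaddress

# Constructed model of the global rule described in the original post.
OUTBOUND_TCP_RULE = {
    "name": "Outbound TCP Rule",
    "protocol": "TCP",
    "direction": "Outbound",
    "remote_address": "*.*.*.*",       # any IPv4 remote address
    "local_address": "Local network",  # restricts the local side
    "remote_ports": {80, 443},         # HTTP, HTTPS
    "action": "Allow",
}

# Assumption: "Local network" is modelled as the RFC 1918 ranges. The real
# definition lives on the endpoint, which is why this field is worth checking.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed event, matching the one quoted in the post, with an assumed
# local address (the quoted event does not show one).
SAMPLE_EVENT = {"protocol": "TCP", "direction": "Outbound",
                "remote_port": 80, "remote_address": "54.177.147.99",
                "local_address": "192.168.1.20"}


def matches(rule, event, local_networks=LOCAL_NETWORKS):
    """True when every field of the rule covers the event."""
    if (rule["protocol"], rule["direction"]) != (event["protocol"], event["direction"]):
        return False
    if event["remote_port"] not in rule["remote_ports"]:
        return False
    remote = ipaddress.ip_address(event["remote_address"])
    if rule["remote_address"] == "*.*.*.*":
        if remote.version != 4:      # an IPv4 wildcard does not cover IPv6
            return False
    elif str(remote) != rule["remote_address"]:
        return False
    if rule["local_address"] == "Local network":
        local = ipaddress.ip_address(event["local_address"])
        if not any(local in net for net in local_networks):
            return False
    return True


def evaluate(rules, event):
    """First matching global rule wins; no match is the 'No global rule' event."""
    for rule in rules:
        if matches(rule, event):
            return rule["action"], rule["name"]
    return "No global rule", None


def without_local_restriction(rule):
    """The suggested test: the same rule with the local address unchecked."""
    return {**rule, "local_address": "Any"}
```

Feeding the model a local address outside the assumed local networks (for example an address on a VPN adapter) or an IPv6 remote reproduces the No global rule outcome while the rule is otherwise satisfied, which is the kind of field-by-field comparison to make against the endpoint's client log.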