Examining the firewall logs, I see that endpoint protection uses swi_service.exe which is attempting to communicate on port 80 to access some European AWS addresses. The UTM blocks the traffic by default. This seems like strange behavior. I would have expected the device to allow this traffic if Endpoint Protection is enabled.
I'd add that it seems odd that in 2017 an unencrypted connection is used for security applications. Why not https?
What's the best approach to dealing with this traffic?
I can add IP addresses to specific firewall rules, but this seems like a hack that will break the next time someone at Sophos changes an IP address.
Thoughts?
Sorry for the delay, and thank you for taking a peek.
2017:11:08-18:58:01 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59833" dstport="80" tcpflags="SYN"
2017:11:08-18:58:03 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59834" dstport="80" tcpflags="SYN"
2017:11:08-18:58:06 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59834" dstport="80" tcpflags="SYN"
2017:11:08-18:58:08 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59835" dstport="80" tcpflags="SYN"
2017:11:08-18:58:11 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59835" dstport="80" tcpflags="SYN"
2017:11:08-18:58:26 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59836" dstport="80" tcpflags="SYN"
2017:11:08-18:58:29 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59836" dstport="80" tcpflags="SYN"
2017:11:08-18:58:31 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59844" dstport="80" tcpflags="SYN"
2017:11:08-18:58:33 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59846" dstport="80" tcpflags="SYN"
2017:11:08-18:58:36 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59846" dstport="80" tcpflags="SYN"
2017:11:08-18:58:38 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59847" dstport="80" tcpflags="SYN"
2017:11:08-18:58:41 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59847" dstport="80" tcpflags="SYN"
2017:11:08-18:58:43 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59848" dstport="80" tcpflags="SYN"
2017:11:08-18:58:46 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59848" dstport="80" tcpflags="SYN"
2017:11:08-18:58:48 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59849" dstport="80" tcpflags="SYN"
2017:11:08-18:58:50 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59850" dstport="80" tcpflags="SYN"
2017:11:08-18:58:53 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59850" dstport="80" tcpflags="SYN"
2017:11:08-18:58:55 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59851" dstport="80" tcpflags="SYN"
2017:11:08-18:58:58 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59851" dstport="80" tcpflags="SYN"
2017:11:08-18:59:11 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59852" dstport="80" tcpflags="SYN"
2017:11:08-18:59:14 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59852" dstport="80" tcpflags="SYN"
2017:11:08-18:59:16 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59853" dstport="80" tcpflags="SYN"
2017:11:08-18:59:18 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59854" dstport="80" tcpflags="SYN"
2017:11:08-18:59:21 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59854" dstport="80" tcpflags="SYN"
2017:11:08-18:59:23 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59855" dstport="80" tcpflags="SYN"
2017:11:08-18:59:26 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59855" dstport="80" tcpflags="SYN"
2017:11:08-18:59:28 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59860" dstport="80" tcpflags="SYN"
2017:11:08-18:59:31 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59860" dstport="80" tcpflags="SYN"
The above is from the complete Firewall log.
Via Resource Monitor, I traced these packets to the program swi_service.exe
The destination address is an Amazon AWS server, so I'm assuming they are set up on elastic infrastructure and the list of IP addresses is always changing.
I'm consistently annoyed that the UTM doesn't manage this itself.
Perhaps I'm missing something.
Thanks for taking a look.
Regards,
Doug
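The log above is a run of identical "Packet dropped" entries that differ only in timestamp and source port: every packet is a bare SYN, the retries come a few seconds apart, and the same ephemeral port is often tried twice, which is what a client looks like when its outbound connection is being blocked rather than anything answering it. Below is an added example (not code from the original post and not Sophos's own) of a small parser for this ulogd key="value" format that groups dropped packets by source, destination, port and firewall rule and flags such SYN-retry bursts, so a log of this kind can be reduced to one summary line per blocked flow. The first three sample lines are taken from the log above; the fourth is a constructed line to a documentation-range address (198.51.100.7, port 443) so that a second, non-bursty group appears. Field names follow the log; the thresholds in is_syn_retry_burst are assumptions, not Sophos values.

```python
"""Summarise Sophos UTM (ulogd) packet-filter drop lines by flow.

Added example; assumes only the key="value" layout visible in the log.
"""
import re
from collections import defaultdict
from datetime import datetime

# "2017:11:08-18:58:01 wahine ulogd[4789]: key="value" key="value" ..."
_HEAD = re.compile(
    r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+?)\[(\d+)\]:\s*(.*)$'
)
_KV = re.compile(r'(\w+)="([^"]*)"')

# Sample input: three lines copied from the log in the post, plus one
# constructed line (dstip 198.51.100.7:443) to show a second flow.
SAMPLE_LINES = [
    '2017:11:08-18:58:01 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59833" dstport="80" tcpflags="SYN"',
    '2017:11:08-18:58:03 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59834" dstport="80" tcpflags="SYN"',
    '2017:11:08-18:58:06 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="54.154.104.137" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59834" dstport="80" tcpflags="SYN"',
    # constructed line, not from the post
    '2017:11:08-18:58:02 wahine ulogd[4789]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="10:bf:48:b9:86:45" dstmac="00:0e:c4:d0:7c:16" srcip="10.1.2.3" dstip="198.51.100.7" proto="6" length="52" tos="0x00" prec="0x00" ttl="127" srcport="59900" dstport="443" tcpflags="SYN"',
]


def parse_line(line):
    """Return a dict of fields for one ulogd line, or None if it does not match."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    ts, host, proc, pid, rest = m.groups()
    rec = dict(_KV.findall(rest))
    rec["timestamp"] = datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S")
    rec["host"], rec["process"], rec["pid"] = host, proc, int(pid)
    return rec


def summarise_drops(lines):
    """Group action="drop" records by (srcip, dstip, proto, dstport, fwrule)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "srcports": set(), "flags": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("action") != "drop":
            continue
        key = (rec.get("srcip"), rec.get("dstip"), rec.get("proto"),
               rec.get("dstport"), rec.get("fwrule"))
        g = groups[key]
        ts = rec["timestamp"]
        g["count"] += 1
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
        g["srcports"].add(rec.get("srcport"))
        g["flags"].add(rec.get("tcpflags"))
    return dict(groups)


def is_syn_retry_burst(group, min_count=3, max_window_seconds=120):
    """Heuristic (assumed thresholds): repeated SYN-only drops in a short window
    look like a client retrying a blocked connection, not a completed flow."""
    if group["flags"] != {"SYN"} or group["count"] < min_count:
        return False
    return (group["last"] - group["first"]).total_seconds() <= max_window_seconds


def report(lines):
    """One human-readable summary line per blocked flow."""
    out = []
    for (src, dst, proto, dport, rule), g in sorted(summarise_drops(lines).items()):
        tag = "SYN-retry burst" if is_syn_retry_burst(g) else "sporadic"
        out.append(f"{src} -> {dst}:{dport}/proto{proto} rule={rule} drops={g['count']} "
                   f"window={int((g['last'] - g['first']).total_seconds())}s "
                   f"srcports={len(g['srcports'])} [{tag}]")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LINES):
        print(line)
```

Run against the full log from the post, the report collapses the 28 entries into a single line for 10.1.2.3 -> 54.154.104.137:80 under rule 60002, flagged as a retry burst; that is the flow to look up against the endpoint vendor's published address ranges or to match in the UTM by hostname or DNS group rather than by individual IP, which is the point Doug makes about elastic addresses changing.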