This discussion has been locked.

Timed out Connection

Hi everyone

I'm getting a timed-out response from a specific web site. We know it is not a UTM issue, but we need to keep the UTM from showing the template with "Timeout during connection to server", "Connection Timed Out", "Timeout while reading response from Server" or "connection reset by peer" only for that site, because we know that server takes a long time to give a response and that's the way it is, so it's OK for us. We know it is maybe not the best practice, but that doesn't matter for us; it is not our server.

The web page is http://www.pace.sep.gob.mx and this one redirects (don't know why) to http://www.acuerdo286.sep.gob.mx/acuerdo286 and then goes back to http://www.pace.sep.gob.mx. We don't know why it works that way, but it is what it is.

Of course both sites are set in the Filtering options / exceptions with all the checks marked, so it is entirely skipping the filters and blocks. We also used the Skip Transparent Mode Destination Hosts/Nets, all that, but it didn't work.

The only way to make it work was to put the users' PCs in the Skip Transparent Mode Source Hosts/Nets; that is working fine. So I'd really appreciate it if someone could help us reach that goal without using the skip list.

Thanks for any help.



This thread was automatically locked due to age.
  • Those URLs test safe, but I get four reputation limit blocks on this URL, which appears to be a certificate revocation check: http :// crl.pki.goog/gsr2/gsr2.crl

    However, I do get a page to load without any errors, and without any special handling.

    Is Sophos wrong, or is the school using a compromised certificate company?

  • This morning, it occurs to me that a certificate revocation check only makes sense if a site uses https, but I have not seen any evidence that your target site uses encryption. I conclude that the site is infected, and UTM is protecting you from malware, even though your specific symptoms are different from mine. Suggest that you contact the site owner.

  • For

    With ^https?://([A-Za-z0-9.-]*\.)?\.fcmoodle\.televisioneducativa\.gob\.mx we are done, it is OK now.

    What you suggested didn't work. Then I used a different syntax for the skip list and that didn't work either. Then I tried something different: I got a good result when I set up Download Throttling with 2048 kbit/s for each source/destination pair, and that works. Right now I am using both solutions, skip list and throttling, but I think the solution was the throttling.

    So, the next one is another page but it's the same issue; I'm receiving an "error 404", not a Sophos error page.

    What is the difference between this ^https?://([A-Za-z0-9.-]*\.)?\.pace\.sep\.gob\.mx/Pace/login/

    and this

    ^https?://([A-Za-z0-9.-]*\.)?\.pace\.sep\.gob\.mx/

    Why am I asking? The first line works really fine, but the second did not. Why, if I only write (in any web browser) one part of the line, like – www.pace.sep.gob.mx –, doesn't it work? Why do I need to write the entire line in the skip list, "www.pace.sep.gob/pace/login"? Shouldn't the second option work? Why does the UTM show a response like timed out or connection reset by peer, etc.?

    So, sorry if I'm asking something weird or unusual, but I keep my original concern: how can I disable those messages, "timed out", "connection reset", in the UTM, or even better, can I edit them to a Spanish response?

    Let me explain: we know it's not our problem, it's the way that page works, but the problem is turning into big trouble for me because the users only see a SOPHOS message and they don't understand what it means, so they are calling me to solve a problem which is something I cannot.

    I prefer to just avoid those messages for that particular list or page! By the way, where can I find a "how to" for the correct syntax in the exception list? Maybe I'm missing something with that. Thanks and regards

    For Douglas Foster

    1) IPS didn't show any trouble.

    2) What is the difference between working with a skip list with all the checks marked and only skipping the antivirus protection for this page? Remember, the list I'm using has the entire skip list marked.

    3) Talking just about us, we are using a good certificate. I don't know about them!

    4) About the infected site issue, we (and I mean several other schools, not just us) contacted that site and complained about it, but we have had no response.

    Sorry for any late response, but this whole school is in maintenance mode, and we are running like crazy people with a lot of stuff.

    Really appreciate your help, guys!

  • Unix-based web servers may be case-sensitive, so "Pace" and "pace" may be different. UTM is Unix-based, so it may also be case-sensitive in its exception matching. Beyond that, I have not analyzed your regex expressions, because there is an easier solution.

    If you want to apply an exception to everything related to *.pace.sep.gob.mx, the easiest solution is to create a website override for pace.sep.gob.mx, and check the box to include subdomains.   Then apply a user-defined tag to that website.   Finally, create an exception that applies to traffic going to sites with that tag.

    Regex is difficult to get right -- too easy to have unintended allows, too easy to have unintended blocks, and too hard for your successors to understand what you have done.  Tags fix all of that, and the name of the tag can be used to explain its purpose. 

  • With the exception of doing an exception with a tag, I have already done all that you suggest, even set up two lines, one with the main site (including the subdomains check) and another with the subdomain included in the expression and also the check for subdomains in that too, so two lines for the same goal.

    I'm going to do the tag solution and see what we get. That kind of solution is new for me, so thanks so much!

  • OK guys, we tested the tag solution (thanks Balfson) and it looks like it's working. We waited all this time for testing, and this is just to finish this case and say thanks to everyone.

  • LuisApodaca said:

    What is the difference between this ^https?://([A-Za-z0-9.-]*\.)?\.pace\.sep\.gob\.mx/Pace/login/

    and this

    ^https?://([A-Za-z0-9.-]*\.)?\.pace\.sep\.gob\.mx/

    Why am I asking? The first line works really fine, but the second did not. Why, if I only write (in any web browser) one part of the line, like – www.pace.sep.gob.mx –, doesn't it work? Why do I need to write the entire line in the skip list, "www.pace.sep.gob/pace/login"? Shouldn't the second option work? Why does the UTM show a response like timed out or connection reset by peer, etc.?

    BTW, there are several things.  Some of this might just be how you copied it in.

    You have case mismatch as well as a difference if it is .sep.gob/pace or .sep.gob.mx/pace

    But...  neither regex would work as written, you required a period twice.

    you had:

    ^https?://([A-Za-z0-9.-]*\.)?\.pace\.sep\.gob\.mx/

    better:

    ^https?://([A-Za-z0-9.-]*\.)?pace\.sep\.gob\.mx/

    Inside the bracket you had a required period for the subdomain, but then you also had it outside the bracket. Inside the bracket is better, because it also will match when there is no subdomain at all.

    As was stated, RegEx is complex and can be error prone.

  • Hi Michael

    Thanks for the answer. I already made the change in the syntax and I think it's working even better.

    BTW, where can I find a manual or a how-to to get a better knowledge of this syntax?

    So, thanks, I think this is a really helpful response.

  • 3 answers:

    1 - Copy the out-of-box regex as much as you can. They are built correctly to prevent unintended matching and to be efficient.

    2 - This KB article, which is... not wrong but in my opinion not always the best. https://community.sophos.com/kb/en-us/117316

    3 - Sites like https://www.regular-expressions.info/ and text editors like EditPad (made by the same people, but there are lots of others out there).

    I personally used EditPad to determine the problem.  You can put that regex directly into the search, tell it to highlight matching lines, then just have a line with the URL.  It makes it easy to modify the regex and see which URLs match.
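The test-against-a-list-of-URLs approach described above, applied to the double-period problem pointed out earlier in the thread, as an added example that is not part of the original posts. It uses Python's `re` module on the assumption that it treats these constructs the same way the UTM does; the sample URLs and the `LOGIN_ONLY` pattern are constructed for illustration.

```python
import re

# Patterns from the thread: as posted (note ")?\." before "pace") and as corrected.
AS_POSTED = r"^https?://([A-Za-z0-9.-]*\.)?\.pace\.sep\.gob\.mx/"
CORRECTED = r"^https?://([A-Za-z0-9.-]*\.)?pace\.sep\.gob\.mx/"
# Assumption: the corrected host part with the thread's login path appended.
LOGIN_ONLY = CORRECTED + r"Pace/login/"

# Constructed sample URLs, one per line as you would paste them into a regex tester.
SAMPLE_URLS = [
    "http://www.pace.sep.gob.mx/",
    "http://pace.sep.gob.mx/Pace/login/",
    "http://www.pace.sep.gob.mx/pace/login/",
    "http://www..pace.sep.gob.mx/",           # doubled dot: the only shape AS_POSTED accepts
    "http://notpace.sep.gob.mx/",             # different host that ends with the same text
    "http://pace.sep.gob.mx.example.net/",    # target name as a prefix of another domain
    "http://example.net/?u=http://pace.sep.gob.mx/",  # target name inside a query string
]


def matching(pattern, urls=SAMPLE_URLS):
    """Return the URLs the pattern matches (Python re is case-sensitive by default)."""
    rx = re.compile(pattern)
    return [u for u in urls if rx.search(u)]


def report(patterns):
    """For each sample URL, record which of the named patterns match it."""
    hits = {name: set(matching(p)) for name, p in patterns.items()}
    return [(url, {name: url in hits[name] for name in patterns})
            for url in SAMPLE_URLS]


if __name__ == "__main__":
    pats = {"as_posted": AS_POSTED, "corrected": CORRECTED, "login_only": LOGIN_ONLY}
    for url, result in report(pats):
        marks = " ".join(f"{n}:{'Y' if ok else '-'}" for n, ok in result.items())
        print(f"{marks}  {url}")
```

The look-alike hosts and the query-string case stay unmatched by the corrected pattern because of the `^` anchor and the `/` required directly after `mx`, which is the "unintended allows" concern raised about hand-written exceptions.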

  • You can Google regular "expression" to find tutorials, Luis, as well as tools like RegEx Tester.

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA