I use Sophos UTM 9 and alongside this I use Arlo Netgear cameras.
Netgear say they only need port 80 and 443 open, and all is fine when Web Filtering Standard Option is turned on. As soon as you switch this to Transparent mode, the playback of Live Streaming (which used Flowplayer and Amazon services) stops working. You can use all other functions, just live playback fails with the onscreen error message that the cameras have gone offline.
I have tried setting up an exception as follows
and also put arlo.netgear\.com and subdomains as a trusted site but nothing seems to work.
The weblog only shows the following
2016:01:05-22:29:27 utm httpproxy: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.22" dstip="220.127.116.11" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="203096" request="0xdf99a800" url="arlos3-prod-z1.s3.amazonaws.com/" referer="" error="" authtime="0" dnstime="19444" cattime="0" avscantime="0" fullreqtime="13845978" device="0" auth="0" ua="" exceptions="content,url" application="amazonws" app-id="800"
Any help appreciated
In reply to DarkKnight93:
In reply to EricBieber:
Issues here also using a browser (Chrome, IE, Edge tested) in transparent proxy, with all sorts of messages like these in the web filtering live log:
2016:07:09-23:36:46 utm httpproxy: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 193 bytes (HPE_INVALID_METHOD: invalid HTTP method)"
In reply to apijnappels:
I have thousands of these exact messages per hour. Haven't been able to figure it out. It looks like a code bug!
utm httpproxy: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 147 bytes (HPE_INVALID_METHOD: invalid HTTP method)"
We are having the exact same issue, UTM 9 with Arlo. You can do everything except view the live feed. When you do, you get: connection failed
I have tested switching between transparent and standard mode and it didn't work.
It appears to be with the Web Filtering. Turn that off or jump on a network that isn't part of the web filter policy and you can view live feed.
I have added arlo, netgear and AWS' websites to the Allow These Websites and subdomains in the Filter action for the main/only policy, no go.
I have added arlo, netgear and AWS' to the Exceptions under Filtering Options, still no go.
I have added arlo, netgear and AWS' to the Websites under Filtering Options, with a trusted reputation, still no go.
I created an App Control Rule under Application Control for all of Amazon Web Services, still no go.
When checking the web filtering logs (along with any other), I see nothing at all for my IP, for the base station's IP, for the base station's name or anything for AWS.
In reply to Michael Klement:
I eventually got it working
I think it was this that did it in the end: Web - Filtering Options - Misc - Transparent Mode Skip List. Add Arlo Netgear, or whatever you have called it (being the Arlo router), to both and allow the traffic with the check box.
In reply to NicholasChase:
I have all the addresses listed for Web Protection\Filtering Options\Exceptions
As for your transparent mode skiplist, what did you add/enter in for your "Arlo Netgear" Host Network Definition?
I tried it with the base station IP address and it still doesn't work for me.
I also in Web Profiles Misc settings turned on Bypass Streaming.
Thanks for the reply, I have set up everything identical to what you supplied and it is still happening.
If I turn web filtering off, it works. If I turn it on, it doesn't.
I tried switching between Standard and Transparent mode but for both, it doesn't work.
I tried adding all the sites to the "Allow these websites" for the only profile we are using, still doesn't work.
I checked the existing and live logs but I cannot find anything referencing the Arlo's IP, MAC or Device Name, so I can't get anything out of it.
Timing-wise in the web filter logs, it looks like it is these errors (like NicholasChase stated):
Hi, Michael, and welcome to the UTM Community!
Clearly, you're not skipping the Proxy or there would be nothing in the logs. In Standard mode, you must skip the proxy in 'Proxy Settings' in your browser as the 'Transparent Mode Skiplist' applies only to Transparent mode.
In the Skiplist, does the definition for your camera violate #3 in Rulz?
Cheers - Bob
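Added example (not part of any post in this thread): a small Python check over httpproxy log lines that answers the two questions raised above, whether a device's traffic is still reaching the web proxy (any line carrying its srcip means the skiplist is not applying to it) and how many HPE_INVALID_METHOD parser errors occur per minute. Those error lines carry no srcip, so they can only be correlated with the camera by time. The sample lines are abridged from the ones quoted in the thread, plus one constructed line; the function names are this example's own.

```python
import re
from collections import Counter

# Line shape as quoted in the thread: <timestamp> <host> httpproxy: key="value" ...
LINE = re.compile(r'^(\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ httpproxy: (.*)$')
PAIR = re.compile(r'([\w-]+)="([^"]*)"')

def parse_line(line):
    """Return the key/value fields of one httpproxy line (plus 'ts'), or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = dict(PAIR.findall(m.group(2)))
    rec["ts"] = m.group(1)
    return rec

def summarize(lines, device_ip):
    """Return (requests logged for device_ip, parser errors counted per minute)."""
    hits, errors = [], Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec.get("srcip") == device_ip:
            # The proxy handled this request, so the device is NOT being skipped.
            hits.append((rec["ts"], rec.get("method"), rec.get("url"), rec.get("exceptions")))
        elif "HPE_INVALID_METHOD" in rec.get("message", ""):
            # No srcip on these lines: bucket by minute for time correlation.
            errors[rec["ts"][:16]] += 1
    return hits, errors

# Sample input: abridged from the thread; the last line is constructed.
SAMPLE = [
    '2016:01:05-22:29:27 utm httpproxy: id="0001" severity="info" action="pass" '
    'method="CONNECT" srcip="192.168.0.22" statuscode="200" '
    'url="arlos3-prod-z1.s3.amazonaws.com/" exceptions="content,url" app-id="800"',
    '2016:07:09-23:36:46 utm httpproxy: id="0003" severity="info" request="(nil)" '
    'message="Unable to parse a http message of 193 bytes (HPE_INVALID_METHOD: invalid HTTP method)"',
    '2016:07:09-23:36:51 utm httpproxy: id="0003" severity="info" request="(nil)" '
    'message="Unable to parse a http message of 147 bytes (HPE_INVALID_METHOD: invalid HTTP method)"',
    '2016:07:09-23:37:02 utm httpproxy: id="0001" severity="info" action="pass" '
    'method="GET" srcip="192.168.0.50" statuscode="200" url="http://example.com/"',
]

if __name__ == "__main__":
    hits, errors = summarize(SAMPLE, "192.168.0.22")
    print("proxied requests from device:", hits or "none (proxy is being skipped)")
    for minute, count in sorted(errors.items()):
        print(minute, "HPE_INVALID_METHOD x", count)
```

An empty result for the device's IP while web filtering is on is what a working Transparent Mode Skiplist entry looks like in this log.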