This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AP15 trying to connect to external IP addresses - why?

Good morning,

I hope we are all having a healthy/safe social distancing morning. I am tinkering with my home UTM, now that I seem to have lots of time.

 

I am seeing lots of traffic blocked in my web filter logs from my AP15.

 

2020:03:25-09:56:47 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanNetwo2 (Core_Devices_Profile)" filteraction="REF_HttCffCorefilter (Core_Filter_Action)" size="3270" request="0xe560d100" url="https://34.251.210.199/" referer="" error="" authtime="0" dnstime="0" aptptime="98" cattime="140" avscantime="0" fullreqtime="244564" device="0" auth="0" ua="" exceptions="" reason="reputation" category="9998" reputation="unverified" categoryname="Uncategorized"
2020:03:25-09:56:53 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanNetwo2 (Core_Devices_Profile)" filteraction="REF_HttCffCorefilter (Core_Filter_Action)" size="3270" request="0xcc8ca00" url="https://34.249.219.143/" referer="" error="" authtime="0" dnstime="0" aptptime="137" cattime="146" avscantime="0" fullreqtime="236847" device="0" auth="0" ua="" exceptions="" reason="reputation" category="9998" reputation="unverified" categoryname="Uncategorized"
2020:03:25-09:56:58 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanNetwo2 (Core_Devices_Profile)" filteraction="REF_HttCffCorefilter (Core_Filter_Action)" size="3264" request="0xc1e1c300" url="https://54.77.16.23/" referer="" error="" authtime="0" dnstime="0" aptptime="97" cattime="123" avscantime="0" fullreqtime="236449" device="0" auth="0" ua="" exceptions="" reason="reputation" category="9998" reputation="unverified" categoryname="Uncategorized"

 

 

  1. These hosts all resolve to Sophos Central. Isn't it strange that Sophos' own IPs are listed as uncategorized/unverified?
  2. Why does my AP need to talk externally at all? I have never, nor do I plan to use Sophos Central to manage my UTM in any way.

I have not seen this before, and have always kept all of my core systems (by IP) in a group that gets very restrictive web filter URL blocks.



This thread was automatically locked due to age.
  • Does this phenomenon disappear if you do a disable/enable of Web Filtering?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry for the long delay - I am wrapped up in lots of home-schooling, lately.

    Yes, I am still seeing blocks in the web filter, but not the firewall, since March.

    Why would my AP need to talk to the outside world when my UTM pushes FW from inside?

    Here is some sample info from March 22 to 28:

    The same report from Jan 1 to Feb 29:

    When I look at my FW logs, I see lots of RST, but nothing triggering my explicit block from AP15 to any internet IP4:

    Line 58: 2020:03:25-00:01:56 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="54.77.16.23" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="53334" tcpflags="RST" 
    Line 66: 2020:03:25-00:02:34 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="54.77.16.23" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="53341" tcpflags="RST"
    Line 69: 2020:03:25-00:02:50 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="54.77.16.23" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="53344" tcpflags="RST"
    Line 85: 2020:03:25-00:03:49 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="54.77.16.23" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="53355" tcpflags="RST"
    Line 103: 2020:03:25-00:07:46 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="34.249.219.143" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="33003" tcpflags="RST"
    Line 107: 2020:03:25-00:08:02 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="34.251.210.199" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="58824" tcpflags="RST"
    Line 118: 2020:03:25-00:09:29 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="34.251.210.199" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="58840" tcpflags="RST"

    Sophos UTM Home user since 2015

    Running on Q350G4 Core i5-4200U 8GB

  • Good luck with teaching!

    It's normal to see RST packet drops, so you can ignore those blocks.

    Those are Amazon AWS IPs, so, with a home license, I think you're stuck with letting the AP15 do unfiltered web requests.  It looks like you're in Transparent mode, so I'd skip the proxy for all traffic coming from it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks! Teaching and working is a lot to tackle at once!

    Each of those IP addresses in my OP may be AWS, but they lead to Sophos Central (for example: https://54.77.16.23/). Wondering why my AP15 needs to talk to them, and why it talks externally at all. If it needs to check FW updates, isn't that the UTM's job? 

    I also saw in the Flow Monitor last night that a good amount of traffic is still coming from the AP, with the app type, "Sophos Wireless." Just before midnight, when I was looking, it had moved over 1GB of data on port tcp/2712. I don't see it happening right now, but I am wired.

    My main questions are these:

    1. Why does my AP need to talk on it's own IP to the outside world?
    2. Why is it still talking to the outside world when I have it blocked in the FW and the Web Filter?

    Here is my FW rule, placed near the top, with my other In>Out block rules:

      I never see this rule triggered, though.

    Here is the web filter profile:

    And the policy test shows that it should be blocked, and applies the correct profile:

    Also for reference, here is when they were talking more, before I blocked it outright while I investigate:


    Sophos UTM Home user since 2015

    Running on Q350G4 Core i5-4200U 8GB