Hi, I am running Dropbox on my machines, and as of today, I get an unable to connect message. In the past, this has worked with no problems. I can see that I have received pattern updates etc. but that is it.
Version SFOS 17.5.5 MR-5
drop-packet-capture 'host 192.168.1.212'
2019-06-23 19:55:14 010202124 IP 192.168.1.212.54491 > 126.96.36.199.443 : proto TCP: R 2647634639:2647634639(0) checksum : 53417
0x0000: 4500 0028 0000 4000 4006 82cf c0a8 01d4 E..(..@.@.......
0x0010: a27d 5307 d4db 01bb 9dcf b2cf 0000 0000 .}S.............
0x0020: 5004 0000 d0a9 0000 P.......
Date=2019-06-23 Time=19:55:14 log_id=010202124 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.1.212 dest_ip=188.8.131.52 l4_protocol=TCP source_port=54491 dest_port=443 fw_rule_id=7 policytype=2 live_userid=1 userid=15 user_gp=2 ips_id=12 sslvpn_id=0 web_filter_id=1 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=1 app_category_id=5 app_id=100 category_id=49 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=88 gateway_offset=0 max_session_bytes=1 drop_fix=0 ctflags=1241547786 connid=1514500400 masterid=0 status=430 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
Date=2019-06-23 Time=19:55:19 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=4 source_mac=f0:18:98:84:d4:73 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.212 dest_ip=255.255.255.255 l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 policytype=0 live_userid=1 userid=15 user_gp=2 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=1076147360 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
2019-06-23 19:55:19 010202130 IP 192.168.1.212.53961 > 184.108.40.206.443 : proto TCP: R 1545099583:1545099583(0) win 4095 checksum : 12093
0x0000: 4500 0028 0000 4000 4006 82d3 c0a8 01d4 E..(..@.@.......
0x0010: a27d 5303 d2c9 01bb 5c18 593f 241c 0a9f .}S.....\.Y?$...
0x0020: 5014 0fff 2f3d 0000 P.../=..
Date=2019-06-23 Time=19:55:19 log_id=010202130 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=0 outzone_id=0 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.1.212 dest_ip=220.127.116.11 l4_protocol=TCP source_port=53961 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
Under Protect - Web - Exceptions:
Apply "Allow All" app filter, "Allow All" web filter, IPS, for "rach mbp" and "dan mbp" users, when in "LAN" zone, and coming from any network, decrypt and scan for malware
rach mbp,dan mbp
Source: Minimum heartbeat is No restriction, Clients with no heartbeat allowed
Destination: Minimum heartbeat is No restriction, Request to destination with no heartbeat allowed
Masquerading is ON
Is there anything else I should be looking for?
Those Packets in Drop Packet capture are Reset packets.
So they are "fine".
The issue could be somewhere else.
Try to disable HTTPs Scanning (Decrypt and scan) and rerun your test.
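The reset flag mentioned in this reply can be read directly from the two hex dumps in the first post. The following is an added example, not part of the thread: it decodes the IPv4 and TCP headers of those dumps and reports the TCP flags; the function and variable names are this example's own.

```python
import re
import socket
import struct

# The two hex dumps from the drop-packet-capture output in the first post.
DUMP_1 = """\
0x0000: 4500 0028 0000 4000 4006 82cf c0a8 01d4 E..(..@.@.......
0x0010: a27d 5307 d4db 01bb 9dcf b2cf 0000 0000 .}S.............
0x0020: 5004 0000 d0a9 0000 P.......
"""
DUMP_2 = """\
0x0000: 4500 0028 0000 4000 4006 82d3 c0a8 01d4 E..(..@.@.......
0x0010: a27d 5303 d2c9 01bb 5c18 593f 241c 0a9f .}S.....\\.Y?$...
0x0020: 5014 0fff 2f3d 0000 P.../=..
"""

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def dump_to_bytes(dump):
    """Collect the hex words of each dump line, skipping offset and ASCII columns."""
    raw = bytearray()
    for line in dump.splitlines():
        words = []
        for tok in line.partition(":")[2].split():
            if len(words) == 8 or not re.fullmatch(r"[0-9a-fA-F]{4}", tok):
                break  # reached the ASCII column
            words.append(tok)
        raw += bytes.fromhex("".join(words))
    return bytes(raw)

def decode_tcp(dump):
    """Decode the IPv4 and TCP headers of one dumped packet."""
    pkt = dump_to_bytes(dump)
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    pkt = pkt[:struct.unpack("!H", pkt[2:4])[0]]  # trim to IP total length
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "window": window,
        "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
        "payload_len": len(pkt) - ihl - (off_flags >> 12) * 4,
    }
```

Calling `decode_tcp(DUMP_1)` and `decode_tcp(DUMP_2)` returns the decoded fields; the source ports, sequence numbers and window match the summary lines printed above each dump.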
In reply to LuCar Toni:
Disabling HTTPs Scanning resolves the issue.
Can you advise where I should look next?
In reply to Daniel Bingham:
You need to specify HTTPs Exceptions.
According to the list from your link which takes you to: https://help.dropbox.com/accounts-billing/security/official-domains
These are the following Regex that I see that need to be added.
As I am not fantastic at Regex could you please advise if I put them in the correct format, in particular the two bold expressions below?
I would suspect that you have a web policy blocking dropbox? I have https scanning enabled and I can access dropbox without any exceptions.
Rather than add all those exceptions I would suggest you review your web and application policies.
What happens if you have https scanning enabled and set the firewall rule web and application policies to allow all?
In reply to rfcat_vk:
As per my original post, I have Allow All on the web policy and allow all on app policies too, and as per my original post, running policy checks comes back as allowed to Dropbox.
Regex's mightn't be the way forward, but if it works, I am happy. I will check later today if they did.
Sorry, I found your original post a little confusing.
I ran the policy tester against dropbox and found it uses the default web policies.
The other strange thing is the policy tester reports out as dropbox using port 80.
You are seeing the exact same thing as I did in policy test which makes it very confusing.
Also, in the drop-packet-capture it doesn't show any "blocks" as such. It is a very peculiar situation that only started last week after a pattern update. (I am unsure if the pattern update is to blame or it's coincidence though).
There was a new ATP release on the 24th of June but that one is too recent to explain your issue. There is something odd with your rule because as I advised earlier I don't have any exceptions including the legacy exception for dropbox and can connect.
Thought I should retest dropbox only to find it has vanished. I can access the web version without an issue.
The web link works perfectly for me too, it is the dropbox syncing within the app that is the issue.
I should have made that clearer in my original post.
Sorry can't help with that because I don't use dropbox synch at the moment.
Dropbox primarily uses ports TCP 80 and TCP 443.
It also uses TCP Port 7600 and TCP 17603 for the web-based “Open” button, and TCP Port 17500 for the LAN Sync feature. LAN Sync is different from the regular sync feature – it performs sync operations between computers on the same LAN and shouldn’t connect to the outside internet.
Dropbox does not require any public-facing open ports to operate. It initiates the outbound connections to the Dropbox server, and uses this for all communications.
Thanks to a super helpful Sophos employee, they assisted with the Regular expressions that had to be entered to get Dropbox Sync working again.
For future, here are the RegEx's to enter: