Dropbox is being blocked

Hi, I am running Dropbox on my machines, and as of today, I get an unable to connect message. In the past, this has worked with no problems. I can see that I have received pattern updates etc. but that is it.

Version SFOS 17.5.5 MR-5

=======================================

Drop-packet-capture:

 drop-packet-capture 'host 192.168.1.212'

2019-06-23 19:55:14 010202124 IP 192.168.1.212.54491 > 162.125.83.7.443 : proto TCP: R 2647634639:2647634639(0) checksum : 53417

0x0000:  4500 0028 0000 4000 4006 82cf c0a8 01d4  E..(..@.@.......

0x0010:  a27d 5307 d4db 01bb 9dcf b2cf 0000 0000  .}S.............

0x0020:  5004 0000 d0a9 0000                      P.......

Date=2019-06-23 Time=19:55:14 log_id=010202124 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=1 outzone_id=2 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.1.212 dest_ip=162.125.83.7 l4_protocol=TCP source_port=54491 dest_port=443 fw_rule_id=7 policytype=2 live_userid=1 userid=15 user_gp=2 ips_id=12 sslvpn_id=0 web_filter_id=1 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=1 app_category_id=5 app_id=100 category_id=49 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=1 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=88 gateway_offset=0 max_session_bytes=1 drop_fix=0 ctflags=1241547786 connid=1514500400 masterid=0 status=430 state=8 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

Date=2019-06-23 Time=19:55:19 log_id=0103021 log_type=Firewall log_component=Local_ACLs log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1 out_dev= inzone_id=1 outzone_id=4 source_mac=f0:18:98:84:d4:73 dest_mac=ff:ff:ff:ff:ff:ff l3_protocol=IP source_ip=192.168.1.212 dest_ip=255.255.255.255 l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0 policytype=0 live_userid=1 userid=15 user_gp=2 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=1076147360 masterid=0 status=256 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

2019-06-23 19:55:19 010202130 IP 192.168.1.212.53961 > 162.125.83.3.443 : proto TCP: R 1545099583:1545099583(0) win 4095 checksum : 12093

0x0000:  4500 0028 0000 4000 4006 82d3 c0a8 01d4  E..(..@.@.......

0x0010:  a27d 5303 d2c9 01bb 5c18 593f 241c 0a9f  .}S.....\.Y?$...

0x0020:  5014 0fff 2f3d 0000                      P.../=..

Date=2019-06-23 Time=19:55:19 log_id=010202130 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev= out_dev= inzone_id=0 outzone_id=0 source_mac= dest_mac= l3_protocol=IP source_ip=192.168.1.212 dest_ip=162.125.83.3 l4_protocol=TCP source_port=53961 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 proxy_flags=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A

=======================================

Under Protect - Web - Exceptions:

Matching URLs:
^([A-Za-z0-9.-]*\.)?dropbox\.com\.?/
HTTPS decryption
Malware and content scanning
Sandstorm
Policy checks

Legacy HTTPS Exceptions
URLs that were automatically skipped for HTTPS Decryption on earlier versions of XG Firewall.
Matching URLs:
alicebusiness.it
contacts.msn.com
deluxe.com
dropbox.com
federalreserve.org
iataindia.org
login.live.com
logmein.com
HTTPS decryption

Policy checks

Destination tcp://162.125.83.3:443
Destination IP 162.125.83.3, port 443, TCP
Source IP 192.168.1.212
Source zone Auto-detection
User dan mbp (Clientless user)
Result Allowed
Firewall rule Rach and Dan (ID: 7)
  • Those packets in the Drop Packet capture are reset packets.

    https://community.sophos.com/kb/en-us/131754

    So they are "fine".

    The issue could be somewhere else. 

    Try to disable HTTPs Scanning (Decrypt and scan) and rerun your test. 
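The reset-packet point above can be checked directly from the hex dump in the original post. The following is an added example, not code from the thread or from Sophos: it parses the tcpdump-style hex dump into bytes, reads the IPv4 addresses, TCP ports and flag bits, and runs the key=value Firewall log lines through a small triage function. The hex dumps are copied from the post; the log lines are abbreviated copies of the ones in the post (only the fields the triage reads are kept); the verdict strings are this example's own labelling, not XG output.

```python
import re

# Hex dumps copied from the drop-packet-capture in the original post
# (first and second TCP packets). tcpdump layout: offset, hex words, ASCII.
SAMPLE_HEXDUMPS = [
    r"""0x0000:  4500 0028 0000 4000 4006 82cf c0a8 01d4  E..(..@.@.......
0x0010:  a27d 5307 d4db 01bb 9dcf b2cf 0000 0000  .}S.............
0x0020:  5004 0000 d0a9 0000                      P.......""",
    r"""0x0000:  4500 0028 0000 4000 4006 82d3 c0a8 01d4  E..(..@.@.......
0x0010:  a27d 5303 d2c9 01bb 5c18 593f 241c 0a9f  .}S.....\.Y?$...
0x0020:  5014 0fff 2f3d 0000                      P.../=..""",
]

# Abbreviated copies of the Firewall log lines in the original post.
SAMPLE_LOG_LINES = [
    "Date=2019-06-23 Time=19:55:14 log_id=010202124 log_type=Firewall "
    "log_component=Invalid_Traffic log_subtype=Denied log_priority=Alert "
    "in_dev= out_dev= source_ip=192.168.1.212 dest_ip=162.125.83.7 "
    "l4_protocol=TCP source_port=54491 dest_port=443 fw_rule_id=7",
    "Date=2019-06-23 Time=19:55:19 log_id=0103021 log_type=Firewall "
    "log_component=Local_ACLs log_subtype=Denied log_priority=Alert "
    "in_dev=Port1 out_dev= source_ip=192.168.1.212 dest_ip=255.255.255.255 "
    "l4_protocol=UDP source_port=17500 dest_port=17500 fw_rule_id=0",
]

# Low six bits of the TCP data-offset/flags word, in header bit order.
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_kv_log(line):
    """Sophos-style 'key=value key=value' line -> dict (empty values allowed)."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def hexdump_to_bytes(dump):
    """Parse 'offset:  hex words  ASCII' lines into raw packet bytes.

    The hex column is separated from the offset and from the ASCII column by
    two or more spaces, so splitting on runs of whitespace isolates it safely
    even when the ASCII column happens to contain hex-looking characters.
    """
    out = bytearray()
    for line in dump.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) >= 2 and re.fullmatch(r"0x[0-9a-fA-F]+:", parts[0]):
            out += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(out)


def tcp_flags(packet):
    """Flag names set in a raw IPv4/TCP packet (no link-layer header)."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6:                     # IPv4 protocol field: 6 = TCP
        raise ValueError("not a TCP packet")
    flags = packet[ihl + 13] & 0x3F        # byte 13 of the TCP header
    return [name for bit, name in TCP_FLAG_BITS if flags & bit]


def packet_summary(packet):
    """Addresses, ports and flags of a raw IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "sport": int.from_bytes(packet[ihl:ihl + 2], "big"),
        "dport": int.from_bytes(packet[ihl + 2:ihl + 4], "big"),
        "flags": tcp_flags(packet),
    }


def triage(log_lines):
    """Classify Denied events; the verdict text is this example's own labelling."""
    findings = []
    for line in log_lines:
        ev = parse_kv_log(line)
        if ev.get("log_subtype") != "Denied":
            continue
        comp, proto, dport = ev.get("log_component"), ev.get("l4_protocol"), ev.get("dest_port")
        if comp == "Invalid_Traffic" and proto == "TCP":
            verdict = "out-of-state TCP packet (the capture shows RSTs); usually not the cause"
        elif comp == "Local_ACLs" and proto == "UDP" and dport == "17500":
            verdict = "Dropbox LAN Sync broadcast hitting the firewall itself; unrelated to cloud sync"
        else:
            verdict = "real policy denial; check the rule in fw_rule_id"
        findings.append({"component": comp, "src": ev.get("source_ip"), "dst": ev.get("dest_ip"),
                         "dport": dport, "rule": ev.get("fw_rule_id"), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for dump in SAMPLE_HEXDUMPS:
        print(packet_summary(hexdump_to_bytes(dump)))
    for finding in triage(SAMPLE_LOG_LINES):
        print(finding)
```

Run stand-alone it prints RST for the first packet and RST+ACK for the second, with ports 54491 and 53961 to 443, matching the log lines; neither Denied entry is a web-policy block, which is why the drop capture alone does not explain the failure.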

  • In reply to LuCar Toni:

    Hi,

    Disabling HTTPs Scanning resolves the issue.

    Can you advise where I should look next?

    Thanks

  • In reply to LuCar Toni:

    Thanks,

    According to the list from your link which takes you to: https://help.dropbox.com/accounts-billing/security/official-domains

    These are the following Regex that I see need to be added.

    As I am not fantastic at Regex could you please advise if I put them in the correct format, in particular the two bold expressions below?

    ^([A-Za-z0-9.-]*\.)?db\.tt\.?/
    ^([A-Za-z0-9.-]*\.)?dropboxapi\.com\.?/
    ^([A-Za-z0-9.-]*\.)?dropboxbusiness\.com\.?/
    ^([A-Za-z0-9.-]*\.)?dropboxcaptcha\.com\.?/
    ^([A-Za-z0-9.-]*\.)?dropboxforums\.com\.?/
    ^([A-Za-z0-9.-]*\.)?dropboxforum\.com\.?/
    ^([A-Za-z0-9.-]*\.)?dropboxinsiders\.com\.?/
    ^([A-Za-z0-9.-]*\.)?dropboxmail\.com\.?/
    ^([A-Za-z0-9.-]*\.)?dropboxpartners\.com\.?/
    ^([A-Za-z0-9.-]*\.)?dropboxstatic\.com\.?/
    ^([A-Za-z0-9.-]*\.)?dropbox.zendesk\.com\.?/
    ^([A-Za-z0-9.-]*\.)?getdropbox\.com\.?/
    ^([A-Za-z0-9.-]*\.)?dropbox\.com\.?/
    ^([A-Za-z0-9.-]*\.)?arkoselabs\.com\.?/
    ^([A-Za-z0-9.-]*\.)?dropbox-dns\.com\.?/
    ^([A-Za-z0-9.-]*\.)?paper-attachments.s3.amazonaws\.com\.?/
    ^([A-Za-z0-9.-]*\.)?dropboxusercontent\.com\.?/

    Thank you.

  • In reply to Daniel Bingham:

    Hi Daniel,

    I would suspect that you have a web policy blocking dropbox? I have https scanning enabled and I can access dropbox without any exceptions.

    Rather than add all those exceptions I would suggest you review your web and application policies.

    What happens if you have https scanning enabled and set the firewall rule web and application policies to allow all?

    Ian

  • In reply to rfcat_vk:

    Hi Ian,

    As per my original post, I have Allow All on the web policy and allow all on app policies too, and as per my original post, running policy checks comes back as allowed to Dropbox.

    Regex's mightn't be the way forward, but if it works, I am happy. I will check later today if they did.

    Thanks

  • In reply to Daniel Bingham:

    Hi Daniel,

    Sorry, I found your original post a little confusing.

    I ran the policy tester against dropbox and found it uses the default web policies.

    The other strange thing is the policy tester reports dropbox as using port 80.

    Ian

  • In reply to rfcat_vk:

    You are seeing the exact same thing as I did in policy test which makes it very confusing.

    Also, in the drop-packet-capture it doesn't show any "blocks" as such. It is a very peculiar situation that only started last week after a pattern update. (I am unsure if the pattern update is to blame or it's coincidence though).

  • In reply to Daniel Bingham:

    Hi Daniel,

    There was a new ATP release on the 24th of June but that one is too recent to explain your issue. There is something odd with your rule because, as I advised earlier, I don't have any exceptions, including the legacy exception for dropbox, and can connect.

    Thought I should retest dropbox only to find it has vanished. I can access the web version without an issue.

    Ian

  • In reply to rfcat_vk:

    The web link works perfectly for me too, it is the dropbox syncing within the app that is the issue.

    I should have made that clearer in my original post.

  • In reply to Daniel Bingham:

    Sorry, I can't help with that because I don't use dropbox sync at the moment.

    Ian

    Dropbox primarily uses ports TCP 80 and TCP 443.

    It also uses TCP Port 7600 and TCP 17603 for the web-based “Open” button, and TCP Port 17500 for the LAN Sync feature. LAN Sync is different from the regular sync feature – it performs sync operations between computers on the same LAN and shouldn’t connect to the outside internet.

    Dropbox does not require any public-facing open ports to operate. It initiates the outbound connections to the Dropbox server, and uses this for all communications.

  • Thanks to a super helpful Sophos employee, who assisted with the regular expressions that had to be entered to get Dropbox Sync working again.

    For the future, here are the RegExes to enter:

    ^([A-Za-z0-9.-]*\.)?db\.tt/
    ^([A-Za-z0-9.-]*\.)?dropbox\.com/
    ^([A-Za-z0-9.-]*\.)?dropboxapi\.com/
    ^([A-Za-z0-9.-]*\.)?dropboxbusiness\.com/
    ^([A-Za-z0-9.-]*\.)?dropboxcaptcha\.com/
    ^([A-Za-z0-9.-]*\.)?dropboxforums\.com/
    ^([A-Za-z0-9.-]*\.)?dropboxforum\.com/
    ^([A-Za-z0-9.-]*\.)?dropboxinsiders\.com/
    ^([A-Za-z0-9.-]*\.)?dropboxmail\.com/
    ^([A-Za-z0-9.-]*\.)?dropboxpartners\.com/
    ^([A-Za-z0-9.-]*\.)?dropboxstatic\.com/
    ^([A-Za-z0-9.-]*\.)?dropbox\.zendesk\.com/
    ^([A-Za-z0-9.-]*\.)?getdropbox\.com/
    ^([A-Za-z0-9.-]*\.)?instructorledlearning\.dropboxbusiness\.com/
    ^([A-Za-z0-9.-]*\.)?paper\.dropbox\.com/

    Other Verified Domains:
    ^([A-Za-z0-9.-]*\.)?cdn\.arkoselabs\.com/
    ^([A-Za-z0-9.-]*\.)?dropbox-api\.arkoselabs\.com/
    ^([A-Za-z0-9.-]*\.)?dropbox-dns\.com/
    ^([A-Za-z0-9.-]*\.)?google\.com/
    ^([A-Za-z0-9.-]*\.)?paper-attachments\.s3\.amazonaws\.com/
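Before pasting an exception list like the one above into a firewall, it is worth checking what the patterns actually match, because a web exception switches off HTTPS decryption and scanning for everything it covers. The block below is an added example, not code from the thread or from Sophos. It takes the final list verbatim and runs it against a few constructed URLs, and also compares the escaped `dropbox\.zendesk\.com` from the final list with the unescaped `dropbox.zendesk` from the earlier question. One assumption that the page does not state: XG applies the regex to host + path with the scheme removed, which is what the `^` anchor and the trailing `/` in the posted patterns imply; the `normalize()` helper models that and lower-cases the host.

```python
import re

# Exception patterns exactly as listed in the final reply above.
DROPBOX_EXCEPTION_PATTERNS = [
    r"^([A-Za-z0-9.-]*\.)?db\.tt/",
    r"^([A-Za-z0-9.-]*\.)?dropbox\.com/",
    r"^([A-Za-z0-9.-]*\.)?dropboxapi\.com/",
    r"^([A-Za-z0-9.-]*\.)?dropboxbusiness\.com/",
    r"^([A-Za-z0-9.-]*\.)?dropboxcaptcha\.com/",
    r"^([A-Za-z0-9.-]*\.)?dropboxforums\.com/",
    r"^([A-Za-z0-9.-]*\.)?dropboxforum\.com/",
    r"^([A-Za-z0-9.-]*\.)?dropboxinsiders\.com/",
    r"^([A-Za-z0-9.-]*\.)?dropboxmail\.com/",
    r"^([A-Za-z0-9.-]*\.)?dropboxpartners\.com/",
    r"^([A-Za-z0-9.-]*\.)?dropboxstatic\.com/",
    r"^([A-Za-z0-9.-]*\.)?dropbox\.zendesk\.com/",
    r"^([A-Za-z0-9.-]*\.)?getdropbox\.com/",
    r"^([A-Za-z0-9.-]*\.)?instructorledlearning\.dropboxbusiness\.com/",
    r"^([A-Za-z0-9.-]*\.)?paper\.dropbox\.com/",
    r"^([A-Za-z0-9.-]*\.)?cdn\.arkoselabs\.com/",
    r"^([A-Za-z0-9.-]*\.)?dropbox-api\.arkoselabs\.com/",
    r"^([A-Za-z0-9.-]*\.)?dropbox-dns\.com/",
    r"^([A-Za-z0-9.-]*\.)?google\.com/",
    r"^([A-Za-z0-9.-]*\.)?paper-attachments\.s3\.amazonaws\.com/",
]

# The unescaped-dot variant from the earlier question, kept to show the over-match.
UNESCAPED_ZENDESK = r"^([A-Za-z0-9.-]*\.)?dropbox.zendesk\.com\.?/"
ESCAPED_ZENDESK = r"^([A-Za-z0-9.-]*\.)?dropbox\.zendesk\.com/"


def normalize(url):
    """Strip the scheme and guarantee a '/' after the host.

    Assumption (not stated on the page): the firewall matches the exception
    regex against host + path without the scheme. Host is lower-cased, path kept.
    """
    url = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url)
    host, _, path = url.partition("/")
    return host.lower() + "/" + path


def first_match(url, patterns=DROPBOX_EXCEPTION_PATTERNS):
    """The first pattern that matches the normalized URL, or None."""
    target = normalize(url)
    for pattern in patterns:
        if re.match(pattern, target):
            return pattern
    return None


def is_excepted(url, patterns=DROPBOX_EXCEPTION_PATTERNS):
    return first_match(url, patterns) is not None


def escaped_vs_unescaped(url):
    """(escaped pattern matches?, unescaped pattern matches?) for one URL."""
    target = normalize(url)
    return (bool(re.match(ESCAPED_ZENDESK, target)),
            bool(re.match(UNESCAPED_ZENDESK, target)))


def check_all(cases, patterns=DROPBOX_EXCEPTION_PATTERNS):
    """URLs whose actual result differs from the expectation in `cases`."""
    return [url for url, expected in cases if is_excepted(url, patterns) != expected]


# Constructed test URLs; the look-alike hosts are invented for this example.
EXPECTED = [
    ("https://www.dropbox.com/home", True),
    ("https://DROPBOX.com", True),                        # case and missing path
    ("https://d.dropbox.com/some/path", True),            # subdomain
    ("https://dropbox.com.evil.example/login", False),    # apex embedded in another name
    ("https://notdropbox.com/", False),                   # the '\.' in the group blocks prefixes
    ("https://dropboxusercontent.com/", False),           # in the earlier list, not the final one
    ("https://mail.google.com/", True),                   # google.com pattern is broad
]

if __name__ == "__main__":
    print("mismatches:", check_all(EXPECTED))
    print("dropbox-zendesk.com (escaped, unescaped):",
          escaped_vs_unescaped("https://dropbox-zendesk.com/"))
```

Two things the run makes visible: the `google\.com` entry exempts every `google.com` host from decryption and scanning, which is a far wider hole than the Dropbox entries, so it deserves a deliberate decision rather than a copy-paste; and the unescaped `dropbox.zendesk` from the earlier question also matches a constructed `dropbox-zendesk.com`, while the escaped form from the final list does not. Note also that `dropboxusercontent.com`, present in the earlier candidate list, is absent from the final one; the official-domains page linked in the thread is the place to confirm which hosts sync actually needs.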