Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

MALWARE AND CONTENT SCANNING

the course is saying that its recommended to use "Malware and content scanning" instead of "Filtering common web ports" So ive done some testing to check if malware will be blocked if i'll set only "malware and content scanning" unfortunately, files sended with no  problem. Ive attached screens from policy of FW rule and ssl/tls rule. Also ive added via Console non-standard port for https and ftp <- but ftp is a different story. 

 

 

BUT if im setting options below(screenshot) it does working. Tested malware are blocked and i can see it in the LOGS.



This thread was automatically locked due to age.
Parents
  • Roman,

    I tried with eicar, and in my case, XG stops the files with both DPI or Proxy mode.

    Were yours an update from beta or a new installation?

  • I was upgrading it from SFOS 17.5.9 MR-9 to 18 ;)

    I assume that DPI - you have toggled only thoe options as below ? 

    6523.Przechwytywanie2.PNG

    I have done some testing and Malware is blocked only if the security settings are as below, ive try different options but no luck... Im not sure if it must working as is below. Regarding to courses - i think that not ;)

    7870.Przechwytywanie5.PNG

    __________SETUP___________

    HP Small Form Factor:  i5 4Cores, 8Gb of RAM.
    Intel Network Card 5x Eth
    SSD: 256Gb

  • In theory, with the new DPI, http/s traffic on whatever port the traffic is running, it should be decrypted.

    Here we are talking about FTPS service, which uses TLS but the service is FTP and not HTTP/S.

    could you clarify?

    Thanks

  • Interesting, i would say, with DPI, yes. 

    For HTTP/s on any Port, it works like this way. Now i am not sure, if the same applies for FTP. 

    But you run in other technical challenges. Is your FTP Client able to work with an Decryption Certificate? 

    Filezilla actually supports that, you could use a Switch to allow Man-in-the-Middle.

    Not sure about other FTP Clients. 

    __________________________________________________________________________________________________________________

  • LuCar Toni said:
    But you run in other technical challenges. Is your FTP Client able to work with an Decryption Certificate? 

    Yes, it works!, If you enable TLS Decryption on XG most FTP clients will ask you if you trust the new certificate for the connection. Later on looking at logs you can successfully see that the TLS session has been decrypted.

    The problem here, XG It's not scanning the traffic. Its only scanning default plain-text FTP over port 21.

    On the log viewer and on the Flow Monitor, It doesn't even detect it as FTPS, It shows as TLS connection over non-standard port. While XG in the applications tab have FTPS as a detectable application.

     

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • Can you please show how did ypu setup you fw policy for ftps traffic also rules for ssl/tls tondecrypt the traffic. ive got set it but cant get work regarding to decrypting traffic in logs. ;]

    __________SETUP___________

    HP Small Form Factor:  i5 4Cores, 8Gb of RAM.
    Intel Network Card 5x Eth
    SSD: 256Gb

  • Prism,

    can you try to enable decrypt and scan on the firewall rule where you are allowing the FTPS traffic to see if the malware is detected?

    Thanks

  • ofcourse ive have set it up but i cant detect any traffic on the rule.

     This is how service is configured. 

     And more detailed 

    ALSO FIREWALL RULE.

    Ticked A security features - maybe here must be selected sth else ?

    __________SETUP___________

    HP Small Form Factor:  i5 4Cores, 8Gb of RAM.
    Intel Network Card 5x Eth
    SSD: 256Gb

  • Hi Luk,

    Already tried this.

    FTPS traffic is decrypted but isn't scanned.

     

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • I'm using FTPS on passive mode, TLS connection happens over Port 990.
     
    Data is transmitted over Ports 40100:40200.
     
     

     

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • Please open a ticket with support and report the ID here.

    Regards

  • I'm a Home User, the best I can do right now is wait for v18.5 and hope something change about how traffic is scanned on XG, Currently with the new DPI engine is only port agnostic for HTTP traffic, I hope it's fully port agnostic in the future.

    Also there's already an Idea, in Sophos Ideas for XG, for FTP scan on any port. The Idea has made in 2017.

    https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/32248618-ftp-tracking

     

    FTP connections are currently only tracked on:

    SFVH_SO01_SFOS 18.0.0 GA-Build321# cat /etc/snort/etc/snort.conf | grep "run ftp servers on" -A 2
    # List of ports you run ftp servers on
    portvar FTP_PORTS [21,2100,3535]

     

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

Reply
  • I'm a Home User, the best I can do right now is wait for v18.5 and hope something change about how traffic is scanned on XG, Currently with the new DPI engine is only port agnostic for HTTP traffic, I hope it's fully port agnostic in the future.

    Also there's already an Idea, in Sophos Ideas for XG, for FTP scan on any port. The Idea has made in 2017.

    https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/32248618-ftp-tracking

     

    FTP connections are currently only tracked on:

    SFVH_SO01_SFOS 18.0.0 GA-Build321# cat /etc/snort/etc/snort.conf | grep "run ftp servers on" -A 2
    # List of ports you run ftp servers on
    portvar FTP_PORTS [21,2100,3535]

     

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

Children
No Data