Application Filter - Source and Destination IP mismatch?

Hi,

I'd think source and destination IP are wrong here.

It took me some time to help a user who reported he cannot download a file we blocked, because I could not find his computer with my query for source IP.

We block executables here.

Other Application Filter blocks look OK, e.g. accessing blocked applications:



Edited TAGs
[edited by: emmosophos at 5:26 PM (GMT -7) on 22 Jul 2021]
  • App Control and IPS can be applied on both packets (inbound and outbound). And if the pattern match on the packet coming back, it will be shown in the logs as you see. 

    If you request a download, the data of the file is "coming back from the server" (download). Therefore if the firewall cannot find a download request based on the "get", this packet will be allowed but the IPS/app control will detect a download based on the packets coming back. 

    __________________________________________________________________________________________________________________

  • Thank you. This is a web request the XG webfilter sees:

    2021-07-22 13:50:47Web filtermessageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" status="" fw_rule_id="251" user="" user_group="" web_policy_id="4" web_policy="" category="Information Technology" category_type="Acceptable" url="">download.eclipse.org/.../org.w3c.dom.svg_1.1.0.v201011041433.jar" content_type="" override_token="" response_code="" src_ip="172.internalIP" dst_ip="198.41.30.199" protocol="TCP" src_port="51162" dst_port="80" bytes_sent="220" bytes_received="0" domain="download.eclipse.org" exception="" activity_name="" reason="" user_agent="curl/7.58.0" status_code="500" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="2333631424" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

    These requests are then blocked by the Application Filter because executables are not allowed.

    I want this blocked, but analyzing it is just difficult and tricky.

  • Logviewer --> Advanced View --> Search for the IP (not as Destination or Source, instead search for the IP as a String). Should show the web allowing it, but App blocking it. 

    __________________________________________________________________________________________________________________
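An added example, not from the original thread and not Sophos code: a small Python parser for the key="value" log format shown above, plus a lookup that matches a host IP against either endpoint field. It shows why a query on src_ip alone misses the app-control event (the client appears as dst_ip when the signature fires on the packets coming back from the server, as explained in the first reply) and what the "search for the IP as a string" approach finds. The two sample log lines are constructed for this example: the internal address 172.16.0.25 and the field names of the application-filter line are assumptions, not copied from a real device.

```python
import re
from typing import Dict, List

# Sophos XG syslog lines are a run of key="value" pairs; values may contain
# spaces (e.g. log_type="Content Filtering"), so match up to the closing quote.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines. The first mirrors the web-filter "Allowed" entry
# from the thread with the internal IP replaced; the second is an assumed
# application-filter "Denied" entry where src/dst are reversed because the
# match happened on the returning data.
SAMPLE_LINES: List[str] = [
    '2021-07-22 13:50:47 messageid="16001" log_type="Content Filtering" '
    'log_component="HTTP" log_subtype="Allowed" fw_rule_id="251" '
    'category="Information Technology" url="http://download.eclipse.org/plugins/example.jar" '
    'src_ip="172.16.0.25" dst_ip="198.41.30.199" protocol="TCP" src_port="51162" '
    'dst_port="80" domain="download.eclipse.org" user_agent="curl/7.58.0" '
    'con_id="2333631424"',
    # Assumed application-filter line (field names are an assumption).
    '2021-07-22 13:50:47 messageid="17002" log_type="Content Filtering" '
    'log_component="Application" log_subtype="Denied" fw_rule_id="251" '
    'src_ip="198.41.30.199" dst_ip="172.16.0.25" protocol="TCP" src_port="80" '
    'dst_port="51162" application="Executable File Download" con_id="2333631424"',
]


def parse_xg_line(line: str) -> Dict[str, str]:
    """Parse one XG log line into a dict of its key="value" fields.

    Free text before or between pairs (the timestamp here) is ignored.
    """
    return {key: value for key, value in _KV_RE.findall(line)}


def events_by_src(lines: List[str], host_ip: str) -> List[Dict[str, str]]:
    """The query the original poster used: match on src_ip only.

    This finds the web-filter entry but misses the application-filter entry,
    where the client is the destination of the matched (returning) packet.
    """
    return [ev for ev in map(parse_xg_line, lines) if ev.get("src_ip") == host_ip]


def events_for_host(lines: List[str], host_ip: str) -> List[Dict[str, str]]:
    """Return every event where host_ip is either endpoint.

    Equivalent to the 'search the IP as a string' advice in the reply, but
    it also records which role the host played so the direction flip is
    visible in the result.
    """
    hits = []
    for ev in map(parse_xg_line, lines):
        if ev.get("src_ip") == host_ip:
            ev["host_role"] = "source"
        elif ev.get("dst_ip") == host_ip:
            ev["host_role"] = "destination"
        else:
            continue
        hits.append(ev)
    return hits


def summarize(ev: Dict[str, str]) -> str:
    """One-line description of an event for quick triage output."""
    return (f'{ev.get("log_component", "?")} {ev.get("log_subtype", "?")}: '
            f'host seen as {ev.get("host_role", "?")}, '
            f'src={ev.get("src_ip")} dst={ev.get("dst_ip")} con_id={ev.get("con_id")}')


if __name__ == "__main__":
    client = "172.16.0.25"
    print(f"src_ip-only query for {client}: {len(events_by_src(SAMPLE_LINES, client))} event(s)")
    for ev in events_for_host(SAMPLE_LINES, client):
        print(summarize(ev))
```

Matching on con_id across the two entries (both carry the same value in the constructed data) is a further way to tie the allowed HTTP request to the later application-filter block, but whether a real device shares the connection id across the two log components should be checked against your own logs first.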

