
invalid traffic 18.203.200.196 .....hydra.sophos.com

our firewall XGS2100 (SFOS 19.5.2 MR-2-Build624) makes connections to:

18.203.200.196
utm-cloudstation-eu-west-1.prod.hydra.sophos.com

all Denied with invalid traffic

Log type | Time                | Log comp        | Status | FW rule | NAT rule | Src IP         | Dst IP         | Src port | Dst port | Proto | (unlabelled) | Message            | Count
Firewall | 2023-05-20 15:34:01 | Invalid Traffic | Denied | N/A     | 0        | 37.153.x       | 18.203.200.196 | 19710    | 443      | TCP   | 0            | Invalid TCP state. | 1
Firewall | 2023-05-20 15:34:01 | Invalid Traffic | Denied | N/A     | 0        | 18.203.200.196 | 37.153.x       | 443      | 19710    | TCP   | 0            | Invalid TCP state. | 1
Firewall | 2023-05-20 15:34:00 | Invalid Traffic | Denied | N/A     | 0        | 18.203.200.196 | 37.153.x       | 443      | 19710    | TCP   | 0            | Invalid TCP state. | 1
Firewall | 2023-05-20 15:34:00 | Invalid Traffic | Denied | N/A     | 0        | 37.153.x       | 18.203.200.196 | 19710    | 443      | TCP   | 0            | Invalid TCP state. | 1
Firewall | 2023-05-20 15:34:00 | Invalid Traffic | Denied | N/A     | 0        | 37.153.x       | 18.203.200.196 | 19710    | 443      | TCP   | 0            | Invalid TCP state. | 1
Firewall | 2023-05-20 15:34:00 | Invalid Traffic | Denied | N/A     | 0        | 18.203.200.196 | 37.153.x       | 443      | 19710    | TCP   | 0            | Invalid TCP state. | 2

Is this by design?

Do I need to allow traffic?

2023-05-20 15:34:00 Firewall messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" fw_rule_name="" fw_rule_section="" nat_rule_id="0" nat_rule_name="" policy_type="0" sdwan_profile_id_request="0" sdwan_profile_name_request="" sdwan_profile_id_reply="0" sdwan_profile_name_reply="" gw_id_request="0" gw_name_request="" gw_id_reply="0" gw_name_reply="" sdwan_route_id_request="0" sdwan_route_name_request="" sdwan_route_id_reply="0" sdwan_route_name_reply="" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="" in_display_interface="" out_interface="" out_display_interface="" src_mac="" dst_mac="" src_ip="18.203.200.196" src_country="IRL" dst_ip="37.153.x" dst_country="NLD" protocol="TCP" src_port="443" dst_port="19710" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid TCP state." appresolvedby="Signature" app_is_cloud="0" log_occurrence="1" flags="0"
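The record above is a space-separated key="value" log line. As an added example that is not part of the original post or of any Sophos tool, the following script parses such lines, groups "Invalid TCP state" denials by direction-independent flow, and reports whether both directions of the same connection were denied, which is the stale-session / asymmetric-routing pattern rather than a blocked new connection. The sample records are constructed from the values in the thread (37.153.x is the redacted WAN address as posted) and trimmed to the fields the script reads.

```python
import re
from collections import defaultdict

# SFOS log records are space-separated key="value" pairs after a timestamp/component prefix.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample records, trimmed to the fields used here (real records carry many more).
SAMPLE_LINES = [
    '2023-05-20 15:34:00 Firewall messageid="01001" log_type="Firewall" log_component="Invalid Traffic" '
    'log_subtype="Denied" status="Deny" src_ip="18.203.200.196" dst_ip="37.153.x" protocol="TCP" '
    'src_port="443" dst_port="19710" message="Invalid TCP state." log_occurrence="2"',
    '2023-05-20 15:34:01 Firewall messageid="01001" log_type="Firewall" log_component="Invalid Traffic" '
    'log_subtype="Denied" status="Deny" src_ip="37.153.x" dst_ip="18.203.200.196" protocol="TCP" '
    'src_port="19710" dst_port="443" message="Invalid TCP state." log_occurrence="1"',
    # An ordinary allowed rule hit (constructed) that the analysis must ignore.
    '2023-05-20 15:35:10 Firewall log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" src_ip="10.0.0.5" dst_ip="18.203.200.196" protocol="TCP" '
    'src_port="51234" dst_port="443" message="" log_occurrence="1"',
]

def parse_sfos_log(line):
    """Return the key="value" fields of one record as a dict; the prefix before the first key is dropped."""
    return dict(KV_RE.findall(line))

def flow_key(rec):
    """Direction-independent (protocol, endpoint, endpoint) tuple so both halves of a connection group."""
    ends = sorted([(rec["src_ip"], rec["src_port"]), (rec["dst_ip"], rec["dst_port"])])
    return (rec["protocol"], ends[0], ends[1])

def invalid_state_flows(lines):
    """Group 'Invalid TCP state' denials by flow and sum the occurrences seen per flow.

    both_directions=True means packets of the same connection were dropped going both ways,
    i.e. the firewall holds no valid session for either side (stale state or asymmetric path).
    """
    flows = defaultdict(lambda: {"dirs": set(), "count": 0})
    for line in lines:
        rec = parse_sfos_log(line)
        if rec.get("log_component") != "Invalid Traffic" or rec.get("message") != "Invalid TCP state.":
            continue  # rule hits and other components are not part of this analysis
        f = flows[flow_key(rec)]
        f["dirs"].add((rec["src_ip"], rec["dst_ip"]))
        f["count"] += int(rec.get("log_occurrence", "1"))
    return {k: {"both_directions": len(v["dirs"]) == 2, "count": v["count"]} for k, v in flows.items()}

if __name__ == "__main__":
    for key, info in invalid_state_flows(SAMPLE_LINES).items():
        print(key, info)
```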



  • Hi,

    there appears to be a network issue possibly with your WAN interface NIC. Normally a firewall rule is not required for access to the up2date servers because the connections are all done outside (WAN) to the user firewall configuration.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • A search here for the domain hydra.sophos.com indicates it is some form of Sophos mail gateway server. An online ping and tracert reveals nothing, but a DNS lookup shows it resolves to an AWS domain. It might be on a blacklist....based on other posts here in the forums.

    According to what the log says: "invalid TCP state", you posted about this in another thread one year ago and Lucar Toni replied....

    Invalid TCP state is sometimes asymmetrical routing. Means the packet arrives from a different interface than the firewall expects. If the old firewall was a different IP address, the routing is messed up in some installations.

  • Hi,
    the workstation on the LAN can make a connection to the secure website

    https[:]//utm-cloudstation-eu-west-1.prod.hydra.sophos.com

  • Hello there,

    Thank you for contacting the Sophos Community.

    Do you have Sophos Endpoint installed on your computer, and/or is the Firewall registered to Central?

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • The first question is: Do you have any kind of problems within your network? Or is this just a "question". 

    Because I am always disabling the Invalid Traffic logging. It is not useful to me.
