
So... why are NVIDIA drivers suddenly taboo to download?

Not changed a thing on XG, even downloaded these drivers, using the same application, several times in the past. For the first time in weeks, I haven't had to mess with anything.  This worked just fine before.

I even have a 'Safe Downloading' exception for NVIDIA, yet the firewall is denying the download.  Today, the moon or the sun, or someone screwing with something must be the issue.  Had this happen before on UTM with Windows Updates, and then it magically fixed itself days later. 

What prompts this behavior to change and decide, "Oh well today I think it's okay, so I'm going to allow a download.  Yesterday didn't work for me."

I really don't understand this logic with the firewall.

messageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" fw_rule_id="5" fw_rule_name="#Default_Network_Policy" fw_rule_section="Local rule" user="" user_group="" web_policy_id="12" web_policy="Default Policy" category="Download Freeware & Shareware" category_type="Objectionable" url="international-gfe.download.nvidia.com" content_type="" override_token="" src_ip="172.18.0.98" dst_ip="192.229.211.70" protocol="TCP" src_port="63610" dst_port="443" bytes_sent="0" bytes_received="0" domain="international-gfe.download.nvidia.com" exception="" activity_name="" reason="" user_agent="" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="3501233152" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"


  • Can you show the block web filter entry and also the regex? 


  • 2023-06-21 14:04:43
    messageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" fw_rule_id="5" fw_rule_name="#Default_Network_Policy" fw_rule_section="Local rule" user="" user_group="" web_policy_id="12" web_policy="Default Policy" category="Download Freeware & Shareware" category_type="Objectionable" url="us.download.nvidia.com" content_type="" override_token="" src_ip="172.18.0.130" dst_ip="192.229.211.70" protocol="TCP" src_port="40178" dst_port="443" bytes_sent="0" bytes_received="0" domain="us.download.nvidia.com" exception="" activity_name="" reason="" user_agent="" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="4119268800" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

    ^[A-Za-z0-9.-]*\.download\.nvidia\.com/

    I just tried again today, and the only thing I've changed since the original post was the regex; my original regex is in a post above.

    If I add the Shareware/Freeware category, it works.

    This time, I did not use GeForce Experience to download the driver, this was a driver update in Linux Mint OS, which is a requirement to update the video driver before I can install my 3d printer program.

    You should also take note that the DNS names listed in these two filter logs are both pointing to the same DST IP, so... yeah.

    EDIT: Just added the category to this exception, and it's installing. 

    2023-06-21 14:16:55
    messageid="16001" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" fw_rule_id="5" fw_rule_name="#Default_Network_Policy" fw_rule_section="Local rule" user="" user_group="" web_policy_id="12" web_policy="Default Policy" category="Download Freeware & Shareware" category_type="Objectionable" url="us.download.nvidia.com" content_type="" override_token="" src_ip="172.18.0.130" dst_ip="192.229.211.70" protocol="TCP" src_port="43326" dst_port="443" bytes_sent="3391665" bytes_received="341977606" domain="us.download.nvidia.com" exception="av,https,validation,policy,zero-day protection" activity_name="" reason="" user_agent="" status_code="0" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="1496357440" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)
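An added example, not code from the thread or from Sophos: it parses lines in the key="value" format of the content-filtering logs quoted above, tests the posted exception regex against the logged domain, and reports which inspection steps (the `exception=` field of the Allowed entry) that exception switched off for the transfer. The sample lines are constructed, and the assumption that the firewall matches the pattern against the URL without its scheme is mine.

```python
import re

# Constructed sample lines modelled on the Sophos XG content-filtering log
# lines quoted in the thread; fields not needed here are left out.
SAMPLE_LOGS = [
    'log_subtype="Denied" category="Download Freeware & Shareware" '
    'domain="international-gfe.download.nvidia.com" exception="" status_code="403"',
    'log_subtype="Allowed" category="Download Freeware & Shareware" '
    'domain="us.download.nvidia.com" '
    'exception="av,https,validation,policy,zero-day protection" status_code="0"',
    'log_subtype="Allowed" category="Download Freeware & Shareware" '
    'domain="cdn.example-freeware.invalid" exception="" status_code="0"',
]

# Sophos log format: space-separated key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# The web-exception regex posted in the thread. The log's domain field carries
# no path, so it is tested against domain + "/" (assumption: the firewall
# matches the pattern against the URL without its scheme).
NVIDIA_EXCEPTION = re.compile(r'^[A-Za-z0-9.-]*\.download\.nvidia\.com/')

# Exception flags that mean the payload itself was not inspected.
INSPECTION_FLAGS = {"av", "zero-day protection"}


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def in_exception_scope(domain):
    """True when the posted regex would cover a URL on this domain."""
    return NVIDIA_EXCEPTION.match(domain + "/") is not None


def review(lines):
    """For each record: was it covered by the NVIDIA exception, and which
    inspection steps did the exception bypass on an allowed transfer."""
    out = []
    for line in lines:
        rec = parse_line(line)
        skipped = {s.strip() for s in rec.get("exception", "").split(",") if s.strip()}
        out.append({
            "domain": rec.get("domain", ""),
            "verdict": rec.get("log_subtype", ""),
            "in_scope": in_exception_scope(rec.get("domain", "")),
            "inspection_bypassed": sorted(skipped & INSPECTION_FLAGS),
        })
    return out


if __name__ == "__main__":
    for finding in review(SAMPLE_LOGS):
        print(finding)
```

The second record shows the trade-off the later replies argue about: the exception that lets the driver through also records `av` and `zero-day protection` as skipped, so the allowed download was not scanned.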

  • EDIT: Just added the category to this exception, and it's installing. 

    I was almost going to recommend creating a FQDN host definition for download.nvidia.com, and then creating a new webfilter policy allowing shareware & freeware, then add a firewall rule that allows this Nvidia FQDN as the destination, using the newly created web filter policy.

    convoluted approach???

  • It's basically doing exactly what I did here.  The point of all this is:  It's not Shareware, it bypasses firewall rules when you apply a category that should otherwise be blocked, and it wasn't ever like this to begin with until recently when someone got the notion to think drivers were shareware.  SMH.

    You can't even use the excuse of using GeForce Experience because directly downloading drivers through an operating system has the same issue.


  • Why is Nvidia not Share/Freeware? Isn't this the definition of Freeware, if you can download it without any restriction and use it? https://en.wikipedia.org/wiki/Freeware 


  • The issue is that the nvidia drivers are more like Software Updates than shareware and should be categorized as that. The categorization makes no distinction between Freeware and Shareware which are lumped together as an umbrella term in the same category.

    The other issue is that even though Amodin was blocking downloads from China, the driver downloads were allowed once the Shareware exception was made, because of your explanation above.

    Which is why granularity rules are recommended, and the web exception should now only allow nvidia driver downloads from China/U.S. with no risk of allowing other downloads from China.

  • Try: ^[A-Za-z0-9.-]*\.download\.nvidia\.com/


  • Then by your definition, any driver set to update a computer or peripheral should be categorized as Shareware/Freeware and blocked as such, including but not limited to, Microsoft Updates.  Drivers are no different.

    Try: ^[A-Za-z0-9.-]*\.download\.nvidia\.com/

    This is exactly the same regex that I posted above, and it doesn't work either.

    Which is why granularity rules are recommended, and the web exception should now only allow nvidia driver downloads from China/U.S. with no risk of allowing other downloads from China.

    But that's the thing, today was not a China-based CDN, and frankly neither was the original one, as it went to the same IP address, which is U.S. based on ARIN and ASN number.


  • How would an actual network admin handle this issue? Do most companies just contact Sophos support, and they remotely administer the firewall? Wanting to know how it is actually handled in a real world scenario, and the correct, recommended method. 

  • Based on Lucar's answer, all software and firmware updates should be classified as shareware, e.g. XG firmware updates, anti-whatever to the desktop, etc.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.