XG port 8090 (IPS error messages) not accessible

Hi Sophos Team,

I did an upgrade of a software appliance and found out, that the generated error message which will be displayed in the browser are not accessible by the clients.

The messages are published through port 8090. You can replicate the issue, e.g. by trying to download EICAR test virus, which triggers the IPS (web malware scanning enabled).

 

Is this a bug or is this a new behavior in v18, which means I have to create a FW rule for this?

Until v17.5 these things were managed automatically by "Administration --> Device Access".

 

My second question on this topic is if there are any details what the "Do not apply this migrated rule to system-destined traffic."-option in the FW rules exactly means amd how we should deal with this.

 

Thanks and Best Regards

Dom

Parents
  • There is a mix of both.

    The new stream based engine has to deal differently with malware scanning. Because XG does not act as a Proxy anymore, it cannot give a direct block page. It will redirect you. Thats the wanted behavior. But the redirect to 8090 needs to work. 

    It will redirect you to the captive portal. Can you check, if the captive portal in Device Access is enabled for this zone? (Port 8090 is captive Portal). 

     

     

    The second question: Please open a new Thread for this to keep one question per Thread. 

    __________________________________________________________________________________________________________________

  • Hello Lucar,

    I would recommend a warning symbol somewhere reasonable to flag to users not using the enforced proxy that the Captive Portal has to be enabled to present blocked messages.

     would this be something reasonable to add to the list to prevent user error?

    I have some customers who disable the Captive Portal.

    Emile

  • It does seem like it's the cause of some confusion. There are a number of key end-user interactions that are driven through port 8090 along with the Captive Portal. I agree it would make sense for us to perhaps change the labelling of that option in the Device Access page to reflect that it has other effects as well.

    Would customers still need another way to disable the captive portal specifically? Or do they just disable it as a matter of hygiene because they believe the port/services to be unused?

    Regards

    Rich

  • Hi Rich,

    I disabled everything unused simply because its a security / hardening practice to minimize the attack surface - and of course for performance / resource usage reasons. :)

    (I‘m just a home user)

    Thanks and Best Regards

    Dom

Reply Children
No Data