
FTP - Does not block file extension exe/com

Hello,

 

I have Sophos UTM 9.5 installed in a virtual machine and I am able to access it with the help of the GUI.

This is my connection:

ubuntu Host0(eth2) --->(eth2) UTM VM (eth1)-->(eth1)ubuntu Host1

I have configured IP addresses on the hosts as well as in the UTM VM, and I am able to ping from Host0 to Host1 through the UTM.

Now I need to do some FTP from Host1 to get some files from Host0. The UTM has to block exe/com files.

I have added a rule under web filtering to block those files. But I am still able to fetch them.

 

These are the steps I need to do:

1. Start the FTP server and have files with different extensions

2. From the client, do FTP and get exe and com extension files

3. From the client, do FTP and put exe and com extension files

Expected Results:

1. GET and PUT of exe and com files are blocked with a proper error message

2. In the UTM content filtering statistics, the Base on extension list counter should increment accordingly

3. Verify the content filtering blocked message in the syslog

Can anyone suggest what I am missing?

 



  • Hello Prasanth,

    first thing that comes to my mind: Web is not FTP, so why do you expect a webfilter to block FTP-things?

    Or are you doing Web-FTP?

    If using the FTP-proxy function of the UTM, you could do it like this:

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Philipp,

    Thank you. This helped. But I did not see the count increase in statistics for this block anywhere.

    I need: in the UTM content filtering statistics, the Base on extension list counter should increment accordingly

     

    Is there an option, if you know of one, where I can see this?

    Thank you in advance for your reply. It will be really helpful.

    Thanks,

    kk

     

  • UTM has three different ways to do FTP filtering. See the FTP section of this link:

    https://community.sophos.com/products/unified-threat-management/f/recommended-reads/115522/sophos-utm-securing-and-configuring-web-filtering

    Standard Mode Web Filter will intercept FTP addresses issued by a web browser, or issued by an FTP client configured to use Web Proxy mode with UTM as the proxy. As I have written in many places, I recommend using Standard Mode Web to filter browser traffic, and Transparent Mode Web to filter non-browser traffic. All of the good FTP clients support multiple proxy modes, including web proxy. Microsoft FTP does not support proxy, but better alternatives are available for free.

    Transparent Mode FTP filter will intercept port 21 traffic from devices that do not use the Standard Mode Web proxy. It is the natural companion to Transparent Mode Web Filter.

    Standard Mode FTP proxy will cause a web browser to hang if it attempts to access an FTP site, so it should not be used at all.

    Standard Mode Web Filter is a more powerful and more effective tool than Transparent Mode FTP, so one option is to make it the only allowed proxy method. To do that, disable Transparent Mode FTP, and also block port 21 with Firewall Rules. Any traffic that does not use the Standard Mode proxy will then be blocked.

  • Since you asked a version of this question twice, I have deleted the other question.

  • Hello,

    Merry Christmas !

    Thank you very much for your time and kind help.

    I am not able to FTP if I have the UTM in between my two hosts.

    I followed the steps correctly. I tried between the hosts without the UTM and FTP works.

    It would be great if someone could help me out with the below.

    I am getting the following error.

    2019:12:25-21:35:12 frox[7981]: Connect from 70.0.0.2(ip-70-0-0-2)
    2019:12:25-21:35:12 frox[7981]: ... to 80.0.0.2()
    2019:12:25-21:35:12 frox[7981]: Denied by ACLs.
    2019:12:25-21:35:12 frox[7981]: Closing session
     
    Thanks.
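
For reading FTP proxy logs like the one quoted above, the following added example (not part of the original posts and not Sophos code) groups `frox` lines into sessions and lists the source and destination of each connection the proxy refused, so the pair can be compared with the proxy's configuration. It assumes that lines sharing a process id between `Connect from` and `Closing session` belong to one session; the second session in the sample is constructed for contrast.

```python
import re

# Constructed sample: the first session copies the format of the lines quoted
# above, the second is invented to show a session that was not denied.
SAMPLE_LOG = """\
2019:12:25-21:35:12 frox[7981]: Connect from 70.0.0.2(ip-70-0-0-2)
2019:12:25-21:35:12 frox[7981]: ... to 80.0.0.2()
2019:12:25-21:35:12 frox[7981]: Denied by ACLs.
2019:12:25-21:35:12 frox[7981]: Closing session
2019:12:25-21:40:03 frox[8012]: Connect from 192.0.2.10(client-a)
2019:12:25-21:40:03 frox[8012]: ... to 198.51.100.5()
2019:12:25-21:40:09 frox[8012]: Closing session
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) frox\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FROM_RE = re.compile(r"^Connect from (?P<ip>[^\s(]+)")
TO_RE = re.compile(r"^\.\.\. to (?P<ip>[^\s(]+)")


def parse_sessions(text):
    """Group frox lines by process id (assumed: one pid per session)."""
    open_sessions, done = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a frox line
        pid, msg = m["pid"], m["msg"]
        if (f := FROM_RE.match(msg)):
            # A new connection starts a fresh record, even if the pid is reused.
            open_sessions[pid] = {"start": m["ts"], "pid": pid,
                                  "src": f["ip"], "dst": None, "denied": False}
        elif pid in open_sessions:
            session = open_sessions[pid]
            if (t := TO_RE.match(msg)):
                session["dst"] = t["ip"]
            elif msg.startswith("Denied by ACLs"):
                session["denied"] = True
            elif msg.startswith("Closing session"):
                done.append(open_sessions.pop(pid))
    done.extend(open_sessions.values())  # keep sessions cut off by log truncation
    return done


def denied_pairs(text):
    """Return (timestamp, source, destination) for every refused connection."""
    return [(s["start"], s["src"], s["dst"])
            for s in parse_sessions(text) if s["denied"]]


if __name__ == "__main__":
    for ts, src, dst in denied_pairs(SAMPLE_LOG):
        print(f"{ts} DENIED {src} -> {dst}")
```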
     
  • Hi Prasanth,

    You will find that you get better, faster help here if you present "raw" information instead of describing what you did.  The lines from the FTP log are very helpful.  Now, please show pictures of the 'Global' and 'Advanced' tabs of 'FTP'.

    If you are attempting access via a web browser, show us the URL you're using.  If Web Filtering is in Standard mode, show us a picture of 'Allowed Target Services' on the 'Misc' tab of 'Filtering Options'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA