
bad pattern updates......AGAIN????

Current pattern updates v208978. Blocking App Store courier.push.apple.com/


sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.50.20" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_HttProContaInterNetwo3 (Internal filter profile)" filteraction="REF_DefaultHTTPCFFAction (Content filter (Internal Network))" size="0" request="0x8c7e3100" url="https://courier.push.apple.com/" referer="" error="Host not found" authtime="0" dnstime="236" aptptime="127" cattime="30401" avscantime="0" fullreqtime="46490" device="0" auth="0" ua="" exceptions="av,sandbox,fileextension" category="105" reputation="trusted" categoryname="Business"

Can anyone confirm we have a bad pattern update v206808? Can't connect to the App Store; it is blocking the URL https://courier.push.apple.com

2022:02:26-18:52:38 httpproxy[14863]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.50.20" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_HttProContaInterNetwo3 (Internal filter profile)" filteraction="REF_DefaultHTTPCFFAction (Content filter (Internal Network))" size="0" request="0x9db16e00" url="https://courier.push.apple.com/" referer="" error="Host not found" authtime="0" dnstime="19295" aptptime="125" cattime="156" avscantime="0" fullreqtime="20543" device="0" auth="0" ua="" exceptions="av,sandbox,fileextension" category="105" reputation="trusted" categoryname="Business"

Thanks



  • I tried this.  Didn't work. Thing is, I am connecting, and the logs tell me I get an update.  Other patterns appear to be updating, but the pattern version itself (206808) is not updating.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • It sounds and looks like there is no update to be downloaded and installed. It may be the situation talked about earlier, that the updates on the weekends come from Ukraine Sophos brains and they're having issues right now. Let's hope for better outcomes Monday. Thanks Amodin

  • I tried a few minutes ago.  I first changed patterns to manual, applied it, then told it to update - nothing.  Leaving it at manual, I turned off IPS and portscan.  Waited a few minutes.  Turned portscan and IPS back on after changing pattern updates back to 15 min:

    2022:02:27-21:03:42 amodin audld[1056]: no HA system or cluster node
    2022:02:27-21:03:42 amodin audld[1056]: patch up2date possible
    2022:02:27-21:03:42 amodin audld[1056]: Starting Secured Up2Date Package Downloader
    2022:02:27-21:03:42 amodin audld[1056]: Secured Up2date Authentication
    2022:02:27-21:03:42 amodin audld[1056]: id="3701" severity="info" sys="system" sub="up2date" name="Authentication successful"
    2022:02:27-21:03:45 amodin audld[1056]: id="3707" severity="info" sys="system" sub="up2date" name="Successfully synchronized fileset" status="success" action="download" package="ipsbundle2"
    2022:02:27-21:03:45 amodin auisys[1156]: no HA system or cluster node
    2022:02:27-21:03:45 amodin auisys[1156]: waiting for db_verify to return (30 seconds max)
    2022:02:27-21:03:46 amodin auisys[1156]: not cleaning /var/up2date/sys-install in --nosys mode
    2022:02:27-21:03:46 amodin auisys[1156]: removing '/var/up2date/appctrl43-install'
    2022:02:27-21:03:46 amodin auisys[1156]: removing '/var/up2date/aptp-install'
    2022:02:27-21:03:46 amodin auisys[1156]: removing '/var/up2date/aws-install'
    2022:02:27-21:03:46 amodin auisys[1156]: removing '/var/up2date/cadata-install'
    2022:02:27-21:03:46 amodin auisys[1156]: removing '/var/up2date/geoip-install'
    2022:02:27-21:03:46 amodin auisys[1156]: removing '/var/up2date/geoipxtipv6-install'
    2022:02:27-21:03:46 amodin auisys[1156]: removing '/var/up2date/ipsbundle2-install'
    2022:02:27-21:03:46 amodin auisys[1156]: removing '/var/up2date/man9-install'
    2022:02:27-21:03:46 amodin auisys[1156]: removing '/var/up2date/ohelp9-install'
    2022:02:27-21:03:46 amodin auisys[1156]: removing '/var/up2date/sasi-install'
    2022:02:27-21:03:46 amodin auisys[1156]: removing '/var/up2date/savi-install'
    2022:02:27-21:03:46 amodin auisys[1156]: Starting Up2Date Package Installer
    2022:02:27-21:03:46 amodin auisys[1156]: No suitable packages of type <man9> found, skipping
    2022:02:27-21:03:46 amodin auisys[1156]: No suitable packages of type <aws> found, skipping
    2022:02:27-21:03:46 amodin auisys[1156]: No suitable packages of type <appctrl43> found, skipping
    2022:02:27-21:03:46 amodin auisys[1156]: No suitable packages of type <ohelp9> found, skipping
    2022:02:27-21:03:46 amodin auisys[1156]: No suitable packages of type <geoipxtipv6> found, skipping
    2022:02:27-21:03:46 amodin auisys[1156]: No suitable packages of type <aptp> found, skipping
    2022:02:27-21:03:46 amodin auisys[1156]: No suitable packages of type <cadata> found, skipping
    2022:02:27-21:03:46 amodin auisys[1156]: No suitable packages of type <geoip> found, skipping
    2022:02:27-21:03:46 amodin auisys[1156]: No suitable packages of type <sasi> found, skipping
    2022:02:27-21:03:46 amodin auisys[1156]: No suitable packages of type <savi> found, skipping
    2022:02:27-21:03:46 amodin auisys[1156]: Install u2d packages <ipsbundle2>
    2022:02:27-21:03:46 amodin auisys[1156]: Starting installing up2date packages for type 'ipsbundle2'
    2022:02:27-21:03:46 amodin auisys[1156]: no u2d-ipsbundle2 RPM installed
    2022:02:27-21:03:46 amodin auisys[1156]: Installing up2date package: /var/up2date/ipsbundle2/u2d-ipsbundle2-9.621.tgz.gpg
    2022:02:27-21:03:46 amodin auisys[1156]: Verifying up2date package signature
    2022:02:27-21:03:47 amodin auisys[1156]: Unpacking installation instructions
    2022:02:27-21:03:47 amodin auisys[1156]: parsing installation instructions
    2022:02:27-21:03:47 amodin auisys[1156]: Unpacking up2date package container
    2022:02:27-21:03:47 amodin auisys[1156]: Running pre-installation checks
    2022:02:27-21:03:47 amodin auisys[1156]: Starting up2date package installation
    2022:02:27-21:04:03 amodin auisys[1156]: id="371Z" severity="info" sys="system" sub="up2date" name="Successfully installed Up2Date package" status="success" action="install" package_version="9.621" package="ipsbundle2"
    2022:02:27-21:04:03 amodin auisys[1156]: [INFO-306] New Pattern Up2Dates installed
    2022:02:27-21:04:04 amodin auisys[1156]: Up2Date Package Installer finished, exiting
    2022:02:27-21:04:04 amodin auisys[1156]: id="3716" severity="info" sys="system" sub="up2date" name="Up2Date Package Installer finished, exiting"
    2022:02:27-21:11:01 amodin audld[2441]: no HA system or cluster node
    2022:02:27-21:11:01 amodin audld[2441]: patch up2date possible
    2022:02:27-21:11:01 amodin audld[2441]: Starting Secured Up2Date Package Downloader
    2022:02:27-21:11:02 amodin audld[2441]: Secured Up2date Authentication
    2022:02:27-21:11:02 amodin audld[2441]: id="3701" severity="info" sys="system" sub="up2date" name="Authentication successful"

    So the IPS bundles are updating because the last version I saw was 9.50-something, and here it's 9.6.  SAVI is also appearing to update its version.  

    I can also ping us1 and us2 Sophos up2d sites from the UTM and get the AWS responses from them, so they are responding to ICMP at least, lol.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Thank you Amodin, that's good news, hopefully the day will be calmer in Europe and someone will address this.  Hope you have a good day and week.

  • 2022:02:28-09:22:31 isecsolutions httpproxy[14863]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.50.31" dstip="209.197.3.8" user="" group="" ad_domain="" statuscode="504" cached="0" profile="REF_HttProContaInterNetwo3 (Internal filter profile)" filteraction="REF_DefaultHTTPCFFAction (Content filter (Internal Network))" size="0" request="0x95845100" url="ctldl.windowsupdate.com/.../pinrulesstl.cab" referer="" error="Connection to server timed out" authtime="0" dnstime="1133" aptptime="50922" cattime="566095" avscantime="0" fullreqtime="122250814" device="0" auth="0" ua="Microsoft-CryptoAPI/10.0" exceptions="av,sandbox,fileextension" category="175" reputation="trusted" categoryname="Software/Hardware" country="United States" country="United States" application="winupdat" app-id="596"
    2022:02:28-09:22:55

    Now Windows Update is being blocked as well.
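    An added example, not from this thread or from Sophos: a small Python parser for the key="value" httpproxy log format quoted in this post and in the opening one. It separates genuine content-filter blocks from blocks whose error field shows the proxy could not resolve or reach the upstream host (the "Host not found" and "Connection to server timed out" lines above), which is the signal that DNS or the proxy's upstream path, not the filter policy, is what needs looking at. The sample lines are constructed and trimmed; the field names and the two URLs are the page's own.

```python
import re

# Sophos UTM httpproxy lines: "<timestamp> <host> httpproxy[<pid>]: " prefix,
# then whitespace-separated key="value" pairs (values may contain spaces).
KV_RE = re.compile(r'(\S+?)="([^"]*)"')

# Constructed sample lines, modelled on the ones quoted in this thread
# (fields trimmed; the App Store and Windows Update URLs are the page's own).
SAMPLE_LOG = """\
2022:02:26-18:52:38 utm httpproxy[14863]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.50.20" dstip="" statuscode="502" url="https://courier.push.apple.com/" error="Host not found" dnstime="19295" cattime="156" fullreqtime="20543" reputation="trusted" categoryname="Business"
2022:02:28-09:22:31 utm httpproxy[14863]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.50.31" dstip="209.197.3.8" statuscode="504" url="ctldl.windowsupdate.com/.../pinrulesstl.cab" error="Connection to server timed out" dnstime="1133" cattime="566095" fullreqtime="122250814" reputation="trusted" categoryname="Software/Hardware"
2022:02:28-09:30:00 utm httpproxy[14863]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.50.31" dstip="203.0.113.10" statuscode="200" url="http://example.com/" error="" dnstime="12" cattime="40" fullreqtime="210" reputation="trusted" categoryname="Business"
2022:02:28-09:31:00 utm httpproxy[14863]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.50.40" dstip="" statuscode="403" url="http://malware.example/" error="" dnstime="5" cattime="3" fullreqtime="20" reputation="malicious" categoryname="Malware"
"""

# Error strings seen on this page that mean "could not resolve/reach upstream":
# the block is a side effect of a DNS or connectivity failure, not of policy.
UPSTREAM_ERRORS = {"Host not found", "Connection to server timed out"}

def parse_line(line):
    """Dict of the key="value" fields of one httpproxy line, or None if the
    'proc[pid]: ' separator is missing. The timestamp is added as a field."""
    prefix, sep, body = line.partition(": ")
    if not sep:
        return None
    fields = dict(KV_RE.findall(body))
    fields["timestamp"] = prefix.split(" ", 1)[0]
    return fields

def classify(fields):
    """'policy' for a genuine content-filter block, 'upstream' for a block whose
    error field shows a DNS/connect failure, None for traffic that passed."""
    if fields.get("action") != "block":
        return None
    return "upstream" if fields.get("error") in UPSTREAM_ERRORS else "policy"

def suspect_update_blocks(lines):
    """Blocks of trusted-reputation destinations caused by upstream failures.
    A burst of these (App Store, Windows Update) points at DNS or the proxy's
    upstream path, not at the filter policy. Yields (ts, src, url, err, dnstime)."""
    for line in lines:
        f = parse_line(line)
        if f and classify(f) == "upstream" and f.get("reputation") == "trusted":
            yield (f["timestamp"], f["srcip"], f["url"], f["error"],
                   int(f.get("dnstime", "0")))

# Run over the constructed sample; a real deployment would read the httpproxy log file.
SUSPECT = list(suspect_update_blocks(SAMPLE_LOG.splitlines()))
print(*SUSPECT, sep="\n")
```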

  • The following is from AN OLD POST SO IGNORE the errors.....

    >>> Modules::Audld::LocalRestriction::_seek_own_country::130()
    Could not connect to Server us1.utmu2d.sophos.com (status=500 Can't connect to us1.utmu2d.sophos.com:443 (timeout)).

    >>> Modules::Audld::LocalRestriction::_seek_own_country::130()
    Could not connect to Server us2.utmu2d.sophos.com (status=500 Can't connect to us2.utmu2d.sophos.com:443 (timeout)).

    >>> Modules::Audld::LocalRestriction::_seek_own_country::130()
    Could not connect to Server sg1.utmu2d.sophos.com (status=500 Can't connect to sg1.utmu2d.sophos.com:443 (timeout)).

    >>> Modules::Audld::LocalRestriction::_seek_own_country::130()
    Could not connect to Server eu1.utmu2d.sophos.com (status=500 Can't connect to eu1.utmu2d.sophos.com:443 (timeout)).

    >>> Modules::Audld::LocalRestriction::_seek_own_country::130()
    Could not connect to Server eu2.utmu2d.sophos.com (status=500 Can't connect to eu2.utmu2d.sophos.com:443 (timeout)).

    but at least it gives what may still be the utmu2d nslookup names. It appears they're all on Amazon AWS, which is never ever good: a single point of failure. I hope someone from Sophos logs into here and reads this and looks into it; many of us don't have time to call Sophos tech support and wait on hold for hours and still not get resolution. Is some employee from Sophos reading this???

  • I was wondering if restoring to 9.708-6 would also restore the previous pattern updates?

  • That would be interesting... let me see if I can do that. I have some virtual Sophos UTMs; let me see if there is a restore point. Please hold, I'll do it now.

  • Powering back on a VM UTM 9.708 that worked just fine... will see if the pattern update works.