
Why is this magically an issue all of a sudden with Windows Updates?

Trying to get my Windows Updates, and today I guess the sun isn't hot enough today for it to work?  I've changed nothing, and all of a sudden, things are being blocked.

This has gotten beyond annoying.

2022:07:15-11:04:57 amodin httpproxy[5613]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="172.18.0.98" dstip="72.21.81.200" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdaf9f100" url="http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b93a4287-ff09-40d2-a7fc-e1f80d4f1044?P1=1658432184&P2=404&P3=2&P4=RwaJHzTwTJ9BDw2gGWPYwQnsS8amfmWYzYy2MGX3HsIkjZedMYOe6U%2bHVE9hZoKAzZZ6dZf8xXtXicG20tHcjA%3d%3d" referer="" error="" authtime="0" dnstime="0" aptptime="0" cattime="176" avscantime="0" fullreqtime="37044" device="0" auth="0" ua="Microsoft BITS/7.8" exceptions="av,sandbox,ssl,fileextension,size" category="105" reputation="trusted" categoryname="Business" content-type="application/x-chrome-extension" reason="range"
2022:07:15-11:04:58 amodin httpproxy[5613]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="172.18.0.98" dstip="72.21.81.200" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdaf9f100" url="http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b93a4287-ff09-40d2-a7fc-e1f80d4f1044?P1=1658432184&P2=404&P3=2&P4=RwaJHzTwTJ9BDw2gGWPYwQnsS8amfmWYzYy2MGX3HsIkjZedMYOe6U%2bHVE9hZoKAzZZ6dZf8xXtXicG20tHcjA%3d%3d" referer="" error="" authtime="0" dnstime="419" aptptime="0" cattime="144" avscantime="0" fullreqtime="39963" device="0" auth="0" ua="Microsoft BITS/7.8" exceptions="av,sandbox,ssl,fileextension,size" category="105" reputation="trusted" categoryname="Business" country="United States" content-type="application/x-chrome-extension"
2022:07:15-11:04:58 amodin httpproxy[5613]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="172.18.0.98" dstip="72.21.81.200" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdaf9f100" url="http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b93a4287-ff09-40d2-a7fc-e1f80d4f1044?P1=1658432184&P2=404&P3=2&P4=RwaJHzTwTJ9BDw2gGWPYwQnsS8amfmWYzYy2MGX3HsIkjZedMYOe6U%2bHVE9hZoKAzZZ6dZf8xXtXicG20tHcjA%3d%3d" referer="" error="" authtime="0" dnstime="0" aptptime="0" cattime="151" avscantime="0" fullreqtime="38305" device="0" auth="0" ua="Microsoft BITS/7.8" exceptions="av,sandbox,ssl,fileextension,size" category="105" reputation="trusted" categoryname="Business" content-type="application/x-chrome-extension" reason="range"
2022:07:15-11:04:58 amodin httpproxy[5613]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="172.18.0.98" dstip="72.21.81.200" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdaf9f100" url="http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b93a4287-ff09-40d2-a7fc-e1f80d4f1044?P1=1658432184&P2=404&P3=2&P4=RwaJHzTwTJ9BDw2gGWPYwQnsS8amfmWYzYy2MGX3HsIkjZedMYOe6U%2bHVE9hZoKAzZZ6dZf8xXtXicG20tHcjA%3d%3d" referer="" error="" authtime="0" dnstime="448" aptptime="0" cattime="178" avscantime="0" fullreqtime="41235" device="0" auth="0" ua="Microsoft BITS/7.8" exceptions="av,sandbox,ssl,fileextension,size" category="105" reputation="trusted" categoryname="Business" country="United States" content-type="application/x-chrome-extension"



This thread was automatically locked due to age.

  • Honestly, sorry - I'd have to reply with 'That's BS'.  

    Why is this just today an issue, after running fine after all this time?

    Why would my UTM just decide after so long to just start screwing it up now?

    Oh, by the way:

    A screenshot from my UTM, showing the exact thing your old issue told me to do, which has been there since I reimaged my UTM. Content removal was checked already, I unchecked it trying to fix this problem. This is actually created when you install UTM, so I don't see why we are back at asking:  "Why is this STILL an issue?"

    And if it's been such a problem for all these versions - why not fix it?  Why drag this crap out over three versions of being the same issue?  Is this just another attempt to push XG on people so you don't have to fix UTM problems?

    Just EoL UTM already and get it over with if that's the case.

    I am so over boxing with this.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • You see the reason Range in your log entry. Check the past logs to see if Windows Updates worked differently. Essentially, this is not a change in UTM / Sophos; instead, something happened in your setup or Windows changed the method it uses to update. The Range blocking has been in the product for quite a while.

    And fixing this would mean giving UTM a DPI engine like SFOS has. That means years of development and a new architecture, which the UTM is not capable of. As the httpproxy is simply a proxy within the system, you cannot "simply give it a DPI Engine". You would have to bring firewalling and other systems into the system to get to the point where SFOS is right now - having a full-scale DPI engine using TLS 1.3 on all ports. Because this is how you can deal with Range downloads. See: https://en.wikipedia.org/wiki/Byte_serving

    And you should adjust the Exception based on the KB. 

    __________________________________________________________________________________________________________________
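
Added example, not part of any post in this thread: a short Python script that follows the suggestion above to check the logs, pulling out every httpproxy request blocked with `reason="range"` and grouping it by host and user agent, with the first time it was seen and the exceptions that were applied. The sample lines are abridged from the ones posted in the thread plus one constructed line; the function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Lines 1-3 are abridged from the httpproxy lines posted in the thread (fields
# and query string dropped); line 4 is constructed to show a non-range block.
SAMPLE_LOG = '''\
2022:07:15-11:04:57 amodin httpproxy[5613]: id="0002" name="web request blocked" action="block" method="GET" srcip="172.18.0.98" statuscode="416" url="http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b93a4287-ff09-40d2-a7fc-e1f80d4f1044" ua="Microsoft BITS/7.8" exceptions="av,sandbox,ssl,fileextension,size" reason="range"
2022:07:15-11:04:58 amodin httpproxy[5613]: id="0001" name="http access" action="pass" method="HEAD" srcip="172.18.0.98" statuscode="200" url="http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b93a4287-ff09-40d2-a7fc-e1f80d4f1044" ua="Microsoft BITS/7.8" exceptions="av,sandbox,ssl,fileextension,size"
2022:07:15-11:04:58 amodin httpproxy[5613]: id="0002" name="web request blocked" action="block" method="GET" srcip="172.18.0.98" statuscode="416" url="http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b93a4287-ff09-40d2-a7fc-e1f80d4f1044" ua="Microsoft BITS/7.8" exceptions="av,sandbox,ssl,fileextension,size" reason="range"
2022:07:15-11:05:02 amodin httpproxy[5613]: id="0002" name="web request blocked" action="block" method="GET" srcip="172.18.0.98" statuscode="403" url="http://blocked.example.test/file.bin" ua="ExampleAgent/1.0" exceptions="" reason="category"
'''

FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" pairs


def parse_line(line):
    """Return one httpproxy line as a dict of its key="value" fields."""
    fields = dict(FIELD_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def range_block_report(log_text):
    """Group requests blocked with reason="range" by (host, user agent)."""
    report = {}
    for line in log_text.splitlines():
        if "httpproxy[" not in line:
            continue
        f = parse_line(line)
        if f.get("action") != "block" or f.get("reason") != "range":
            continue
        key = (urlsplit(f.get("url", "")).hostname, f.get("ua", ""))
        entry = report.setdefault(key, {"count": 0, "first_seen": f["timestamp"],
                                        "status": set(), "exceptions": set()})
        entry["count"] += 1
        # Timestamps are YYYY:MM:DD-HH:MM:SS, so string order is time order.
        entry["first_seen"] = min(entry["first_seen"], f["timestamp"])
        entry["status"].add(f.get("statuscode"))
        entry["exceptions"].update(x for x in f.get("exceptions", "").split(",") if x)
    return report


if __name__ == "__main__":
    for (host, ua), e in range_block_report(SAMPLE_LOG).items():
        print(host, ua, e["count"], e["first_seen"],
              sorted(e["status"]), sorted(e["exceptions"]))
```

Run over older httpproxy logs, the `first_seen` value shows when range blocks began for a given host, and the `exceptions` set shows which exception checks were actually skipped for those requests.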

  • I've asked this in another thread I started, and keep in mind I am a networking newb, however, would it not be better to use a DNS Group instead of Regex?  It is just a big pain in the buttox to manually create a host group for every address, but you would need less.  I know importing hosts in bulk is in XG and sadly missing in UTM, but I think it would be easier to implement.

    If I'm way off let me know, as again I'm a newb that just may be rambling on and way off base.

    (I do agree with the UTM comment about pushing for XG. Why re-invent the wheel when it can be modernized instead!)

  • There is no way to do that, Dave.  A DNS Group object has to have a single, complete FQDN like ctldl.windowsupdate.com.

    Amodin's problem would be resolved by skipping the Proxy for a DNS Group for msedge.b.tlu.dl.delivery.mp.microsoft.com.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I don't understand why you would use a proxy skipping list at all.
    I suffered a lot with MS 365 dynamic DNS + IP addresses for its 500 services. Services that use IP-only endpoint connections will also not be skipped by Proxy Skipping URL definitions...

    - use the Transparent Mode Skiplist
    - create an MS Group (or 2 for IP / DNS)
    - add well-known MS IP and DNS endpoints (as DNS Group -> you will get a lot of IPs in reverse)
    - done

  • Looking at SFOS: https://support.sophos.com/support/s/article/KB-000043654?language=en_US

    It depends on how to interact with an exception. 

    You can create your Host object quite easily here: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122450/creating-xml-objects-with-notepad-for-mass-import

    Regex can work, but sometimes it cannot. It depends on how the app is written.  

    __________________________________________________________________________________________________________________