Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 11 replies
  • Subscribers 5 subscribers
  • Views 2305 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM 9 akamai

xxxxxx

I have eu1.concursolutions.com  in a webfiltering whitelist and  a wget  to it  works fine

2022:02:18-11:08:50 utm httpproxy[8987]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="x.x.x.x." dstip="104.103.204.76" user="" group="" ad_domain="" statuscode="301" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffWhitelist (Whitelist)" size="0" request="0xdbbeca00" url="http://eu1.concursolutions.com/" referer="" error="" authtime="0" dnstime="187" aptptime="0" cattime="13174" avscantime="0" fullreqtime="25708" device="0" auth="0" ua="Wget/1.20.3 (linux-gnu)" exceptions="" overridereputation="1" category="105" reputation="trusted" categoryname="Business"

My SAP team are calling eu1.concursolutions.com from within SAP PI ,  that runs on the same server I run wget from

2022:02:18-10:59:45 utm httpproxy[8987]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="x.x.x.x" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffWhitelist (Whitelist)" size="3182" request="0xa732000" url="2.19.154.55/" referer="" error="" authtime="0" dnstime="0" aptptime="0" cattime="81" avscantime="0" fullreqtime="213448" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" reason="category"

but via  SAP PI  2.19.154.55  is seen in the log rather than eu1.concursolutions.com, and dstip=""  ( I'm not sure why and yes sap uses the fqdn)

>nslookup eu1.concursolutions.com

Non-authoritative answer:
Name: e7868.b.akamaiedge.net
Address: 2.19.154.55
Aliases: eu1.concursolutions.com
global-wc.concursolutions.com.edgekey.net

The eu1.concursolutions.com ip may change , so other than putting all the akamai ips in the whitelist is there another way to deal with this ?  TIA

https://blogs.sap.com/2019/06/10/how-akamai-works-in-sap-cloud-for-customers/



This thread was automatically locked due to age.
Parents
  • 0

    Add a web filtering exception for akamaiedge.net

    It's always tempting to block the akamai stuff, but it's such a large hosting that major players and solutions use it to host.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    Many thanks for your answer.

    If the webfiltering log is showing the ip for an akamai  server , would the exception have to include the ip ranges of akamai?

  • 0 in reply to xxxxxx

    No just the DNS name, the UTM will resolve the IPs like it does the NTP pool.  You will have to add it as a DNS Group rather than a single one.  As an example, zoom.us is in my UTM has a DNS Group, and has 22 IPs:

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to xxxxxx

    Within your log you can see url="">https://2.19.154.55/" ...
    Once again, one of those great programmers managed to use the IP address instead of the FQDN within the call.
    You probably won't even get a valid certificate for this IP.
    The current certificate is issued to "https://*.concursolutions.com" which does not match "">https://2.19.154.55".
    Sophos SG does a great job blocking these request ...

    ... but you may create the exception for Host with IP "2.19.154.55"

    PS: your try to access "">eu1.concursolutions.com/"  hit IP dstip="104.103.204.76" ... which is a completely different IP as used by the App (2.19.154.55).


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Reply
  • 0 in reply to xxxxxx

    Within your log you can see url="">https://2.19.154.55/" ...
    Once again, one of those great programmers managed to use the IP address instead of the FQDN within the call.
    You probably won't even get a valid certificate for this IP.
    The current certificate is issued to "https://*.concursolutions.com" which does not match "">https://2.19.154.55".
    Sophos SG does a great job blocking these request ...

    ... but you may create the exception for Host with IP "2.19.154.55"

    PS: your try to access "">eu1.concursolutions.com/"  hit IP dstip="104.103.204.76" ... which is a completely different IP as used by the App (2.19.154.55).


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Children
  • 0 in reply to dirkkotte

    Thanks you for your input ,  what I don't understand  is,  if I send the same  traffic to a simple squid proxy server with  eu1.concursolutions.com  whistelisted,  everything works fine.  I do not have to  specify any ip's in the white list,   e.g. akamai or others.

  • 0 in reply to xxxxxx

    Yes, please compare ...

    If You call the page/site/URL you use the name of the server url="http://eu1.concursolutions.com/"  like within your first log

    2022:02:18-11:08:50 utm httpproxy[8987]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="x.x.x.x." dstip="104.103.204.76" user="" group="" ad_domain="" statuscode="301" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffWhitelist (Whitelist)" size="0" request="0xdbbeca00" url="http://eu1.concursolutions.com/" referer="" error="" authtime="0" dnstime="187" aptptime="0" cattime="13174" avscantime="0" fullreqtime="25708" device="0" auth="0" ua="Wget/1.20.3 (linux-gnu)" exceptions="" overridereputation="1" category="105" reputation="trusted" categoryname="Business"

    while the App call url="">https://2.19.154.55/"

    2022:02:18-10:59:45 utm httpproxy[8987]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="x.x.x.x" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffWhitelist (Whitelist)" size="3182" request="0xa732000" url="">https://2.19.154.55/" referer="" error="" authtime="0" dnstime="0" aptptime="0" cattime="81" avscantime="0" fullreqtime="213448" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" reason="category"


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • 0 in reply to dirkkotte

    Hi Dirk; The app  always calls  "http://eu1.concursolutions.com/  ..

    If I set the app proxy server setting to use the  squid proxy server  , which has whitelist  eu1.concursolutions.com, the app works,

    If I remove the proxy server setting on the same app,  it  routes out via the SOPHOS  UTM .  The ip's of eu1.concursolutions.com appear in the web filtering logs.   I  have to whitelist the ip's of   eu1.concursolutions.com on the UTM  and can't get away with just whitelisting eu1.concursolutions.com , like I do on the squid proxy 

    Really appreciating your help Dirk

  • 0 in reply to xxxxxx

    ... and if you configure the UTM as Proxy within the app?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • 0 in reply to dirkkotte

    I'm about to look a trying that. Need to work out the  port.

    FYI The Webfiltering -> GLOBAL setting -> is transparent mode  , and I thought using a proxy setting is not relevant is this mode.

  • 0 in reply to xxxxxx

    the standard mode is still active in the background
    the port can be found somewhere in the settings


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

Unfiltered HTML