German Forum One site a) Sophos UTM, other site b) Sophos XG - How can I get rid of the blocking

UTM Firewall requires membership for participation - click to join

Thread Info

State Suggested Answer
Locked Locked
Replies 3 replies
Answers 1 answer
Subscribers 4 subscribers
Views 2113 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

One site a) Sophos UTM, other site b) Sophos XG - How can I get rid of the blocking

Oliver Privat over 1 year ago

Hi all,

Since days we have the following entries in the Advanced Thread Protection

One physical site a) Sophos UTM, other physical site b) Sophos XG

Assumed it is an Advanced Persitance Thread, how we can get rid of it?

KR
Olli

This thread was automatically locked due to age.

Parents

0 Raphael Alganes over 1 year ago

Hello Olli

If an end machine behind Sophos Firewall generates traffic on that malicious domain then an alert may be triggered by ATP. If UTM is not set as the DNS on the end machine, you might be able to see the actual source IP instead of the Public DNS (Google DNS) - as per the screenshot above

A tcpdump on port53 (DNS) might also give insight of the actual source on the network: https://support.sophos.com/support/s/article/KB-000038909?language=en_US

Then, if you have the source end machine verified on your network you may run a full/deep-scan and set a cleanup with your AV.

Hope this helps. Have a nice day and thank you for choosing Sophos.

Cheers,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Raphael Alganes over 1 year ago

Hello Olli

If an end machine behind Sophos Firewall generates traffic on that malicious domain then an alert may be triggered by ATP. If UTM is not set as the DNS on the end machine, you might be able to see the actual source IP instead of the Public DNS (Google DNS) - as per the screenshot above

A tcpdump on port53 (DNS) might also give insight of the actual source on the network: https://support.sophos.com/support/s/article/KB-000038909?language=en_US

Then, if you have the source end machine verified on your network you may run a full/deep-scan and set a cleanup with your AV.

Hope this helps. Have a nice day and thank you for choosing Sophos.

Cheers,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Oliver Privat over 1 year ago in reply to Raphael Alganes

Hello Raphael, hello all,

thank you very much for you answer.

We try to find the host which is trying to connect sporadic to the IP 107.6.74.76

Is this tcpdump command right or wrong:

tcpdump -nei any port 80,443 dst 107.6.74.76 -n -s0 -w /var/sec/chroot-httpd/var/webadmin/tcpdump.pcap

Any suggestions for a nmap, tcpdump CLI-command -or any other methods- to find a host which is trying to connect
-sporadic, that mean every 5,8,10 hours, days-
to the IP 107.6.74.76 ?
???

KR

Olli
Cancel
Vote Up 0 Vote Down

Cancel
0 Raphael Alganes over 1 year ago in reply to Oliver Privat

Hello Olli,

Good day and thanks for your response.

Are you using UTM as DNS server for your end machine/s? If yes, you could try to use other DNS settings aside from the UTM then you should be able to see the actual source IP instead of the Public DNS (Google DNS) on the ATP section.

Cheers,

Raphael Alganes
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel