
Website sporadically being detected as forbidden application

Hey guys, 

 

We have an odd issue where the AAT website is being sporadically detected as a HOTSPOT app, which we have blocked on our network. There seems to be no regular pattern to this; it just occasionally happens and stays this way for an hour or two, then normal access to the website is resumed.

The website has an exception on the proxy to allow it through, but I can't understand how / why the UTM is picking it up as an Application. Has anyone got any advice / ideas? I've attached a line from the weblog so you can see.

 

2018:02:06-11:32:58 sophos httpproxy[9499]: id="0066" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden application detected" action="block" method="GET" srcip="*****" dstip="13.32.67.182" user="****" group="Staff Mail- all active staff accounts" ad_domain="***" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffStaffDefauPolic (Staff Default policy)" size="3186" request="0x8a0a0400" url="https://www.aat.org.uk/login" referer="https://www.google.co.uk/" error="" authtime="37" dnstime="36170" cattime="0" avscantime="0" fullreqtime="36917" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36" exceptions="url" overridecategory="1" overridereputation="1" application="HOTSPTSH" app-id="1074"



  • Almost a year later, but I have an answer for you Chris.  This is an Application Control block reported in the Web Filtering log.

    # cat /etc/afc/applications|grep '^1074,'
         1074,VPN and Tunneling,Hotspot Shield

    Look in AppCtrl for where this is blocked and insert an allow rule above that rule.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
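
An added example, not from the thread or from Sophos: a small parser that finds "forbidden application detected" blocks in Web Filtering log lines, resolves each app-id against the id,category,name table the answer greps, and notes whether a URL exception was in effect on the blocked request. The log lines, the source addresses and the 9999 app-id are constructed samples, and treating the exceptions field as a comma-separated list is an assumption.

```python
import re

# Constructed row in the "id,category,name" layout shown in the answer above;
# on the UTM the data would come from /etc/afc/applications.
APPLICATIONS = "1074,VPN and Tunneling,Hotspot Shield\n"

# Constructed, shortened log lines modelled on the one in the question.
SAMPLE_LOG = '''\
2018:02:06-11:32:58 sophos httpproxy[9499]: id="0066" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden application detected" action="block" method="GET" srcip="192.0.2.10" url="https://www.aat.org.uk/login" exceptions="url" application="HOTSPTSH" app-id="1074"
2018:02:06-11:40:02 sophos httpproxy[9499]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.0.2.10" url="https://www.aat.org.uk/" exceptions="url"
2018:02:06-11:41:17 sophos httpproxy[9499]: id="0066" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden application detected" action="block" method="GET" srcip="192.0.2.11" url="https://example.com/" exceptions="" application="EXAMPLE" app-id="9999"
'''

KV = re.compile(r'([\w-]+)="([^"]*)"')  # key="value" pairs as in the log line


def load_apps(text):
    """Map app-id -> (category, name) from id,category,name rows."""
    apps = {}
    for row in text.splitlines():
        parts = row.strip().split(",", 2)
        if len(parts) == 3:
            apps[parts[0]] = (parts[1], parts[2])
    return apps


def app_control_blocks(log_text, apps):
    """Return one record per request blocked as a forbidden application."""
    hits = []
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        if f.get("action") != "block" or "forbidden application" not in f.get("name", ""):
            continue
        category, name = apps.get(f.get("app-id", ""), ("unknown", "unknown"))
        hits.append({
            "time": line.split(" ", 1)[0],
            "url": f.get("url", ""),
            "app_id": f.get("app-id", ""),
            "app": name,
            "category": category,
            # Assumption: exceptions is a comma-separated list of skipped checks.
            "url_exception": "url" in f.get("exceptions", "").split(","),
        })
    return hits


if __name__ == "__main__":
    for hit in app_control_blocks(SAMPLE_LOG, load_apps(APPLICATIONS)):
        print(hit)
```

A record with url_exception set to True is the situation in the question: the request matched a Web Filtering exception and was still blocked as an application.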