I'm on version 9.705-3, and since sometime in May, the log files for Web Filtering have grown from 500MB daily to 2+ GBs daily. The logs are flooded with the below entry:
2021:06:28-10:26:55 FirewallName httpproxy: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd899a000" function="adir_auth_process_ntlm" file="auth_adir.c" line="1531" message="lm response security buffer outside packet or response to long"
Any ideas on what this log entry is and what is causing it?
Hi Jake, thanks for reaching out to Sophos Community. This isn’t actually an "error" and is more of a notification about the NTLM handshake. Which operation mode are you using the web filter with, and is there any authentication configured within the policy or in the base policy?
Hey DeveshM, thanks for the quick reply!
The web filter operation mode is "Standard mode". Below that the default authentication is set to "Active Directory SSO". We swapped one of our domain controllers in February, not sure if that could be the issue as we didn't see the increased log size until May.
Hi Jake and welcome to the UTM Community!
In your browsers' Proxy settings, be sure to use an FQDN that resolves to the IP of the AD server instead of the IP itself. If you use the IP, authentication is done via NTLM. With an FQDN, Kerberos is used. Fixing that should get things under control. Let us know if that was it.
Cheers - Bob
You mentioned having the FQDN of our AD server in the proxy settings, but our Sophos UTM acts as our proxy. We have the FQDN of the UTM in the proxy settings. Is there another setting that needs to be changed somewhere, or maybe I'm misunderstanding something.
Thanks for the input!
Still having an issue with this, any insight would be greatly appreciated. Thanks!
My bad, Jake! I wrote "AD server" instead of the UTM.
I meant the Proxy Settings in the browser in the PC you're using should use an FQDN to reach the UTM as a Proxy, nothing in the UTM needed to change.
Any better luck with that?
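To see how much of the Web Filtering log the quoted NTLM entry accounts for, and whether its hourly rate drops after the browser proxy setting is changed, the log can be grouped by `function` and `message`. This is an added example, not part of the thread and not Sophos tooling; it assumes the line format of the entry quoted above, and the timestamps and the non-NTLM sample lines are constructed.

```python
import re
from collections import Counter

# Header: "YYYY:MM:DD-HH:MM:SS host daemon[pid]: " followed by key="value" pairs.
LINE_RE = re.compile(
    r'^(\d{4}:\d{2}:\d{2}-\d{2}):\d{2}:\d{2} (\S+) ([\w-]+)(?:\[\d+\])?: (.*)$')
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_line(line):
    """Return the key="value" fields plus _hour/_host/_daemon, or None if malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    hour, host, daemon, rest = m.groups()
    fields = dict(KV_RE.findall(rest))
    fields.update(_hour=hour, _host=host, _daemon=daemon)
    return fields

def summarize(lines):
    """Bytes per (function, message), entries per (hour, function), malformed count."""
    size, per_hour, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        key = (rec.get("function", "-"), rec.get("message", "-"))
        size[key] += len(line.encode("utf-8"))
        per_hour[(rec["_hour"], key[0])] += 1
    return size, per_hour, skipped

# The entry from the thread, with a substitutable timestamp (timestamps constructed).
NTLM = ('{ts} FirewallName httpproxy: id="0003" severity="info" sys="SecureWeb" '
        'sub="http" request="0xd899a000" function="adir_auth_process_ntlm" '
        'file="auth_adir.c" line="1531" message="lm response security buffer '
        'outside packet or response to long"')
SAMPLE = [
    NTLM.format(ts="2021:06:28-10:26:55"),
    NTLM.format(ts="2021:06:28-10:26:56"),
    NTLM.format(ts="2021:06:28-11:02:10"),
    # Constructed placeholder entry standing in for other proxy log lines.
    '2021:06:28-11:02:11 FirewallName httpproxy[1234]: id="0000" severity="info" '
    'function="example_fn" message="constructed placeholder"',
    "truncated line without header",  # constructed malformed line
]

if __name__ == "__main__":
    size, per_hour, skipped = summarize(SAMPLE)
    total = sum(size.values())
    for (func, msg), nbytes in size.most_common(5):
        print(f"{100 * nbytes / total:5.1f}%  {func}: {msg}")
    for (hour, func), n in sorted(per_hour.items()):
        print(f"{hour}  {func}  {n}")
    print("malformed lines:", skipped)
```

To run it against a real file, pass the open file object to `summarize()` in place of `SAMPLE`.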