Any-Any-Any still dropping packets UTM 9.501-5

I'm completely mystified. User complains about the login component of this page 

https://www.ticketmaster.ca/member?tm_link=tm_homeA_header_my_account

will not load. Switching networks (e.g. to wireless that does not pass through the UTM) loads fine.

The firewall log shows what is pasted below. I know that 60002 means some kind of outgoing rule is missing (probably the same for that 60003 rule), but even adding an ANY>ANY>ANY rule doesn't eliminate that. Looking through past posts for a while and disabling pretty much every security feature there is: still no login box.

I'm very rusty with this and I'm looking for some help as to what my next step should be here. I just want this website to load, and I suspect that other sites are also affected by this. 

Appreciate any help!

2018:06:17-08:33:41 remote ulogd[4541]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcmac="00:01:5c:9b:b6:46" dstmac="00:1a:8c:42:69:55" srcip="185.208.208.77" dstip="174.2.181.145" proto="6" length="40" tos="0x00" prec="0x00" ttl="240" srcport="57934" dstport="35027" tcpflags="SYN" 

2018:06:17-08:34:43 remote ulogd[4541]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcmac="00:01:5c:9b:b6:46" dstmac="00:1a:8c:42:69:55" srcip="5.141.82.192" dstip="174.2.181.145" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="61155" dstport="2323" tcpflags="SYN" 

2018:06:17-08:46:17 remote ulogd[4541]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a:8c:42:69:55" srcip="184.11.11.178" dstip="218.102.239.14" proto="1" length="68" tos="0x00" prec="0xc0" ttl="64" type="11" code="0" 



  • Hi Jee - first post - welcome to the UTM Community!

    As suggested, check Intrusion Prevention for the real problem (see #1 in Rulz).  In this case, you also should consult the Web Filtering log file.

    None of those log lines appears to have anything to do with ticketmaster.ca.  To better understand what you're seeing in the Firewall log file, check out Packetfilter logfiles on the Sophos UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
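Bob's point that none of the quoted drops touches ticketmaster.ca can be checked mechanically rather than by eye. The following is an added example, not code from the post or from Sophos: it parses the ulogd key="value" format of these packetfilter lines, tags each drop by direction from its interface fields, counts drops per fwrule, and filters for the addresses you actually care about. The sample input is the three lines quoted in the post; eth1 is assumed to be the external interface, and 203.0.113.10 is a made-up TEST-NET stand-in for whatever the site resolves to (the page does not give its address, so resolve it yourself and substitute).

```python
"""Parse Sophos UTM (ulogd) packetfilter drops and check which ones involve a given host.

Added example; not code from the original post or from Sophos. The sample lines are
the three quoted in the thread. 203.0.113.10 is a hypothetical stand-in address.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample input: the three drops pasted in the post (trailing spaces removed).
SAMPLE_LOG = """\
2018:06:17-08:33:41 remote ulogd[4541]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcmac="00:01:5c:9b:b6:46" dstmac="00:1a:8c:42:69:55" srcip="185.208.208.77" dstip="174.2.181.145" proto="6" length="40" tos="0x00" prec="0x00" ttl="240" srcport="57934" dstport="35027" tcpflags="SYN"
2018:06:17-08:34:43 remote ulogd[4541]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth1" outitf="eth1" srcmac="00:01:5c:9b:b6:46" dstmac="00:1a:8c:42:69:55" srcip="5.141.82.192" dstip="174.2.181.145" proto="6" length="40" tos="0x00" prec="0x00" ttl="52" srcport="61155" dstport="2323" tcpflags="SYN"
2018:06:17-08:46:17 remote ulogd[4541]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth1" srcmac="00:1a:8c:42:69:55" srcip="184.11.11.178" dstip="218.102.239.14" proto="1" length="68" tos="0x00" prec="0xc0" ttl="64" type="11" code="0"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
HEAD_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s+(\S+)\s+ulogd\[(\d+)\]:')
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}
EXTERNAL_IF = "eth1"  # assumption: eth1 is the Internet-facing interface


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one ulogd line into a dict; return None for lines in another format."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    rec = {"timestamp": head.group(1), "host": head.group(2), "pid": head.group(3)}
    rec.update(KV_RE.findall(line))  # every key="value" pair after the prefix
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse a whole log, silently skipping lines that are not ulogd records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def direction(rec: Dict[str, str], external_if: str = EXTERNAL_IF) -> str:
    """Classify a drop by its interface fields.

    initf == external interface: the packet arrived from the Internet (inbound).
    No initf at all, only outitf: netfilter logs locally generated packets without an
    input interface, so the UTM itself produced it (outbound-local).
    """
    if rec.get("initf") == external_if:
        return "inbound"
    if "initf" not in rec and rec.get("outitf") == external_if:
        return "outbound-local"
    return "other"


def describe(rec: Dict[str, str]) -> str:
    """One readable line per drop: direction, protocol, 5-tuple and the rule that dropped it."""
    proto = PROTO_NAMES.get(rec.get("proto", ""), "proto " + rec.get("proto", "?"))
    src = rec.get("srcip", "?") + (":" + rec["srcport"] if "srcport" in rec else "")
    dst = rec.get("dstip", "?") + (":" + rec["dstport"] if "dstport" in rec else "")
    extra = ""
    if proto == "ICMP":
        extra = f" type={rec.get('type')} code={rec.get('code')}"
    elif "tcpflags" in rec:
        extra = f" flags={rec['tcpflags']}"
    return (f"{rec['timestamp']} {direction(rec)} {proto} {src} -> {dst}{extra}"
            f" dropped by fwrule {rec.get('fwrule')}")


def drops_involving(records: List[Dict[str, str]], hosts: Iterable[str]) -> List[Dict[str, str]]:
    """Drops whose source or destination is one of the addresses of interest."""
    wanted = set(hosts)
    return [r for r in records if r.get("srcip") in wanted or r.get("dstip") in wanted]


def count_by_rule(records: List[Dict[str, str]]) -> Dict[str, int]:
    """How many drops each fwrule accounts for."""
    return dict(Counter(r.get("fwrule", "?") for r in records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(describe(r))
    print("drops by rule:", count_by_rule(recs))
    # Hypothetical stand-in for the addresses ticketmaster.ca resolves to.
    print("drops involving the site:", drops_involving(recs, {"203.0.113.10"}))
```

Run against a full day of the packetfilter log (for example `zcat` of the rotated file piped into `parse_log`) with the real resolved addresses of the site in place of the stand-in; if `drops_involving` returns nothing while the page still hangs, the packet filter is not what is blocking it and, as Bob says, the Web Filtering and Intrusion Prevention logs are the next place to look. The two inbound SYN drops here are unsolicited connection attempts from the Internet to the firewall's external address (one of them to port 2323), which is exactly what a default drop rule should be doing.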
  • I appreciate you getting back to me, and sorry for taking so long to reply. I turned IPS off; on the other tabs I unchecked all attack patterns, unchecked Use TCP SYN Flood Protection, Use UDP Flood Protection, and Use ICMP Flood Protection (all 3 unchecked), and Portscan Detection is OFF. Nothing in Exceptions or Advanced... but that does not seem to help. I'm also confused, since you said none of those log lines has anything to do with ticketmaster.ca.

     

    The firewall shows a lot of default drops but they do not seem to line up with the Ticketmaster.ca IP address...so...I'm stumped.

    I am wondering if I am mistaken in blaming the UTM 9 box? I can try connecting to this website from any other network on the same computer, same browser, and it loads fine, but from behind the firewall I get an endless loading screen. I'll dig through the log files again. I know I am missing something obvious. For now, in case it causes any 'ah-ha!' moments from helpful members of the forum, I am posting a 20-second video of the problem below, and then what it looks like when it works (tonight that happens to be from a different computer, as I'm not at the problem location to do a perfect demo video...). Any idea where I should look for this if the log file does not reflect this issue?

    https://vimeo.com/277577559

     
