UTM vs ESET PROTECT

Hello, I have a weird problem. I have a new server with ESET PROTECT and I am trying to update the users' endpoint antivirus, but it is not working because the firewall is blocking ESET URLs. I am using an exception list for ESET, and when I try the Policy Helpdesk it works too. Have you any idea why the firewall is blocking it? Thank you.

We are using Web Protection in Standard Mode with AD SSO:

ESET exception list: 

Here is a screenshot of the firewall log:

and here is the Policy Helpdesk test, which is fine:



Added web protection mode.
[edited by: Jiri Skryja at 1:33 PM (GMT -7) on 10 Aug 2021]
  • Ahoj Jiri,

    What do you see in the Web Filtering log related to this?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Nothing. It does not appear in the web filtering log.

  • OK, I'll move this to the Network Protection forum.

    Please post a few lines from the Firewall log file related to the above.  Alone among the logs, the Firewall Live Log presents abbreviated information in a format that is easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line(s) from the full Firewall log file.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello, okay. I really don't understand why it is using the firewall and ignoring the web protection.

    Here is the log:

    06:14:23 Default DROP TCP 192.168.1.12 : 52184 → 38.90.226.62 : 8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:24 Default DROP TCP 192.168.1.12 : 52183 → 38.90.226.62 : 8883 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:28 Default DROP TCP 192.168.1.12 : 52184 → 38.90.226.62 : 8883 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:32 Default DROP TCP 192.168.1.12 : 52187 → 38.90.226.12 : 80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:35 Default DROP TCP 192.168.1.12 : 52187 → 38.90.226.12 : 80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:41 Default DROP TCP 192.168.1.12 : 52187 → 38.90.226.12 : 80 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:53 Default DROP TCP 192.168.1.12 : 52192 → 38.90.226.12 : 80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:56 Default DROP TCP 192.168.1.12 : 52192 → 38.90.226.12 : 80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:02 Default DROP TCP 192.168.1.12 : 52192 → 38.90.226.12 : 80 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:08 Default DROP TCP 192.168.1.12 : 52200 → 91.228.167.43 : 53535 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:10 Default DROP TCP 192.168.1.12 : 52200 → 91.228.167.43 : 53535 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:14 Default DROP TCP 192.168.1.12 : 52208 → 38.90.226.12 : 80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:17 Default DROP TCP 192.168.1.12 : 52200 → 91.228.167.43 : 53535 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:17 Default DROP TCP 192.168.1.12 : 52208 → 38.90.226.12 : 80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:20 Default DROP TCP 192.168.1.12 : 52210 → 91.228.165.146 : 8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:23 Default DROP TCP 192.168.1.12 : 52210 → 91.228.165.146 : 8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:23 Default DROP TCP 192.168.1.12 : 52208 → 38.90.226.12 : 80 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:28 Default DROP TCP 192.168.1.12 : 52210 → 91.228.165.146 : 8883 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:28 Default DROP TCP 192.168.1.12 : 52213 → 91.228.167.137 : 53535 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:31 Default DROP TCP 192.168.1.12 : 52221 → 91.228.165.146 : 8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:32 Default DROP TCP 192.168.1.12 : 52222 → 91.228.165.146 : 8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:32 Default DROP TCP 192.168.1.12 : 52223 → 38.90.226.37 : 80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:32 Default DROP TCP 192.168.1.12 : 52213 → 91.228.167.137 : 53535 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:35 Default DROP TCP 192.168.1.12 : 52221 → 91.228.165.146 : 8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:35 Default DROP TCP 192.168.1.12 : 52222 → 91.228.165.146 : 8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:35 Default DROP TCP 192.168.1.12 : 52223 → 38.90.226.37 : 80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:36 Default DROP TCP 192.168.1.12 : 52225 → 91.228.166.52 : 80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:38 Default DROP TCP 192.168.1.12 : 52213 → 91.228.167.137 : 53535 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:39 Default DROP TCP 192.168.1.12 : 52225 → 91.228.166.52 : 80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:41 Default DROP TCP 192.168.1.12 : 52221 → 91.228.165.146 : 8883 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:41 Default DROP TCP 192.168.1.12 : 52222 → 91.228.165.146 : 8883 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:41 Default DROP TCP 192.168.1.12 : 52223 → 38.90.226.37 : 80 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:44 Default DROP TCP 192.168.1.12 : 52226 → 91.228.165.146 : 443 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:44 Default DROP TCP 192.168.1.12 : 52225 → 91.228.166.52 : 80 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:47 Default DROP TCP 192.168.1.12 : 52226 → 91.228.165.146 : 443 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0

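The log above is easier to reason about once the drops are grouped by destination and port, because a web proxy only ever handles HTTP/HTTPS traffic: connections to other TCP ports (8883 and 53535 here) reach the packet filter directly, whatever mode Web Protection runs in. The following Python script is an added example, not code from the thread, from Sophos or from ESET. It parses Firewall Live Log rows in the one-row-per-packet form (accepting either "->" or "→" between source and destination), counts dropped connections per destination, and separates the ports a web proxy could have seen (80/443) from the ones it never could. The sample rows are a constructed subset of the log posted in this thread.

```python
import re
from collections import Counter

# Constructed sample: a subset of the Firewall Live Log rows posted in the thread,
# one row per packet exactly as the live log displays them.
SAMPLE_LOG = """\
06:14:23 Default DROP TCP 192.168.1.12 : 52184 -> 38.90.226.62 : 8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
06:14:24 Default DROP TCP 192.168.1.12 : 52183 -> 38.90.226.62 : 8883 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
06:14:32 Default DROP TCP 192.168.1.12 : 52187 -> 38.90.226.12 : 80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
06:15:08 Default DROP TCP 192.168.1.12 : 52200 -> 91.228.167.43 : 53535 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
06:15:20 Default DROP TCP 192.168.1.12 : 52210 -> 91.228.165.146 : 8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
06:15:44 Default DROP TCP 192.168.1.12 : 52226 -> 91.228.165.146 : 443 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
"""

# One live-log row: time, rule name, action, protocol, "src : sport -> dst : dport",
# TCP flags in brackets, then key=value attributes.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<rule>\S+)\s+(?P<action>DROP|ACCEPT|REJECT)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+)\s*:\s*(?P<sport>\d+)\s*(?:->|→)\s*"
    r"(?P<dst>[\d.]+)\s*:\s*(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]\s*(?P<rest>.*)$"
)

# Ports a web proxy (explicit or transparent) can handle at all.
WEB_PORTS = {80: "http", 443: "https"}


def parse_line(line):
    """Return a dict for one live-log row, or None if the row does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    # Trailing "len=52 ttl=127 ..." becomes a small attribute dict.
    entry["attrs"] = dict(kv.split("=", 1) for kv in entry.pop("rest").split())
    return entry


def summarize(text):
    """Count DROP rows per (dst, dport) and split the ports into proxy-eligible
    (80/443) and everything else, which only a firewall rule can allow."""
    by_dest = Counter()
    by_port = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["action"] != "DROP":
            continue
        by_dest[(entry["dst"], entry["dport"])] += 1
        by_port[entry["dport"]] += 1
    return {
        "by_dest": by_dest,
        "web_ports": {p: n for p, n in by_port.items() if p in WEB_PORTS},
        "non_web_ports": {p: n for p, n in by_port.items() if p not in WEB_PORTS},
    }


def report(text):
    """Human-readable version of summarize(), for running the script by hand."""
    s = summarize(text)
    lines = ["Dropped connections by destination:"]
    for (dst, port), n in sorted(s["by_dest"].items()):
        kind = WEB_PORTS.get(port, "not web traffic, proxy cannot help")
        lines.append(f"  {dst}:{port:<6} x{n}  ({kind})")
    lines.append(f"proxy-eligible ports: {s['web_ports']}")
    lines.append(f"ports needing a firewall rule: {s['non_web_ports']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Running it against the full log from the thread shows the same split: the 80/443 rows are the only ones an exception list or a proxy allow-rule can affect, while the 8883 and 53535 rows will keep appearing in the firewall log until a firewall rule (or the Transparent Mode skiplist, if the ESET server itself is the client) permits them.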
  • We had to add our ESET server (ESMC/ESET Protect) to the Transparent Mode Skiplist (both Skip Transparent Mode Source Hosts/Nets and Skip Transparent Mode Destination Hosts/Nets) to get this working.

    Web protection --> Filtering Options --> Misc

  • Hoi Rob - I think you're right that that's what he did, but that he doesn't want to use 'Allow HTTP/S traffic for listed hosts/net'.

    Jiri, what happens if you make a firewall rule like '{192.168.1.12} -> Web Surfing -> {repository.eset.com} : Allow'?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The firewall rule works, but I prefer to use the proxy instead. ESET has a lot of IPs.

  • I added it to these groups, but it allows a lot of traffic. I would like to use the proxy :/

  • I would use the firewall, but when you look at the hostnames on their web page: https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall?locale=sk_SK&viewlocale=en_US, there are so many hostnames that the proxy seems easier.

  • Do you want to proxy the traffic to scan it or to cache it?