
UTM vs ESET PROTECT

Hello, I have a weird problem. I have a new server with ESET PROTECT and I am trying to update the users' endpoint antivirus, but it is not working because the firewall is blocking the ESET URLs. I am using an exception list for ESET, and when I try the Policy Helpdesk it works too. Do you have any idea why the firewall is blocking it? Thank you.

We are using Web Protection in Standard Mode with AD SSO:

ESET exception list: 

Here is a screenshot of the firewall log:

and here is the Policy Helpdesk test, which is good:



This thread was automatically locked due to age.
  • Hi Jiri,

    What do you see in the Web Filtering log related to this?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Nothing. It does not appear in web filtering log. 

  • OK, I'll move this to the Network Protection forum.

    Please post a few lines from the Firewall log file related to the above.  Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line(s) from the full Firewall log file.

    Cheers - Bob

     
  • Hello, okay. I really don't understand why it is using the firewall and ignoring Web Protection.

    Here is the log: 

    06:14:23 Default DROP TCP 192.168.1.12:52184 -> 38.90.226.62:8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:24 Default DROP TCP 192.168.1.12:52183 -> 38.90.226.62:8883 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:28 Default DROP TCP 192.168.1.12:52184 -> 38.90.226.62:8883 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:32 Default DROP TCP 192.168.1.12:52187 -> 38.90.226.12:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:35 Default DROP TCP 192.168.1.12:52187 -> 38.90.226.12:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:41 Default DROP TCP 192.168.1.12:52187 -> 38.90.226.12:80 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:53 Default DROP TCP 192.168.1.12:52192 -> 38.90.226.12:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:14:56 Default DROP TCP 192.168.1.12:52192 -> 38.90.226.12:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:02 Default DROP TCP 192.168.1.12:52192 -> 38.90.226.12:80 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:08 Default DROP TCP 192.168.1.12:52200 -> 91.228.167.43:53535 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:10 Default DROP TCP 192.168.1.12:52200 -> 91.228.167.43:53535 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:14 Default DROP TCP 192.168.1.12:52208 -> 38.90.226.12:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:17 Default DROP TCP 192.168.1.12:52200 -> 91.228.167.43:53535 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:17 Default DROP TCP 192.168.1.12:52208 -> 38.90.226.12:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:20 Default DROP TCP 192.168.1.12:52210 -> 91.228.165.146:8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:23 Default DROP TCP 192.168.1.12:52210 -> 91.228.165.146:8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:23 Default DROP TCP 192.168.1.12:52208 -> 38.90.226.12:80 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:28 Default DROP TCP 192.168.1.12:52210 -> 91.228.165.146:8883 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:28 Default DROP TCP 192.168.1.12:52213 -> 91.228.167.137:53535 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:31 Default DROP TCP 192.168.1.12:52221 -> 91.228.165.146:8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:32 Default DROP TCP 192.168.1.12:52222 -> 91.228.165.146:8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:32 Default DROP TCP 192.168.1.12:52223 -> 38.90.226.37:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:32 Default DROP TCP 192.168.1.12:52213 -> 91.228.167.137:53535 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:35 Default DROP TCP 192.168.1.12:52221 -> 91.228.165.146:8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:35 Default DROP TCP 192.168.1.12:52222 -> 91.228.165.146:8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:35 Default DROP TCP 192.168.1.12:52223 -> 38.90.226.37:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:36 Default DROP TCP 192.168.1.12:52225 -> 91.228.166.52:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:38 Default DROP TCP 192.168.1.12:52213 -> 91.228.167.137:53535 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:39 Default DROP TCP 192.168.1.12:52225 -> 91.228.166.52:80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:41 Default DROP TCP 192.168.1.12:52221 -> 91.228.165.146:8883 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:41 Default DROP TCP 192.168.1.12:52222 -> 91.228.165.146:8883 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:41 Default DROP TCP 192.168.1.12:52223 -> 38.90.226.37:80 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:44 Default DROP TCP 192.168.1.12:52226 -> 91.228.165.146:443 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:44 Default DROP TCP 192.168.1.12:52225 -> 91.228.166.52:80 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
    06:15:47 Default DROP TCP 192.168.1.12:52226 -> 91.228.165.146:443 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0

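A drop log like the one above mixes two different situations: SYNs to ports the transparent web proxy never intercepts (8883, 53535) and SYNs to 80/443 that should have been handled by Web Protection but reached the firewall anyway. The script below is an added example, not code from this thread or from Sophos UTM. It parses Firewall Live Log lines, counts distinct connection attempts per destination and port (a retransmitted SYN reuses its source port, so it is not counted twice), splits them by whether the port is one the proxy handles, and turns the non-proxy destinations into the tightest per-port allow rules for the one source host. The sample log entries are constructed from the ones posted above; the assumption that the transparent proxy only ever sees TCP 80 and 443 is the author's and should be matched to your own Web Protection configuration.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of entries taken from the Firewall Live Log posted in
# this thread, one entry per line (the live log view breaks each entry over several lines).
SAMPLE_LOG = """\
06:14:23 Default DROP TCP 192.168.1.12 : 52184 38.90.226.62 : 8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
06:14:28 Default DROP TCP 192.168.1.12 : 52184 38.90.226.62 : 8883 [SYN] len=52 ttl=127 tos=0x00 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
06:14:32 Default DROP TCP 192.168.1.12 : 52187 38.90.226.12 : 80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
06:14:35 Default DROP TCP 192.168.1.12 : 52187 38.90.226.12 : 80 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
06:15:08 Default DROP TCP 192.168.1.12 : 52200 91.228.167.43 : 53535 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
06:15:20 Default DROP TCP 192.168.1.12 : 52210 91.228.165.146 : 8883 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
06:15:44 Default DROP TCP 192.168.1.12 : 52226 91.228.165.146 : 443 [SYN] len=52 ttl=127 tos=0x02 srcmac=02:94:45:05:31:b3 dstmac=00:1a:8c:f0:a1:c0
"""

# Assumption: the transparent web proxy only intercepts TCP 80 and 443. Anything else
# hitting the "Default DROP" rule never reached Web Protection and needs a firewall rule.
PROXY_PORTS = frozenset({80, 443})

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<rule>\S+)\s+(?P<action>DROP|ACCEPT|REJECT)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*:\s*(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s*:\s*(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]"
)


def parse_log(text):
    """Parse live-log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def dropped_attempts(records, src):
    """Count distinct connection attempts per (dst, dport) for dropped SYNs from src.

    A retransmitted SYN keeps the same source port, so attempts are counted by
    distinct source port rather than by log line.
    """
    ports_seen = defaultdict(set)
    for r in records:
        if r["src"] == src and r["action"] == "DROP" and "SYN" in r["flags"]:
            ports_seen[(r["dst"], r["dport"])].add(r["sport"])
    return {key: len(sports) for key, sports in ports_seen.items()}


def classify(records, src, proxy_ports=PROXY_PORTS):
    """Split dropped destinations into proxy-port drops (the proxy was bypassed, e.g. by a
    transparent-mode skiplist entry) and drops on ports the proxy never handles."""
    attempts = dropped_attempts(records, src)
    via_proxy = {k: n for k, n in attempts.items() if k[1] in proxy_ports}
    bypass = {k: n for k, n in attempts.items() if k[1] not in proxy_ports}
    return via_proxy, bypass


def suggest_rules(bypass, src, proto="TCP"):
    """Group non-proxy destinations by port into minimal allow rules for src.

    Each rule is src -> proto/dport -> exactly the destination hosts seen, which is
    a tighter alternative to a skiplist entry or an 'Any' service rule.
    """
    by_port = defaultdict(set)
    for (dst, dport) in bypass:
        by_port[dport].add(dst)
    return [
        {"src": src, "proto": proto, "dport": dport, "dst": sorted(hosts), "action": "Allow"}
        for dport, hosts in sorted(by_port.items())
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    proxied, bypassed = classify(recs, "192.168.1.12")
    print("dropped on proxy ports (proxy bypassed):", proxied)
    print("dropped on non-proxy ports:", bypassed)
    for rule in suggest_rules(bypassed, "192.168.1.12"):
        print(rule)
```

Run it against a longer excerpt of the live log and the 80/443 group tells you which hosts the exception or skiplist is letting past Web Protection, while the other group is the list of host/port pairs that will need explicit firewall rules no matter how Web Protection is configured.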
  • We had to add our ESET server (ESMC/ESET PROTECT) to the Transparent Mode Skiplist (both Skip Transparent Mode Source Hosts/Nets and Skip Transparent Mode Destination Hosts/Nets) to get this working.

    Web Protection --> Filtering Options --> Misc

  • Hi Rob - I think you're right that that's what he did, but that he doesn't want to use 'Allow HTTP/S traffic for listed hosts/nets'.

    Jiri, what happens if you make a firewall rule like '{192.168.1.12} -> Web Surfing -> {repository.eset.com} : Allow'?

    Cheers - Bob

     
  • The firewall rule works, but I prefer to use the proxy instead of ESET. ESET has a lot of IPs.

  • I added it to these groups, but it allows a lot of traffic; I would like to use the proxy :/.

  • Do you want to proxy the traffic to scan it or to cache it?

  • My point is that I want server 192.168.1.12 to be able to reach only the ESET websites. But when I put it in Skip Transparent Mode Source Hosts/Nets and Skip Transparent Mode Destination Hosts/Nets, I can reach a lot more than the ESET hostnames.

  • Jiri, you will have to create either a firewall rule with the FQDNs supplied or a Web Filtering Exception that skips everything.  Even then, you may find some that require skipping and an Exception.

    I'll move this back to the Web Protection forum if you solve this with Web Protection.

    Cheers - Bob

     