Some applications need to make SFTP connections to the Internet. Their setup was working fine on-prem, but now that they have migrated to AWS it doesn't.
In AWS we have UTM 9 with Web Filtering as a proxy, and connections are not passing through. Instances in AWS use the UTM IP address and port 8080 as their proxy settings in order to reach the Internet, and the applications have the proxy set up too.
The application tries to SFTP to 100.X.X.X using port 2222 but times out. This is seen in the Web Filtering Live Log...
2021:05:06-14:45:07 MYFIREWALL httpproxy: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.10.10.19" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xa9f2e00" url="https://100.X.X.X:2222/" referer="" error="Target service not allowed" authtime="0" dnstime="0" aptptime="0" cattime="0" avscantime="0" fullreqtime="1281" device="0" auth="0" ua="" exceptions=""
It comes to my attention that the UTM sees url = https on port 2222 when it was an SFTP connection. Can somebody comment on this?
To fix this I tried setting up a Generic Proxy rule [Web Protection > Advanced] but had the same issue, same logs.
This is how the rule looks:
Interface: Internal (this is the only interface the UTM has)
Service definition: tcp-2222
Allowed networks: 10.0.0.0
Thanks for your time and support!
Sorry for the hyperlink, I'll be careful next time. I don't know how to edit it.
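On the question of why the UTM shows an https URL for an SFTP session: an SSH/SFTP client that is told to use an HTTP proxy opens the session with an HTTP `CONNECT host:port` request, and an HTTP proxy records such a tunnel request as an `https://host:port/` URL regardless of what protocol will later run inside the tunnel, which is exactly the shape of the `url="https://100.X.X.X:2222/"` field in the log line above. The following is an added example written for this page, not Sophos UTM code: a toy CONNECT proxy with a target-port allow-list on loopback, a client that performs only the CONNECT preamble, and a stand-in "SFTP host" that just sends an SSH banner. The allow-list, the log-line format and the reuse of the `Target service not allowed` wording are assumptions modelled on the quoted entry, not the UTM's actual implementation.

```python
import contextlib
import socket
import socketserver
import threading


class BannerHost(socketserver.BaseRequestHandler):
    """Constructed stand-in for the remote SFTP host: in SSH the server speaks first,
    so it sends its identification string and hangs up. No real SSH server involved."""

    def handle(self):
        self.request.sendall(b"SSH-2.0-DemoSFTP\r\n")


def pump(src, dst):
    """Copy bytes one way until EOF or error, then half-close the destination."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


class ConnectProxy(socketserver.BaseRequestHandler):
    """Toy CONNECT-only proxy (not Sophos code). A tunnel request is recorded as an
    'https://host:port/' URL whatever protocol (SSH, TLS, ...) will run inside it;
    ports outside server.allowed_ports get a 403, mirroring the statuscode="403" /
    error="Target service not allowed" line quoted in the post (format assumed)."""

    def record(self, host, port, status, error=""):
        self.server.log.append(f'method="CONNECT" srcip="{self.client_address[0]}" '
                               f'statuscode="{status}" url="https://{host}:{port}/" error="{error}"')

    def handle(self):
        conn = self.request
        conn.settimeout(5)
        data = b""
        while b"\r\n\r\n" not in data:  # read the request head
            chunk = conn.recv(4096)
            if not chunk:
                return
            data += chunk
        head, _, extra = data.partition(b"\r\n\r\n")
        method, target, _ = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ", 2)
        host, port = target.rsplit(":", 1)
        port = int(port)
        if method != "CONNECT" or port not in self.server.allowed_ports:
            self.record(host, port, 403, "Target service not allowed")
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
            return
        upstream = socket.create_connection((host, port), timeout=5)
        self.record(host, port, 200)
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        if extra:  # anything the client sent without waiting for our answer
            upstream.sendall(extra)
        t = threading.Thread(target=pump, args=(conn, upstream), daemon=True)
        t.start()
        pump(upstream, conn)  # target -> client (here: the SSH banner)
        t.join()
        upstream.close()


def serve(handler):
    """Start a threaded TCP server for handler on an ephemeral loopback port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def connect_via_proxy(proxy_port, host, port):
    """The preamble an SSH client's ProxyCommand performs before any SSH bytes flow:
    send 'CONNECT host:port', read the status. Returns (status, bytes from target)."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    s.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    f = s.makefile("rb")
    status = int(f.readline().split(b" ", 2)[1])
    while f.readline().strip():  # skip the proxy's response headers
        pass
    body = f.read() if status == 200 else b""  # tunnel up: what follows is the target's
    f.close()
    s.close()
    return status, body


def demo():
    """Replay the thread: SFTP port refused, then allowed once it is on the list."""
    sftp_host = serve(BannerHost)
    proxy = serve(ConnectProxy)
    proxy.allowed_ports, proxy.log = {443}, []
    sftp_port = sftp_host.server_address[1]
    blocked = connect_via_proxy(proxy.server_address[1], "127.0.0.1", sftp_port)
    proxy.allowed_ports.add(sftp_port)  # analogue of adding tcp-2222 to Allowed Target Services
    allowed = connect_via_proxy(proxy.server_address[1], "127.0.0.1", sftp_port)
    for srv in (proxy, sftp_host):
        srv.shutdown()
        srv.server_close()
    return blocked, allowed, proxy.log
```

Running `demo()` replays the thread: the first tunnel to the SFTP port is refused with a 403 and logged as an https URL with that port, the second succeeds once the port is on the list, and the SSH banner comes back through the tunnel. A real OpenSSH client performs the same preamble through a ProxyCommand such as OpenBSD netcat's `nc -X connect -x <utm-ip>:8080 %h %p`; the SSH bytes only start after the proxy's 200, which is why a refusal shows up as a timeout or an early connection failure on the client rather than as an SSH error.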
¡Hola, Mauricio! and welcome to the UTM Community!
When this was on-prem, was Web Filtering in Standard mode with 2222 added to 'Allowed Target Services' on the 'Misc' tab? Is the browser using the Proxy explicitly?
Cheers - Bob
At Web Protection > Filtering Options > Misc, a service definition for TCP 20222 was created and added to the Allowed Target Services list (suggested on https://community.sophos.com/utm-firewall/f/hardware-installation-up2date-licensing/98392/target-service-not-allowed ).
After testing the SFTP connection from the server... there is no timeout this time; now it sees "Algorithm negotiation failed". This might mean that the remote destination was reached but didn't like something in the cipher suite. I looked into the Web Filtering logs.
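To see which tunnels the web filter is refusing, and which destination ports an Allowed Target Services entry would have to cover, the block entries can be pulled out of the httpproxy log programmatically rather than read one at a time in the Live Log. The added example below is not part of the thread or of Sophos tooling: it parses lines in the `key="value"` shape of the entry quoted earlier, recovers host and port from the `https://host:port/` URL that a CONNECT is logged as, and tallies the refusals. The sample lines are constructed for the example and trimmed to the keys the parser uses; their addresses, request ids and the fourth, passed entry are made up.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in the shape of the httpproxy entry quoted in the post,
# trimmed to the keys used below. Addresses, times, request ids and the passed
# entry are made up for the example.
SAMPLE_LOG = """\
2021:05:06-14:45:07 MYFIREWALL httpproxy: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.10.10.19" dstip="" statuscode="403" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" request="0xa9f2e00" url="https://100.64.0.10:2222/" error="Target service not allowed" fullreqtime="1281"
2021:05:06-14:45:09 MYFIREWALL httpproxy: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.10.10.23" dstip="" statuscode="403" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" request="0xa9f2e10" url="https://100.64.0.10:2222/" error="Target service not allowed" fullreqtime="977"
2021:05:06-14:45:11 MYFIREWALL httpproxy: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.10.10.19" dstip="" statuscode="403" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" request="0xa9f2e20" url="https://100.64.0.11:22/" error="Target service not allowed" fullreqtime="1103"
2021:05:06-14:46:01 MYFIREWALL httpproxy: id="0002" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.10.10.19" dstip="198.51.100.7" statuscode="200" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" request="0xa9f2e30" url="https://example.com:443/" error="" fullreqtime="64"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<daemon>[\w-]+): (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_httpproxy_line(line):
    """Split a UTM-style 'timestamp host daemon: key="value" ...' line into a dict.
    Values may contain spaces and parentheses (see profile=...), so each is taken
    verbatim up to its closing quote. Returns None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    fields.update(_ts=m.group("ts"), _host=m.group("host"), _daemon=m.group("daemon"))
    return fields


def connect_target(fields):
    """A CONNECT tunnel is logged as an https://host:port/ URL; recover (host, port).
    The port defaults to 443 when the URL carries none."""
    if fields.get("method") != "CONNECT":
        return None
    u = urlsplit(fields.get("url", ""))
    return (u.hostname, u.port or 443) if u.hostname else None


def blocked_target_services(lines):
    """Count tunnels refused with 'Target service not allowed' per (host, port):
    the destinations an Allowed Target Services entry would have to cover."""
    hits = Counter()
    for line in lines:
        f = parse_httpproxy_line(line)
        if f and f.get("action") == "block" and f.get("error") == "Target service not allowed":
            target = connect_target(f)
            if target:
                hits[target] += 1
    return hits


def ports_to_allow(lines):
    """Distinct destination ports behind the refusals, sorted: candidates for new
    'tcp-<port>' service definitions (review each destination before allowing it)."""
    return sorted({port for _, port in blocked_target_services(lines)})


if __name__ == "__main__":
    for (host, port), n in blocked_target_services(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:3d} x CONNECT {host}:{port} refused (target service not allowed)")
    print("ports to review for Allowed Target Services:", ports_to_allow(SAMPLE_LOG.splitlines()))
```

On the sample input this reports two refusals for `100.64.0.10:2222` and one for `100.64.0.11:22`, and suggests ports 22 and 2222 for review; the passed CONNECT to 443 is ignored. Note that the tally is per destination port, not per service name: a service definition that does not match the port actually in the URL (for example 20222 where the log shows 2222) will leave the block entries unchanged, which the same script will show after the change.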
Where do you see Algorithm negotiation Failed, Mauricio?
Hi, on-prem we were not using Sophos; the servers were just moved to AWS and had to deal with the Sophos that was put here.
This is the error message seen on the server after attempting the connection. Later I had to set up another service definition for SSH, using the same method described before, and this connection succeeded. More evidence that access was allowed fine.
If the error in the server was at the same time as the request was sent by the UTM Web Proxy, 10:00:06, I would conclude that the server doesn't "like" the Proxy. You would want to skip the Proxy for that server.
Hi, at this point the App team is checking. I will revert. Thanks