This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[9.205][Bug] "web request blocked" with "Invalid argument"

We updated our ASG220 three days ago to Version 9.205-12. We have an internal web server (IIS 7 on Windows Server 2008 R2) that can be accessed from outside:

DNAT: Any -> HTTP -> EXTERNAL-ADDRESS
      Target translation: INTERNAL-ADDRESS

SNAT: INTERNAL-ADDRESS -> Any -> Any
      Source translation: EXTERNAL-ADDRESS

This worked very well until the last update. After this update we can not access the site with its external address from inside, we get following Errors:

2014:08:13-16:51:09 fw-prokasro-2 httpproxy[5833]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.100.148" dstip="176.94.29.131" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2520" request="0x1074ea38" url="daten.prokasro.de/.../support" exceptions="" error="Invalid argument" authtime="0" dnstime="7" cattime="19332" avscantime="0" fullreqtime="55199227" device="0" auth="0" category="105" reputation="neutral" categoryname="Business"

and after configuring some exceptions for the domain daten.prokasro.de:

2014:08:14-08:45:18 fw-prokasro-2 httpproxy[5833]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.100.148" dstip="176.94.29.131" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2520" request="0x15ef3278" url="daten.prokasro.de/.../support" exceptions="av,auth,content,url,mime,cache,fileextension,size" error="Invalid argument" authtime="0" dnstime="10" cattime="0" avscantime="0" fullreqtime="2424" device="0" auth="0"

From outside we have no problems.

Greetings,

Dr. Andre Carlos Morales-Bahnik
ProKASRO Mechatronik GmbH

This thread was automatically locked due to age.

0 Mika-s over 10 years ago

Hello,

we have the same problem. All dmz-Servers(NATed) aren't working trough the webfilter. Has anybody a solution for this?
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 10 years ago in reply to Mika-s

No solution yet, but had a customer pop up with this today -- so we're starting a support case on their behalf (we're a reseller/solutions partner). It's most certainly a bug.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 10 years ago in reply to BrucekConvergent

Case created (for any Sophos Engineers that happen upon this thread and are curious):

#4647284

I'll let the rest of you guys know what I find out.  The telling part of this is found in a snippet of the http/s proxy log:

2014:08:20-10:56:41  httpproxy[6326]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="connect_server" file="dns.c" line="1149" message="loopback detected"

This happens before the "Invalid Argument" line every time.  Seems some new security feature, etc. is causing this.

BTW:  Not a NAT issue--in our internal use case, and the customer that reported the issue today, WAF is being used.  So not a WAF issue either based on you guys having issues with NAT ... so it's down to the HTTP/S Proxy.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 10 years ago in reply to BrucekConvergent

Alright, after a little back and forth with Support, they found that it was a confirmed bug, no ETA to fix.

The workaround (which we implemented at a customer site already before Support got involved) is to create firewall rules, and use split DNS (whether on the UTM or internal), to give internal users direct access to your web site(s) in the DMZ.

Given that this is brand new as far as an issue goes, I would not expect a quick fix. 9.206 is in the hopper, and it doesn't include a fix for this, so we're looking at 9.207 or later at this point.

If I hear anything else, I'll let you guys know.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mika-s over 10 years ago

ok thanks, that was our solution too. Hoping for the next releases...
Cancel
Vote Up 0 Vote Down

Cancel
0 ProKasro over 10 years ago in reply to BrucekConvergent

I have restarted our ASG220, but our HA seems to be not functional any more. Node 2 was master, i restarted this node, node 1 took over for 20 seconds, then node 1 restarted or crashed. After 5 minutes node 2 was available again and got again master. The original problem persisted after restart, and now we detected a new one.

Greetings

Dr. Andre Morales-Bahnik
ProKASRO Mechatronik GmbH
Cancel
Vote Up 0 Vote Down

Cancel
0 Mast_01 over 10 years ago

ah yes i have the same problem after 9.205 and Balfson pointed me to this thread, i had to use packet filter rules AND add the external URL to each machine proxy skiplist
Cancel
Vote Up 0 Vote Down

Cancel
0 mirzonisa over 10 years ago

Hi guys, I'm new one here, but i felt I need to share my experience about same matter with you. I have internal web site published on one of two external interfaces. I have been using PAC file and auto-configuration option in user's browser. In Web Protection>Filtering Option>Misc, i rewrote PAC file, so FQDN of my site is included in it, and all traffic is DIRECT, meaning users will not use proxy.
Explicitly: if (shExpMatch(url, "*FQDNofyourwebsite*")) return "DIRECT";
After that, Users from internal network access my web site without any problems. It worked for me, so maybe will work for someone else! [:D]
Best regards
Cancel
Vote Up 0 Vote Down

Cancel
0 AndrewYoo over 10 years ago

If you use proxy script, try to add this
if (shExpMatch(url, "*daten.prokasro.de/*"))
return "DIRECT";
Cancel
Vote Up 0 Vote Down

Cancel
0 hiddenbit over 10 years ago in reply to AndrewYoo

Any new informformation about this problem?

My clients get also blocked, while access the external domains which are hosted at the same UTM via WAF. I solved it quick'n'dirty with a web proxy exception for this domains and firewall rule for direct access.

Regards
-hidden
Cancel
Vote Up 0 Vote Down

Cancel