
HTTP request allowed by Transparent Proxy, but answer gets blocked by firewall

Hi folks,


I noticed that some pages are very slow since the upgrade to UTM 9.352-6. I don't know if this has to do with the upgrade.
But today I also noticed many blocked packets from external hosts in the overview tab of "Network Protection". I did some investigation and found out that these blocked packets are answers to HTTP requests which are processed by the transparent web proxy. One of the blocked hosts is https-178-79-242-217.fra.llnw.net, which is used by "Sophos Mobile Security" on my mobile phone.

I can see the HTTP requests from "Sophos Mobile Security" in the web proxy log, and they are not blocked:


2016:01:10-12:33:02 jasnet httpproxy[3184]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.20" dstip="178.79.242.217" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffJasneWebfiActio (Default)" size="225" request="0xdf687800" url="d1.sophosupd.com/.../sdds.smsec_version.xml" referer="" error="" authtime="0" dnstime="1" cattime="29699" avscantime="2694" fullreqtime="1034871" device="0" auth="0" ua="Dalvik/2.1.0 (Linux; U; Android 5.1.1; xxxxx)" exceptions="" category="105" reputation="trusted" categoryname="Business" application="sophupda" app-id="794" content-type="text/xml"

And I can also see the HTTP answer from 178.79.242.217 in the firewall log, which is blocked (because the firewall doesn't know this connection):

12:33:03  Default DROP  TCP  178.79.242.217:80 → 192.168.10.20:47123  [RST]  len=40 ttl=64 tos=0x00 srcmac=xxx


This also happens with some other sites/servers and clients. I think this is not normal behaviour, and it could be responsible for the slow websites.
Does anyone have the same problem? What should I do?

Thank you!

Jas
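The original post pairs a passed request in the web proxy log with a dropped RST in the firewall log by matching addresses and timestamps by hand. The script below does that correlation over sample lines so the pattern can be checked across a whole log instead of one entry. It is an added example, not code from the post or from Sophos: the constructed sample lines are shaped like the two formats quoted above (the key="value" httpproxy line and the flattened firewall-log row), the regexes for those layouts are assumptions, and the 60-second window, the label names and every helper are illustrative choices, not UTM behaviour.

```python
import re
from datetime import date, datetime, timedelta

# Assumed layouts, modelled on the two log entries quoted in the post:
# the httpproxy line is a YYYY:MM:DD-HH:MM:SS timestamp followed by key="value"
# pairs; the firewall entry is the flattened row the log viewer shows
# (time, rule, action, proto, src:port -> dst:port, [flags], ...).
KV_RE = re.compile(r'(\w[\w-]*)="([^"]*)"')
PROXY_TS_RE = re.compile(r'^(\d{4}):(\d{2}):(\d{2})-(\d{2}:\d{2}:\d{2})\s')
FW_RE = re.compile(
    r'^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<rule>\S+)\s+(?P<action>[A-Z]+)\s+(?P<proto>\S+)\s+'
    r'(?P<srcip>[\d.]+):(?P<srcport>\d+)\s+(?:→|->)\s+(?P<dstip>[\d.]+):(?P<dstport>\d+)\s+'
    r'\[(?P<flags>[^\]]*)\]'
)


def parse_proxy_line(line):
    """Return the proxy log fields as a dict plus a datetime under 'ts', or None."""
    m = PROXY_TS_RE.match(line)
    if not m:
        return None
    y, mo, d, t = m.groups()
    fields = dict(KV_RE.findall(line))
    fields["ts"] = datetime.strptime(f"{y}-{mo}-{d} {t}", "%Y-%m-%d %H:%M:%S")
    return fields


def parse_fw_line(line, day):
    """Parse one flattened firewall-log row; 'day' supplies the date the row lacks."""
    m = FW_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.combine(day, datetime.strptime(rec["time"], "%H:%M:%S").time())
    rec["flags"] = {f.strip() for f in rec["flags"].split(",") if f.strip()}
    return rec


def classify_drops(proxy_lines, fw_lines, day, window=timedelta(seconds=60)):
    """Label each DROP by whether it is a bare RST that mirrors a recent proxied request.

    A drop from server:port to client:port is 'rst_after_proxied_flow' when the
    proxy log shows a passed request from that client to that server within
    `window` before the drop. RSTs with no such request are 'rst_unrelated';
    anything that is not a bare RST (e.g. an inbound SYN) is 'non_rst_drop'.
    """
    passes = [p for p in map(parse_proxy_line, proxy_lines)
              if p and p.get("action") == "pass"]
    results = []
    for rec in filter(None, (parse_fw_line(line, day) for line in fw_lines)):
        if rec["action"] != "DROP":
            continue
        if rec["flags"] != {"RST"}:
            label = "non_rst_drop"
        elif any(p["dstip"] == rec["srcip"] and p["srcip"] == rec["dstip"]
                 and timedelta(0) <= rec["ts"] - p["ts"] <= window for p in passes):
            label = "rst_after_proxied_flow"
        else:
            label = "rst_unrelated"
        results.append((rec["time"], rec["srcip"], rec["srcport"], rec["dstip"], label))
    return results


# Constructed sample lines (not from a live system), shaped like the post's entries.
PROXY_SAMPLE = [
    '2016:01:10-12:33:02 jasnet httpproxy[3184]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.20" '
    'dstip="178.79.242.217" statuscode="200" url="d1.sophosupd.com/example.xml" category="105"',
]
FW_SAMPLE = [
    # RST from the update server one second after the proxied GET: likely teardown noise
    "12:33:03 Default DROP TCP 178.79.242.217:80 → 192.168.10.20:47123 [RST] len=40 ttl=64 tos=0x00",
    # RST from a host the proxy never passed a request to for this client
    "12:40:15 Default DROP TCP 203.0.113.5:443 → 192.168.10.20:50211 [RST] len=40 ttl=54 tos=0x00",
    # inbound SYN from the internet: an unsolicited connection attempt, not a reply
    "12:41:00 Default DROP TCP 198.51.100.7:55321 → 192.168.10.20:22 [SYN] len=60 ttl=49 tos=0x00",
]


def run_sample():
    return classify_drops(PROXY_SAMPLE, FW_SAMPLE, date(2016, 1, 10))


if __name__ == "__main__":
    for row in run_sample():
        print(*row)
```

Run against real exports, the interesting rows are the 'rst_unrelated' and 'non_rst_drop' ones: a RST that follows a proxied request by a second or two is what a reply to this thread describes as late-reset noise, while drops with no matching proxy entry deserve a closer look.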



  • "RST" as a flag is not a "real" response. It's a reset request for that TCP stream, and mostly these reset requests are received a long time after the firewall thought the communication was finished.
    Therefore you will find many RST packets in the firewall logfile, so this entry might not necessarily point out your issue.
  • Hi Jas Man,

    RST packets are meant to reinitiate the TCP stream/communication between your client and the webserver.
    You will see many RST log entries in the fw log (as far as I know) because these RST packets are sent way after the firewall expected the traffic to have ended.

    For your issue regarding slow browsing, it might be that this is not the corresponding issue / log entry for this behaviour.
  • Thank you for your answer, DarkKnight93.

    I didn't realize that all the dropped packets are RST packets. Also I didn't realize that they are all sent to my Android mobile phone. No other clients get those blocked RST packets.

    I don't think that the packets are for connections which the UTM / proxy has already closed, because the packets from the Sophos update server appear in the firewall log as soon as I click on "Update" in the "Sophos Mobile Security" app on my mobile phone.

    A friend of mine visited me yesterday and connected his mobile phone to my WiFi. Today I saw that his mobile phone also gets a lot of blocked RST packets. He doesn't have the "Sophos Mobile Security" app, but he also has an Android mobile phone with a Cyanogen custom ROM. Maybe this is the problem.