
Bug on Application Control with TeamViewer

Dear all,

We found a bug in App Control with TeamViewer. It is possible to get a TV session established even if you have App Control active and blocking TV.

Test was made on: 

SG230

FW 9.404-5

On older versions it was running well.

Please explain what the new steps are.

wrbrgda

R.



  • Hi,

    Is TeamViewer blocked on the PC? SSH to the UTM and capture afc.log while running the application on the TV.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi,

    No, it's not blocked on the PC.

    I checked it right now and had a look at afc.log, but there is nothing in there about the opening session of TeamViewer and connecting from outside.

      loginuser@xyz:/var/log > cat afc.log
      2016:07:05-05:15:32 xyz afcd[31433]: vy_plugin: N: finalizing vineyard thread
      2016:07:05-05:15:32 xyz afcd[31433]: STATUS: alert_lvl="GREEN" run_time=64760 num_cts=0 pktps_avg=0.00 pktps_avg_max=60.42 skipped_pktps_avg=0.00    skipped_pktps_avg_max=1.40 connps_avg=0.00 connps_avg_max=28.37 rusage_sys=10.816 rusage_usr=6.640
      2016:07:05-05:15:32 xyz afcd[31433]: CFFS (nfmark 00000303): 3924 packets, 6 connections
      2016:07:05-05:15:32 xyz afcd[31433]: DNS (nfmark 0000007c): 77168 packets, 38470 connections
      2016:07:05-05:15:32 xyz afcd[31433]: GMAIL (nfmark 000000ad): 142 packets, 42 connections
      2016:07:05-05:15:32 xyz afcd[31433]: IMAP (nfmark 000000e2): 23 packets, 23 connections
      2016:07:05-05:15:32 xyz afcd[31433]: LDAP (nfmark 00000109): 72 packets, 72 connections
      2016:07:05-05:15:32 xyz afcd[31433]: LYNC (nfmark 00000414): 2 packets, 2 connections
      2016:07:05-05:15:32 xyz afcd[31433]: OPENVPN (nfmark 0000016a): 77 packets, 4 connections
      2016:07:05-05:15:32 xyz afcd[31433]: OUTLOOK (nfmark 00000486): 244 packets, 80 connections
      2016:07:05-05:15:32 xyz afcd[31433]: RDP (nfmark 00000191): 9 packets, 9 connections
      2016:07:05-05:15:32 xyz afcd[31433]: SKYPE (nfmark 000001c0): 12 packets, 4 connections
      2016:07:05-05:15:32 xyz afcd[31433]: SMTP (nfmark 000001ca): 16 packets, 16 connections
      2016:07:05-05:15:32 xyz afcd[31433]: SSL (nfmark 000001d9): 932 packets, 234 connections
      2016:07:05-05:15:32 xyz afcd[31433]: packets: 87479 (85686 inspected, 473 skipped)
      2016:07:05-05:15:32 xyz afcd[31433]: connections: 39441 (38962 classified)
      2016:07:05-05:15:32 xyz afcd[1523]: _afc_cfg_file_plugin_parse: 1387 protocols registered
      2016:07:05-05:15:32 xyz afcd[1523]: vy_plugin: N: aptp: threaddata loaded from /var/chroot-afc/etc/aptpdata
      2016:07:05-05:15:32 xyz afcd[1523]: loaded plugin '/var/sec/chroot-afc/lib/afc/vineyard.so'
      2016:07:05-05:15:32 xyz afcd[1523]: _afc_cfg_file_plugin_parse: 1387 protocols registered
      2016:07:05-05:15:32 xyz afcd[1552]: AFC ready.
      2016:07:05-08:43:54 xyz afcd[1552]: WARNING! packet already has AFC mark value (0x0000126d), replacing with 0x00001000
      2016:07:05-11:54:44 xyz afcd[1552]: WARNING! packet already has AFC mark value (0x0000126d), replacing with 0x00001000

  • Hi,

    TeamViewer is blocked successfully via UTM through Application Control. Please find the attached logs.

    2016:07:07-19:08:00 sophos_community httpproxy[5631]: id="0066" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden application detected" action="block" method="GET" srcip="192.168.0.4" dstip="37.252.227.51" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo (Checkpoint)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3329" request="0x17313000" url="ping3.teamviewer.com/din.aspxs=00000000&id=652413760&client=DynGate&p=10000001" referer="" error="" authtime="0" dnstime="6" cattime="251" avscantime="0" fullreqtime="1098" device="0" auth="0" ua="Mozilla/4.0 (compatible; MSIE 6.0; DynGate)" exceptions="" category="142" reputation="neutral" categoryname="Remote Access" application="TEAMVIEW" app-id="584"

    Please check the configurations on UTM.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Salut,

    I checked the logs again this morning. Nothing in the application log, but in the firewall logs I found this:

      08:38:54 Standard-VERWERFEN TCP 192.168.168.236 : 49989 217.146.26.212 : 5938 [SYN] len=52 ttl=126 tos=0x00 srcmac=00:0f:34:2a:29:7f dstmac=00:1a:8c:58:cd:c2
      08:38:56 Standard-VERWERFEN TCP 192.168.168.236 : 49989 217.146.26.212 : 5938 [SYN] len=52 ttl=126 tos=0x00 srcmac=00:0f:34:2a:29:7f dstmac=00:1a:8c:58:cd:c2

    When I start TV, I first have a red light and empty "User ID" and "Password" fields. After some seconds I have a green light and filled "User ID" and "Password" fields.

    So the questions are:

    • Why do I have no logs in Application Control, while in the Firewall log and Flow Monitor I can see TeamViewer?
    • Why do the FW logs show blocking if I have access to TeamViewer?
    • Why was everything OK on the older firmware?

    I checked all other settings in the FW this morning but can't find anything that explains what happened.

    Any idea?

    Thanks a lot. RH
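The thread quotes two different UTM log formats, the httpproxy application-control line (key="value" fields) and the firewall log viewer's drop entries, and the open question is why one shows TeamViewer and the other does not. The script below is an added example, not part of the thread and not Sophos code: it parses both formats, counts application-control blocks and firewall drops per client, and lists clients whose direct TeamViewer port (TCP 5938, as in the quoted drops) was dropped without any matching Application Control block, which is exactly the symptom reported above. The sample log lines are constructed (documentation IP ranges, stand-alone one-line form of the viewer entries), the `FW_RE` layout and the `DROP_MARKERS` substrings are assumptions modelled on the quoted lines, and `triage()` is a hypothetical helper name.

```python
import re
from collections import Counter

# key="value" fields as used by UTM httpproxy / application-control lines
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Firewall-log-viewer entry written on one line (assumed layout, modelled on
# the entries quoted in the thread):
#   <time> <rule/action> <proto> <src> : <sport> <dst> : <dport> [<flags>] k=v ...
FW_RE = re.compile(
    r'^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<action>\S+)\s+(?P<proto>TCP|UDP)\s+'
    r'(?P<src>[\d.]+)\s*:\s*(?P<sport>\d+)\s+'
    r'(?P<dst>[\d.]+)\s*:\s*(?P<dport>\d+)'
    r'(?:\s+\[(?P<flags>[^\]]*)\])?'
)

# Assumption: the viewer's action column contains one of these substrings for a
# dropped packet ("Standard-VERWERFEN" in the German UI, "Default DROP" in English).
DROP_MARKERS = ("VERWERFEN", "DROP")
TEAMVIEWER_PORT = 5938  # direct TeamViewer port seen in the thread's firewall drops


def parse_httpproxy(line):
    """Return the key="value" fields of a UTM httpproxy line, or {} for other lines."""
    if "httpproxy[" not in line:
        return {}
    return dict(KV_RE.findall(line))


def parse_firewall(line):
    """Return a dict for a one-line firewall-viewer entry, or None if it does not match."""
    m = FW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def triage(httpproxy_lines, firewall_lines):
    """Correlate application-control blocks with firewall drops per client IP."""
    app_blocks = Counter()  # (application, srcip, dstip) -> count
    fw_drops = Counter()    # (src, dst, dport) -> count
    for line in httpproxy_lines:
        rec = parse_httpproxy(line)
        if rec.get("action") == "block" and rec.get("application"):
            app_blocks[(rec["application"], rec["srcip"], rec["dstip"])] += 1
    for line in firewall_lines:
        rec = parse_firewall(line)
        if rec and any(marker in rec["action"] for marker in DROP_MARKERS):
            fw_drops[(rec["src"], rec["dst"], rec["dport"])] += 1
    # Clients whose direct TeamViewer port was dropped but for which Application
    # Control logged nothing at all: the situation described in the thread.
    blocked_by_appctl = {src for (app, src, _) in app_blocks if app == "TEAMVIEW"}
    dropped_direct = {src for (src, _, dport) in fw_drops if dport == TEAMVIEWER_PORT}
    return {
        "app_control_blocks": app_blocks,
        "firewall_drops": fw_drops,
        "unexplained_sources": sorted(dropped_direct - blocked_by_appctl),
    }


# Constructed sample input (not the thread's own log output)
HTTPPROXY_LINES = [
    '2016:07:07-19:08:00 utm httpproxy[5631]: id="0066" severity="info" sys="SecureWeb" '
    'sub="http" name="web request blocked, forbidden application detected" action="block" '
    'method="GET" srcip="192.0.2.4" dstip="198.51.100.51" statuscode="403" '
    'url="ping3.example.invalid/din.aspx" categoryname="Remote Access" '
    'application="TEAMVIEW" app-id="584"',
    '2016:07:07-19:08:05 utm httpproxy[5631]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="GET" srcip="192.0.2.236" '
    'dstip="198.51.100.7" statuscode="200" url="www.example.invalid/" application=""',
]
FIREWALL_LINES = [
    "08:38:54 Standard-VERWERFEN TCP 192.0.2.236 : 49989 198.51.100.212 : 5938 [SYN] len=52 ttl=126 tos=0x00",
    "08:38:56 Standard-VERWERFEN TCP 192.0.2.236 : 49989 198.51.100.212 : 5938 [SYN] len=52 ttl=126 tos=0x00",
    "19:07:59 Standard-VERWERFEN TCP 192.0.2.4 : 50211 198.51.100.212 : 5938 [SYN] len=52 ttl=126 tos=0x00",
]

if __name__ == "__main__":
    result = triage(HTTPPROXY_LINES, FIREWALL_LINES)
    for key, count in result["app_control_blocks"].items():
        print("app-control block:", key, count)
    for key, count in result["firewall_drops"].items():
        print("firewall drop:", key, count)
    print("dropped on 5938 with no Application Control block:", result["unexplained_sources"])
```

Run against the real logs, a client that turns up in `unexplained_sources` is the one to investigate: a SYN drop on 5938 only proves that the direct connection attempt was refused, not that the session failed, since TeamViewer falls back to TCP 443 and 80 when 5938 is unreachable. Those fallback connections pass through the web proxy, so the httpproxy log for the same source IP and time window is the place to check whether Application Control classified and blocked them.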