Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 3 subscribers
  • Views 12538 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Applcation Control seems not to filter or block anything

AxelWeidner

We have defined a bunch of about 50 Application Control rules, all of which are blocking rules and all of them have logging enabled. Most of these rules are intended to block traffic from Advertisement networks, file sharing hosters and other suspicious or useless applications. The rules have been set active.
I would expect to see one of these rules triggered in the Live Protocol when invoking a website which contains links to one of the blocked Advertisement networks. We also habe blocked a protocol/application called mck-ipvip.


When starting flow monitor on the external interface of the UTM9 System I would expect that this traffic is effectively blocked. But instead I see traffic that should be blocked by Application Control ist still being passed through to the external interface and these Applications are still sending quite signifcant amounts of web traffic.

Is there anything significant that I may have missed in configuring Application Control?

Kind Regards,

Axel





This thread was automatically locked due to age.
  • 0

    Hi Axel,

    Place the application control to block mck-ipvip on the top. Verify there is no exception rule defined to bypass this traffic. Also, check that the pattern version is up2date.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0

    I think I am experiencing the same issue. Blocked are services like SoundCloud, Facebook, Webradio.

    When you want to enter eg. the Soundcloud website, it is blocked, but same as AxelWeidner says, packets are still transferred. Patterns seem to be up2date (105341, is there a way to check the pattern version externally?)

    what is mck-ivpip? It is also in my traffic list here, could not find something informational on the Internet yet.

    ---

  • 0 in reply to GL@MO

    The behaviour that GL@MO has decribed in hist post is exactly the sime thing which I've observed in an installation at a customer site.

    If an application that has been blocked by Application Control is being invoked directly it seems that blocking works fine. Nevertheless it seems that some code embedded into a website is still able to communicate with the blocked application.

    mck-ipvip seems to be some telephony helper protocol. We don't need it so I tried to block the application which led me to find out this irritating behaviour of UTM9.

    Any official statement from SOPHOS regarding this matter?

    @Mr. Gurung: Tried what you have supposed and didn't change things to the least amount. Problem is still unresolved.


    Kind regards,

    Axel

  • 0 in reply to AxelWeidner

    Hi, Axel, and welcome to the UTM Community!

    As you'll see from #2 in Rulz, AppCtrl is the last thing that looks at a packet.  If it is already blocked by a setting in Web Filtering, AppCtrl will never see it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    in other words or the other way around:

    if webfiltering says "access granted" and there is no rule to block such App traffic (e.g. Facebook), AppControl will not block it when it should be blocked?!

    ---

  • 0 in reply to GL@MO

    If it's allowed by Web Filtering, it should be available to be blocked by AppCtrl.  Please insert a picture of an AppCtrl rule that isn't blocking, but should.  Also, show the log line(s) from the AppCtrl log demonstrating that the traffic is not seen or that it is seen and not passed.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML