Web Filtering whitelist weird issue

Hello,

We are using Sophos UTM 9.403-4 on AWS, AMI ID: ami-d1eb8ba6

Sophos acts as NAT for our EC2 instances outbound traffic, within an Amazon VPC.
UTM is configured with Web Filtering in transparent mode.
We have a list of domains that we want to whitelist to be accessible from our EC2 instances.
The problem we are seeing is described below.
Some of the Web requests are coming through to IPs rather than domains. This breaks our whitelisting, since those requests are blocked.
The domains for which this is happening are:
- newrelic.com
- rubygems.org
- and a few more
I'm pretty sure the problem is not the client's software, but rather something weird happening in UTM. (It would not make sense to write software that resolves DNS names to IPs and then invokes the IPs directly. Also, SSL validation would fail miserably!)
An example log entry going to an IP directly:
2016:07:15-13:52:46 uat1-nat-a httpproxy[4930]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.17.94.57" dstip="50.31.164.164" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Web-Profile)" filteraction="REF_HttCffAllowwebti2 (Allow-WebTier)" size="5205" request="0x1517b800" url="https://50.31.164.164/" referer="" error="" authtime="0" dnstime="2" cattime="329" avscantime="0" fullreqtime="399648" device="0" auth="0" ua="" exceptions=""

I had to manually whitelist 50.31.164.164, which belongs to newrelic.com. This is not really a viable solution as these IPs change often...

Have you seen this issue before? Would you be able to point me in the right direction?
Thanks a lot for your time.
Cheers
Mikko
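To separate the two kinds of entries the post describes (requests whose url field carries a hostname, which a domain whitelist can match, and requests whose url field carries only an IP literal, which it cannot), here is a small parser for the UTM httpproxy log format. This is an added example, not code from the original thread or from Sophos. The first sample line is the one quoted above; the other two lines, the WHITELIST contents and all function names are constructed for illustration.

```python
"""Parse Sophos UTM httpproxy log lines and classify each request by whether
its url host is a whitelisted domain, some other hostname, or an IP literal.

Added example, not from the original thread or from Sophos. SAMPLE_LINES[0]
is the entry quoted in the post; SAMPLE_LINES[1:] and WHITELIST are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Every field in the log line has the shape key="value"; the timestamp,
# hostname and httpproxy[pid] prefix do not, so they are simply not matched.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumed whitelist, matched by exact domain or any subdomain of it.
WHITELIST = ["newrelic.com", "rubygems.org"]

SAMPLE_LINES = [
    # Real entry from the post: a CONNECT whose url is an IP literal.
    '2016:07:15-13:52:46 uat1-nat-a httpproxy[4930]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" '
    'srcip="172.17.94.57" dstip="50.31.164.164" user="" group="" ad_domain="" '
    'statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Web-Profile)" '
    'filteraction="REF_HttCffAllowwebti2 (Allow-WebTier)" size="5205" '
    'request="0x1517b800" url="https://50.31.164.164/" referer="" error="" '
    'authtime="0" dnstime="2" cattime="329" avscantime="0" fullreqtime="399648" '
    'device="0" auth="0" ua="" exceptions=""',
    # Constructed: a CONNECT where the proxy did see a hostname.
    '2016:07:15-13:53:01 uat1-nat-a httpproxy[4930]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" '
    'srcip="172.17.94.57" dstip="192.0.2.10" statuscode="200" '
    'url="https://api.rubygems.org/" referer="" error=""',
    # Constructed: a plain HTTP GET to a host that is not on the whitelist.
    '2016:07:15-13:53:05 uat1-nat-a httpproxy[4930]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" '
    'srcip="172.17.94.57" dstip="198.51.100.7" statuscode="200" '
    'url="http://example.org/index.html" referer="" error=""',
]


def parse_line(line):
    """Return the key="value" pairs of one httpproxy log line as a dict."""
    return dict(KV_RE.findall(line))


def host_of(url):
    """Host part of a url field, lower-cased; '' if the field is empty."""
    return (urlsplit(url).hostname or "").rstrip(".")


def is_ip_literal(host):
    """True for IPv4/IPv6 literals such as 50.31.164.164 or 2001:db8::1."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_matches_whitelist(host, whitelist):
    """True if host equals a whitelisted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in whitelist)


def classify(line, whitelist):
    """Return (category, host) for one log line.

    'ip_literal'      : url host is an IP; no domain whitelist can match it
    'whitelisted'     : url host is a whitelisted domain or a subdomain
    'not_whitelisted' : url host is a hostname outside the whitelist
    """
    host = host_of(parse_line(line).get("url", ""))
    if is_ip_literal(host):
        return ("ip_literal", host)
    if host_matches_whitelist(host, whitelist):
        return ("whitelisted", host)
    return ("not_whitelisted", host)


def ip_only_requests(lines, whitelist):
    """(dstip, method) of every entry a domain whitelist could not match."""
    out = []
    for line in lines:
        category, _ = classify(line, whitelist)
        if category == "ip_literal":
            rec = parse_line(line)
            out.append((rec.get("dstip", ""), rec.get("method", "")))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line, WHITELIST))
    print("IP-only requests:", ip_only_requests(SAMPLE_LINES, WHITELIST))
```

Run against a real export of the httpproxy log, the `ip_only_requests` bucket lists exactly the destinations that had to be whitelisted by address in the post; note that the quoted entry is a `CONNECT`, so the url field holds only what the transparent proxy could see for that TLS connection, which here was the destination IP and not a server name.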


  • Hi, Mikko, and welcome to the UTM Community!

    You say that you "whitelisted" 50.31.164.164 - please show a picture of what you did to accomplish this.  In your first post above, statuscode="200" is reported, indicating that the access was successful - are you saying that the information was not delivered?  I wonder if this is why you and Michael are talking past each other...

    Cheers - Bob

    PS Michael, aren't you thinking about SMTP Proxy whitelisting instead of Web Filtering when you comment that whitelisting avoids all checks?

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA