Hello,
We are using Sophos UTM 9.403-4 on AWS, AMI ID: ami-d1eb8ba6
Sophos acts as NAT for our EC2 instances outbound traffic, within an Amazon VPC.
UTM is configured with Web Filtering in transparent mode.
We have a list of domains that we want to whitelist to be accessible from our EC2 instances.
The problem we are seeing is described below.
Some of the Web requests are coming through to IPs rather than domains. This breaks our whitelisting, since those requests are blocked.
The domains for which this is happening are:
- chef.io
- newrelic.com
- rubygems.org and a few more
I'm pretty sure the problem is not the client's software, but rather something weird happening in UTM. (It would not make sense to write software that resolves DNS names to IPs and then invokes the IPs directly. Also, SSL validation would fail miserably!)
An example log entry going to an IP directly:
2016:07:15-13:52:46 uat1-nat-a httpproxy[4930]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.17.94.57" dstip="50.31.164.164" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (Web-Profile)" filteraction="REF_HttCffAllowwebti2 (Allow-WebTier)" size="5205" request="0x1517b800" url="https://50.31.164.164/" referer="" error="" authtime="0" dnstime="2" cattime="329" avscantime="0" fullreqtime="399648" device="0" auth="0" ua="" exceptions=""
I had to manually whitelist 50.31.164.164, which belongs to newrelic.com. This is not really viable solution as these IP change often...
Have you seen this issue before? Would you be able to point me in the right direction?
Thanks a lot for your time.
Cheers
Mikko
This thread was automatically locked due to age.
