AP15 trying to connect to external IP addresses - why?

Good morning,

I hope we are all having a healthy/safe social distancing morning. I am tinkering with my home UTM, now that I seem to have lots of time.

I am seeing lots of traffic blocked in my web filter logs from my AP15.

2020:03:25-09:56:47 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanNetwo2 (Core_Devices_Profile)" filteraction="REF_HttCffCorefilter (Core_Filter_Action)" size="3270" request="0xe560d100" url="https://34.251.210.199/" referer="" error="" authtime="0" dnstime="0" aptptime="98" cattime="140" avscantime="0" fullreqtime="244564" device="0" auth="0" ua="" exceptions="" reason="reputation" category="9998" reputation="unverified" categoryname="Uncategorized"
2020:03:25-09:56:53 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanNetwo2 (Core_Devices_Profile)" filteraction="REF_HttCffCorefilter (Core_Filter_Action)" size="3270" request="0xcc8ca00" url="https://34.249.219.143/" referer="" error="" authtime="0" dnstime="0" aptptime="137" cattime="146" avscantime="0" fullreqtime="236847" device="0" auth="0" ua="" exceptions="" reason="reputation" category="9998" reputation="unverified" categoryname="Uncategorized"
2020:03:25-09:56:58 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanNetwo2 (Core_Devices_Profile)" filteraction="REF_HttCffCorefilter (Core_Filter_Action)" size="3264" request="0xc1e1c300" url="https://54.77.16.23/" referer="" error="" authtime="0" dnstime="0" aptptime="97" cattime="123" avscantime="0" fullreqtime="236449" device="0" auth="0" ua="" exceptions="" reason="reputation" category="9998" reputation="unverified" categoryname="Uncategorized"

  1. These hosts all resolve to Sophos Central. Isn't it strange that Sophos' own IPs are listed as uncategorized/unverified?
  2. Why does my AP need to talk externally at all? I have never, nor do I plan to use Sophos Central to manage my UTM in any way.

I have not seen this before, and have always kept all of my core systems (by IP) in a group that gets very restrictive web filter URL blocks.

  • Does this phenomenon disappear if you do a disable/enable of Web Filtering?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry for the long delay - I am wrapped up in lots of home-schooling, lately.

    Yes, I am still seeing blocks in the web filter, but not the firewall, since March.

    Why would my AP need to talk to the outside world when my UTM pushes FW from inside?

    Here is some sample info from March 22 to 28:

    The same report from Jan 1 to Feb 29:

    When I look at my FW logs, I see lots of RST, but nothing triggering my explicit block from AP15 to any internet IP4:

    Line 58: 2020:03:25-00:01:56 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="54.77.16.23" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="53334" tcpflags="RST" 
    Line 66: 2020:03:25-00:02:34 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="54.77.16.23" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="53341" tcpflags="RST"
    Line 69: 2020:03:25-00:02:50 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="54.77.16.23" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="53344" tcpflags="RST"
    Line 85: 2020:03:25-00:03:49 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="54.77.16.23" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="53355" tcpflags="RST"
    Line 103: 2020:03:25-00:07:46 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="34.249.219.143" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="33003" tcpflags="RST"
    Line 107: 2020:03:25-00:08:02 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="34.251.210.199" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="58824" tcpflags="RST"
    Line 118: 2020:03:25-00:09:29 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcmac="40:62:31:11:0a:53" srcip="34.251.210.199" dstip="10.100.200.8" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="58840" tcpflags="RST"

    Sophos UTM Home user since 2015

    Running on Q350G4 Core i5-4200U 8GB
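As an added example (not part of the thread above and not Sophos code), the following Python script parses the two Sophos UTM log formats quoted in this thread and correlates them: it collects the destination hosts the web proxy refused with `reason="reputation"` for each internal source IP, collects the external addresses whose TCP RST replies the packet filter dropped for each internal destination IP, and reports which peers appear in both logs, in only the web log, or in only the firewall log. The field names are exactly those in the quoted lines; the sample input is copied from the posts above and abbreviated (fields the script does not use were dropped, and the `Line NN:` prefixes removed). The ulogd lines in the thread carry no hostname, so the parser treats that field as optional.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# UTM syslog shape: "<ts> [<hostname>] <daemon>[<pid>]: key="value" key="value" ..."
# The ulogd lines quoted in the thread have no hostname, so it is optional here.
PREFIX_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>\S+) )?"
    r"(?P<daemon>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Sample input copied from the thread and abbreviated (unused fields dropped).
WEB_LINES = [
    '2020:03:25-09:56:47 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" statuscode="403" url="https://34.251.210.199/" reason="reputation" category="9998" reputation="unverified"',
    '2020:03:25-09:56:53 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" statuscode="403" url="https://34.249.219.143/" reason="reputation" category="9998" reputation="unverified"',
    '2020:03:25-09:56:58 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" statuscode="403" url="https://54.77.16.23/" reason="reputation" category="9998" reputation="unverified"',
]
FW_LINES = [
    '2020:03:25-00:01:56 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcip="54.77.16.23" dstip="10.100.200.8" proto="6" srcport="443" dstport="53334" tcpflags="RST"',
    '2020:03:25-00:02:34 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcip="54.77.16.23" dstip="10.100.200.8" proto="6" srcport="443" dstport="53341" tcpflags="RST"',
    '2020:03:25-00:07:46 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcip="34.249.219.143" dstip="10.100.200.8" proto="6" srcport="443" dstport="33003" tcpflags="RST"',
    '2020:03:25-00:08:02 ulogd[31028]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth3" srcip="34.251.210.199" dstip="10.100.200.8" proto="6" srcport="443" dstport="58824" tcpflags="RST"',
]


def parse_utm_line(line):
    """Parse one UTM log line into a dict of its key="value" fields plus the prefix.

    Returns None for lines that do not have the UTM prefix.
    """
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    rec.update({k: m.group(k) for k in ("ts", "host", "daemon", "pid")})
    return rec


def web_reputation_blocks(lines):
    """Map internal srcip -> set of destination hosts the proxy refused on reputation grounds."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_utm_line(line)
        if not rec or rec.get("daemon") != "httpproxy":
            continue
        if rec.get("action") != "block" or rec.get("reason") != "reputation":
            continue
        host = urlsplit(rec.get("url", "")).hostname  # "https://34.251.210.199/" -> "34.251.210.199"
        if host:
            out[rec["srcip"]].add(host)
    return dict(out)


def dropped_rst_replies(lines):
    """Map internal dstip -> set of external srcips whose TCP RST packets the packet filter dropped."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_utm_line(line)
        if not rec or rec.get("sub") != "packetfilter" or rec.get("action") != "drop":
            continue
        if rec.get("proto") == "6" and rec.get("tcpflags") == "RST":
            out[rec["dstip"]].add(rec["srcip"])
    return dict(out)


def correlate(web_lines, fw_lines):
    """Per internal host: peers seen in both logs, only in the web log, only in the firewall log."""
    web = web_reputation_blocks(web_lines)
    fw = dropped_rst_replies(fw_lines)
    report = {}
    for host in set(web) | set(fw):
        w, f = web.get(host, set()), fw.get(host, set())
        report[host] = {"both": w & f, "web_only": w - f, "fw_only": f - w}
    return report


if __name__ == "__main__":
    for host, r in correlate(WEB_LINES, FW_LINES).items():
        print(host, "both:", sorted(r["both"]),
              "web only:", sorted(r["web_only"]), "fw only:", sorted(r["fw_only"]))
```

On the quoted sample the three peers the proxy refused for 10.100.200.8 are exactly the three addresses whose RST replies the packet filter dropped, so `both` holds all three and the other two sets are empty; a peer turning up in `fw_only` would point at traffic that bypassed the proxy altogether and deserves a look in the firewall rules rather than the web filter.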