This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AP15 trying to connect to external IP addresses - why?

Good morning,

I hope we are all having a healthy/safe social distancing morning. I am tinkering with my home UTM, now that I seem to have lots of time.

I am seeing lots of traffic blocked in my web filter logs from my AP15.

2020:03:25-09:56:47 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanNetwo2 (Core_Devices_Profile)" filteraction="REF_HttCffCorefilter (Core_Filter_Action)" size="3270" request="0xe560d100" url="https://34.251.210.199/" referer="" error="" authtime="0" dnstime="0" aptptime="98" cattime="140" avscantime="0" fullreqtime="244564" device="0" auth="0" ua="" exceptions="" reason="reputation" category="9998" reputation="unverified" categoryname="Uncategorized"

2020:03:25-09:56:53 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanNetwo2 (Core_Devices_Profile)" filteraction="REF_HttCffCorefilter (Core_Filter_Action)" size="3270" request="0xcc8ca00" url="https://34.249.219.143/" referer="" error="" authtime="0" dnstime="0" aptptime="137" cattime="146" avscantime="0" fullreqtime="236847" device="0" auth="0" ua="" exceptions="" reason="reputation" category="9998" reputation="unverified" categoryname="Uncategorized"

2020:03:25-09:56:58 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanNetwo2 (Core_Devices_Profile)" filteraction="REF_HttCffCorefilter (Core_Filter_Action)" size="3264" request="0xc1e1c300" url="https://54.77.16.23/" referer="" error="" authtime="0" dnstime="0" aptptime="97" cattime="123" avscantime="0" fullreqtime="236449" device="0" auth="0" ua="" exceptions="" reason="reputation" category="9998" reputation="unverified" categoryname="Uncategorized"

These hosts all resolve to Sophos Central. Isn't it strange that Sophos' own IPs are listed as uncategorized/unverified?
Why does my AP need to talk externally at all? I have never, nor do I plan to use Sophos Central to manage my UTM in any way.

I have not seen this before, and have always kept all of my core systems (by IP) in a group that gets very restrictive web filter URL blocks.

This thread was automatically locked due to age.

Parents

0 BAlfson over 4 years ago

Good luck with teaching!

It's normal to see RST packet drops, so you can ignore those blocks.

Those are Amazon AWS IPs, so, with a home license, I think you're stuck with letting the AP15 do unfiltered web requests. It looks like you're in Transparent mode, so I'd skip the proxy for all traffic coming from it.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 gcracker over 4 years ago in reply to BAlfson
Thanks! Teaching and working is a lot to tackle at once!

Each of those IP addresses in my OP may be AWS, but they lead to Sophos Central (for example: https://54.77.16.23/). Wondering why my AP15 needs to talk to them, and why it talks externally at all. If it needs to check FW updates, isn't that the UTM's job?

I also saw in the Flow Monitor last night that a good amount of traffic is still coming from the AP, with the app type, "Sophos Wireless." Just before midnight, when I was looking, it had moved over 1GB of data on port tcp/2712. I don't see it happening right now, but I am wired.

My main questions are these:

Why does my AP need to talk on it's own IP to the outside world?

Why is it still talking to the outside world when I have it blocked in the FW and the Web Filter?

Here is my FW rule, placed near the top, with my other In>Out block rules:

I never see this rule triggered, though.

Here is the web filter profile:

And the policy test shows that it should be blocked, and applies the correct profile:

Also for reference, here is when they were talking more, before I blocked it outright while I investigate:
Sophos UTM Home user since 2015

Running on Q350G4 Core i5-4200U 8GB
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 gcracker over 4 years ago in reply to BAlfson
Thanks! Teaching and working is a lot to tackle at once!

Each of those IP addresses in my OP may be AWS, but they lead to Sophos Central (for example: https://54.77.16.23/). Wondering why my AP15 needs to talk to them, and why it talks externally at all. If it needs to check FW updates, isn't that the UTM's job?

I also saw in the Flow Monitor last night that a good amount of traffic is still coming from the AP, with the app type, "Sophos Wireless." Just before midnight, when I was looking, it had moved over 1GB of data on port tcp/2712. I don't see it happening right now, but I am wired.

My main questions are these:

Why does my AP need to talk on it's own IP to the outside world?

Why is it still talking to the outside world when I have it blocked in the FW and the Web Filter?

Here is my FW rule, placed near the top, with my other In>Out block rules:

I never see this rule triggered, though.

Here is the web filter profile:

And the policy test shows that it should be blocked, and applies the correct profile:

Also for reference, here is when they were talking more, before I blocked it outright while I investigate:
Sophos UTM Home user since 2015

Running on Q350G4 Core i5-4200U 8GB
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data