AP15 trying to connect to external IP addresses - why?

Good morning,

I hope we are all having a healthy/safe social distancing morning. I am tinkering with my home UTM, now that I seem to have lots of time.

I am seeing lots of traffic blocked in my web filter logs from my AP15.

 

2020:03:25-09:56:47 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanNetwo2 (Core_Devices_Profile)" filteraction="REF_HttCffCorefilter (Core_Filter_Action)" size="3270" request="0xe560d100" url="https://34.251.210.199/" referer="" error="" authtime="0" dnstime="0" aptptime="98" cattime="140" avscantime="0" fullreqtime="244564" device="0" auth="0" ua="" exceptions="" reason="reputation" category="9998" reputation="unverified" categoryname="Uncategorized"
2020:03:25-09:56:53 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanNetwo2 (Core_Devices_Profile)" filteraction="REF_HttCffCorefilter (Core_Filter_Action)" size="3270" request="0xcc8ca00" url="https://34.249.219.143/" referer="" error="" authtime="0" dnstime="0" aptptime="137" cattime="146" avscantime="0" fullreqtime="236847" device="0" auth="0" ua="" exceptions="" reason="reputation" category="9998" reputation="unverified" categoryname="Uncategorized"
2020:03:25-09:56:58 hostname httpproxy[7621]: id="0061" severity="info" sys="SecureWeb" sub="http" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaLanNetwo2 (Core_Devices_Profile)" filteraction="REF_HttCffCorefilter (Core_Filter_Action)" size="3264" request="0xc1e1c300" url="https://54.77.16.23/" referer="" error="" authtime="0" dnstime="0" aptptime="97" cattime="123" avscantime="0" fullreqtime="236449" device="0" auth="0" ua="" exceptions="" reason="reputation" category="9998" reputation="unverified" categoryname="Uncategorized"

 

 

  1. These hosts all resolve to Sophos Central. Isn't it strange that Sophos' own IPs are listed as uncategorized/unverified?
  2. Why does my AP need to talk externally at all? I have never, nor do I plan to use Sophos Central to manage my UTM in any way.

I have not seen this before, and have always kept all of my core systems (by IP) in a group that gets very restrictive web filter URL blocks.
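
Added example, not part of the original posts: a short Python parser for the httpproxy log format quoted above that tallies blocked destinations for one source IP and flags requests made to a bare IP address. The sample lines are the post's three entries trimmed to the fields used, plus one constructed entry from a different client; the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Sample input: the post's three entries trimmed to the fields used here,
# plus one constructed "pass" entry from another client (10.100.200.50).
SAMPLE_LOG = '''\
2020:03:25-09:56:47 hostname httpproxy[7621]: id="0061" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" url="https://34.251.210.199/" reason="reputation" reputation="unverified"
2020:03:25-09:56:53 hostname httpproxy[7621]: id="0061" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" url="https://34.249.219.143/" reason="reputation" reputation="unverified"
2020:03:25-09:56:58 hostname httpproxy[7621]: id="0061" name="web request blocked, reputation limit" action="block" method="CONNECT" srcip="10.100.200.8" dstip="" url="https://54.77.16.23/" reason="reputation" reputation="unverified"
2020:03:25-09:57:02 hostname httpproxy[7621]: action="pass" method="GET" srcip="10.100.200.50" url="http://example.com/"
'''

HEADER = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) httpproxy\[\d+\]: ')
FIELD = re.compile(r'(\w+)="([^"]*)"')  # values may contain commas and spaces


def parse_line(line):
    """Return the key="value" fields of one httpproxy entry, or None."""
    m = HEADER.match(line)
    if m is None:
        return None
    rec = dict(FIELD.findall(line, m.end()))
    rec["timestamp"], rec["loghost"] = m.groups()
    return rec


def is_ip_literal(host):
    """True when the URL host is an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def blocked_destinations(log_text, srcip):
    """Count blocks from srcip per (host, bare IP?, reason, reputation)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("action") != "block" or rec.get("srcip") != srcip:
            continue
        host = urlsplit(rec.get("url", "")).hostname or ""
        key = (host, is_ip_literal(host), rec.get("reason"), rec.get("reputation"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in blocked_destinations(SAMPLE_LOG, "10.100.200.8").items():
        print(n, *key)
```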



This thread was automatically locked due to age.
  • Good luck with teaching!

    It's normal to see RST packet drops, so you can ignore those blocks.

    Those are Amazon AWS IPs, so, with a home license, I think you're stuck with letting the AP15 do unfiltered web requests.  It looks like you're in Transparent mode, so I'd skip the proxy for all traffic coming from it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks! Teaching and working is a lot to tackle at once!

    Each of those IP addresses in my OP may be AWS, but they lead to Sophos Central (for example: https://54.77.16.23/). Wondering why my AP15 needs to talk to them, and why it talks externally at all. If it needs to check FW updates, isn't that the UTM's job? 

    I also saw in the Flow Monitor last night that a good amount of traffic is still coming from the AP, with the app type, "Sophos Wireless." Just before midnight, when I was looking, it had moved over 1GB of data on port tcp/2712. I don't see it happening right now, but I am wired.

    My main questions are these:

    1. Why does my AP need to talk on its own IP to the outside world?
    2. Why is it still talking to the outside world when I have it blocked in the FW and the Web Filter?

    Here is my FW rule, placed near the top, with my other In>Out block rules:

      I never see this rule triggered, though.

    Here is the web filter profile:

    And the policy test shows that it should be blocked, and applies the correct profile:

    Also for reference, here is when they were talking more, before I blocked it outright while I investigate:


    Sophos UTM Home user since 2015

    Running on Q350G4 Core i5-4200U 8GB
