
Blocked Site no reason code in syslog

We are trialling the web appliance and are trying to access an ftp site.

If we perform a lookup the appliance is saying it's allowed - however syslog returns act=-1(blocked) and the rsn=-

Can somebody advise how to resolve this?

We have added it to the local site list as a trusted site but this does not resolve it either.



This thread was automatically locked due to age.
  • Full string from syslog

    u="Domain\\User" s=503 X=- t=1436438490 T=181574545 Ts=181 act=-1 cat="0x2200000006" rsn=- threat="-" type="-" ctype="text/html" sav-ev=- sav-dv=- uri-dv=- cache=MISS in=84 out=4997 meth=GET ref="-" ua="-" req="GET ftp://ftpurl/ HTTP/1.1" dom="domain" filetype="-" rule="0" filesize=- axtime=0.003934 fttime=0.000000 scantime=- src_cat="0x2000000006" labs_cat="0x2000000006" dcat_prox="-" target_ip="targetipadd" labs_rule_id="0" reqtime=- adtime=0.000000 ftbypass=- os=Windows authn=53 auth_by=sso_cache dnstime=0.000051 quotatime=-

  • I guess your ftp site requires username and password. You have to specify username and password in url.

    ftp://username:password@ftpurl

  • It does require a logon but that's not the solution

  • It's hard to tell from the log... but

    s=503 is the internet code 503

    act=-1 is blocked

    0x2200000006 category of Business

     rsn=-  this would normally be a number like 1406 if the category business was blocked.

    GET ftp://ftpurl/ HTTP/1.1 if this URL is an IP address you will need to make sure that  configuration / global policy / general options "allow public IP address" IS checked off.

    I understand you wanting to block everything out (I would too) but look at those ones; the target_ip= may be useful too.

    the complete log entry can be found here: http://wsa.sophos.com/docs/wsa/swa4_docs/#concepts/AppInterpretingASophosLog.htm

    ftp over port 80 IS supported, ftp over any other port will be problematic, i.e. 21 or 1021

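The field-by-field reading given in the last reply can be automated. The following is an added example, not code from the thread's posters or from Sophos: it parses the key=value entry format shown above and reports the fields the reply walks through. The function names are hypothetical, `THREAD_ENTRY` is abbreviated from the entry posted in the thread, and `CONSTRUCTED_ENTRY` is a made-up contrast case using the 1406 reason code mentioned in the reply.

```python
import re

# One key=value pair: the value is either double-quoted (may contain spaces)
# or a bare token such as "-" or "503".
PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')

# Abbreviated from the entry posted in the thread (placeholders kept as posted).
THREAD_ENTRY = (r'u="Domain\\User" s=503 X=- t=1436438490 act=-1 '
                r'cat="0x2200000006" rsn=- ctype="text/html" meth=GET '
                r'req="GET ftp://ftpurl/ HTTP/1.1" dom="domain" '
                r'target_ip="targetipadd"')

# Constructed contrast case: same category, but with a reason code present.
CONSTRUCTED_ENTRY = ('act=-1 cat="0x2200000006" rsn=1406 '
                     'req="GET http://example.test/ HTTP/1.1"')


def parse_entry(line):
    """Return the fields of one log entry as a dict, surrounding quotes removed."""
    fields = {}
    for key, raw in PAIR.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def triage(fields):
    """List the observations the thread makes about an entry."""
    notes = []
    blocked = fields.get("act") == "-1"          # act=-1 means blocked
    if blocked and fields.get("rsn", "-") == "-":
        notes.append("blocked without a reason code")
    elif blocked:
        notes.append("blocked, reason code " + fields["rsn"])
    if fields.get("s") == "503":
        notes.append("HTTP status 503")
    # The request line shows whether an ftp:// URL was sent through the proxy.
    m = re.match(r"(\w+) (\w+)://", fields.get("req", ""))
    if m and m.group(2).lower() == "ftp":
        notes.append("FTP URL requested via " + m.group(1))
    return notes


if __name__ == "__main__":
    for entry in (THREAD_ENTRY, CONSTRUCTED_ENTRY):
        print(triage(parse_entry(entry)))
```

Entries that come back as "blocked without a reason code" are the ones where, as in this thread, the policy lookup and the logged action disagree and the remaining fields (`s`, `req`, `target_ip`) are worth reading.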