
XG blocking all HTTP after reboot, no entries in the logs to diagnose

XG330 (SFOS 17.5.12 MR-12) 

Since firewall reboot last night our XG is now blocking all HTTP sites and displaying the following page. We have not made any changes to any rules, and the HTTPS version of the site works fine.

More critically, there are no entries in the log viewer for these blocks to help diagnose which area of the XG is causing this block.



  • Check your Pattern.

     Seems like your patterns are broken.

    Check /log/u2d.log


  • Looks to be "FATAL : Error in parsing response, exiting." on both the Firmware and Patterns updates:

    Extract from u2d.log with Serial and DeviceID redacted:

    DEBUG Oct 21 12:24:06 [2654]: --serial = [redacted]
    DEBUG Oct 21 12:24:06 [2654]: --deviceid = [redacted]
    DEBUG Oct 21 12:24:06 [2654]: --fwversion = 17.5.12.664
    DEBUG Oct 21 12:24:06 [2654]: --productcode = CN
    DEBUG Oct 21 12:24:06 [2654]: --model = XG330
    DEBUG Oct 21 12:24:06 [2654]: --vendor = WP02
    DEBUG Oct 21 12:24:06 [2654]: --sfmversion = --oem
    DEBUG Oct 21 12:24:06 [2654]: Added new server : Host - , Port - 8443
    DEBUG Oct 21 12:24:06 [2654]: Final query string is :
    ?&serialkey=[REDACTED]&deviceid=[REDACTED]&fwversion=17.5.12.664&productcode=CN&appmodel=XG330&appvendor=WP02&useragent=SF&oem=&sfmversion=--oem
    DEBUG Oct 21 12:24:06 [2654]: Response code : 0
    DEBUG Oct 21 12:24:06 [2654]: Response body :

    DEBUG Oct 21 12:24:06 [2654]: Response length : 0
    ERROR Oct 21 12:24:06 [2654]: Response not parsed successfully.
    ERROR Oct 21 12:24:06 [2654]: FATAL : Error in parsing response, exiting.
    DEBUG Oct 21 12:24:16 [3041]: --serial = [redacted]
    DEBUG Oct 21 12:24:16 [3041]: --deviceid = [redacted]
    DEBUG Oct 21 12:24:16 [3041]: --fwversion = 17.5.12.664
    DEBUG Oct 21 12:24:16 [3041]: --productcode = CN
    DEBUG Oct 21 12:24:16 [3041]: --model = XG330
    DEBUG Oct 21 12:24:16 [3041]: --vendor = WP02
    DEBUG Oct 21 12:24:16 [3041]: --pkg_ips_version = 9.17.14
    DEBUG Oct 21 12:24:16 [3041]: --pkg_ips_cv = 14.0
    DEBUG Oct 21 12:24:16 [3041]: --pkg_atp_version = 1.0.0302
    DEBUG Oct 21 12:24:16 [3041]: --pkg_atp_cv = 1.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_savi_version = 1.0.0
    DEBUG Oct 21 12:24:16 [3041]: --pkg_savi_cv = 1.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_avira_version = 1.0.0
    DEBUG Oct 21 12:24:16 [3041]: --pkg_avira_cv = 4.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_apfw_version = 11.0.012
    DEBUG Oct 21 12:24:16 [3041]: --pkg_apfw_cv = 1.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_waf_version = 1.0.0006
    DEBUG Oct 21 12:24:16 [3041]: --pkg_waf_cv = 1.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_sslvpn_version = 1.0.007
    DEBUG Oct 21 12:24:16 [3041]: --pkg_sslvpn_cv = 1.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_ipsec_version = 1.4.001
    DEBUG Oct 21 12:24:16 [3041]: --pkg_ipsec_cv = 1.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_clientauth_version = 1.0.0019
    DEBUG Oct 21 12:24:16 [3041]: --pkg_clientauth_cv = 2.00
    DEBUG Oct 21 12:24:16 [3041]: --pkg_redfw_version = 3.0.000
    DEBUG Oct 21 12:24:16 [3041]: --pkg_redfw_cv = 2.00
    DEBUG Oct 21 12:24:16 [3041]: --sfmversion = --oem
    DEBUG Oct 21 12:24:16 [3041]: Added new server : Host - , Port - 8443
    DEBUG Oct 21 12:24:16 [3041]: Final query string is :
    ?&serialkey=[REDACTED]&deviceid=[REDACTED]&fwversion=17.5.12.664&productcode=CN&appmodel=XG330&appvendor=WP02&useragent=SF&oem=&pkg_ips_version=9.17.14&pkg_ips_cv=14.0&pkg_atp_version=1.0.0302&pkg_atp_cv=1.00&pkg_savi_version=1.0.0&pkg_savi_patch=2&pkg_savi_cv=1.00&pkg_avira_version=1.0.0&pkg_avira_patch=2&pkg_avira_cv=4.00&pkg_clientauth_version=1.0.0019&pkg_clientauth_cv=2.00&pkg_apfw_version=11.0.012&pkg_apfw_cv=1.00&pkg_redfw_version=3.0.000&pkg_redfw_cv=2.00&pkg_waf_version=1.0.0006&pkg_waf_cv=1.00&pkg_sslvpn_version=1.0.007&pkg_sslvpn_cv=1.00&pkg_ipsec_version=1.4.001&pkg_ipsec_cv=1.00&sfmversion=--oem
    DEBUG Oct 21 12:24:16 [3041]: Response code : 0
    DEBUG Oct 21 12:24:16 [3041]: Response body :

    DEBUG Oct 21 12:24:16 [3041]: Response length : 0
    ERROR Oct 21 12:24:16 [3041]: Response not parsed successfully.
    ERROR Oct 21 12:24:16 [3041]: FATAL : Error in parsing response, exiting.
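
    The log extract above carries a clear failure signature: an "Added new server" line with an empty Host, a response code of 0, a zero-length body, and the FATAL parse abort that follows. The following script is an added example, not Sophos tooling from the thread, that groups u2d.log lines by the process id in brackets, extracts those fields per update-check run, and reports which of the symptoms each run shows. The sample log embedded in it is constructed to mirror the lines quoted above (serial and device id stay redacted) plus one healthy run with a made-up host so the two outcomes can be compared:

    ```python
    """Triage helper for SFOS u2d.log update-check runs (added example, not Sophos code)."""
    import re
    from dataclasses import dataclass, field
    from typing import Dict, List, Optional
    from urllib.parse import parse_qs

    # Constructed sample: first run mirrors the failing lines quoted in the thread,
    # second run is an invented healthy check (host "update.example" is a placeholder).
    SAMPLE_U2D_LOG = """\
    DEBUG Oct 21 12:24:06 [2654]: --fwversion = 17.5.12.664
    DEBUG Oct 21 12:24:06 [2654]: --model = XG330
    DEBUG Oct 21 12:24:06 [2654]: Added new server : Host - , Port - 8443
    DEBUG Oct 21 12:24:06 [2654]: Final query string is :
    ?&serialkey=[REDACTED]&deviceid=[REDACTED]&fwversion=17.5.12.664&productcode=CN&appmodel=XG330&oem=
    DEBUG Oct 21 12:24:06 [2654]: Response code : 0
    DEBUG Oct 21 12:24:06 [2654]: Response body :

    DEBUG Oct 21 12:24:06 [2654]: Response length : 0
    ERROR Oct 21 12:24:06 [2654]: Response not parsed successfully.
    ERROR Oct 21 12:24:06 [2654]: FATAL : Error in parsing response, exiting.
    DEBUG Oct 21 12:30:00 [3100]: --fwversion = 17.5.12.664
    DEBUG Oct 21 12:30:00 [3100]: Added new server : Host - update.example, Port - 443
    DEBUG Oct 21 12:30:00 [3100]: Response code : 200
    DEBUG Oct 21 12:30:00 [3100]: Response length : 512
    """

    # "LEVEL Mon DD HH:MM:SS [pid]: message" is the line shape seen in the thread's extract.
    LINE_RE = re.compile(r"^(?P<level>[A-Z]+)\s+(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\[(?P<pid>\d+)\]:\s?(?P<msg>.*)$")
    SERVER_RE = re.compile(r"Added new server : Host - (?P<host>[^,]*), Port - (?P<port>\d*)")
    CODE_RE = re.compile(r"Response code : (?P<code>\d+)")
    LEN_RE = re.compile(r"Response length : (?P<len>\d+)")


    @dataclass
    class UpdateRun:
        """Fields of interest for one u2d invocation (one pid)."""
        pid: str
        host: Optional[str] = None
        port: Optional[str] = None
        response_code: Optional[int] = None
        response_length: Optional[int] = None
        fatal: bool = False
        query: Dict[str, str] = field(default_factory=dict)
        pending_query: bool = False  # next non-prefixed line is the query string


    def parse_u2d(text: str) -> List[UpdateRun]:
        """Group log lines by pid and pull out server, query and response details."""
        runs: Dict[str, UpdateRun] = {}
        order: List[UpdateRun] = []
        current: Optional[UpdateRun] = None
        for raw in text.splitlines():
            m = LINE_RE.match(raw)
            if not m:
                # Continuation line: the query string is printed on its own line
                # right after "Final query string is :"; everything else is skipped.
                if current is not None and current.pending_query and raw.startswith("?"):
                    pairs = parse_qs(raw.lstrip("?&"), keep_blank_values=True)
                    current.query = {k: v[0] for k, v in pairs.items()}
                    current.pending_query = False
                continue
            pid, msg = m["pid"], m["msg"]
            if pid not in runs:
                runs[pid] = UpdateRun(pid=pid)
                order.append(runs[pid])
            current = runs[pid]
            if (s := SERVER_RE.search(msg)):
                current.host = s["host"].strip()
                current.port = s["port"]
            elif msg.startswith("Final query string is"):
                current.pending_query = True
            elif (c := CODE_RE.search(msg)):
                current.response_code = int(c["code"])
            elif (n := LEN_RE.search(msg)):
                current.response_length = int(n["len"])
            elif "FATAL" in msg:
                current.fatal = True
        return order


    def diagnose(run: UpdateRun) -> List[str]:
        """Return human-readable findings for the symptoms visible in the thread."""
        findings = []
        if run.host == "":
            findings.append(f"[{run.pid}] update server host is empty (port {run.port}): "
                            "check the upstream/parent proxy settings")
        if run.response_code == 0:
            findings.append(f"[{run.pid}] response code 0: no HTTP reply was received at all")
        if run.response_length == 0:
            findings.append(f"[{run.pid}] empty response body, so the version check cannot be parsed")
        if run.fatal:
            findings.append(f"[{run.pid}] u2d aborted with a FATAL parse error")
        return findings


    def triage(text: str) -> Dict[str, List[str]]:
        """Map each pid to its findings; a run with no findings looks healthy."""
        return {run.pid: diagnose(run) for run in parse_u2d(text)}


    if __name__ == "__main__":
        for pid, notes in triage(SAMPLE_U2D_LOG).items():
            print(pid, "OK" if not notes else "")
            for note in notes:
                print("  ", note)
    ```

    Run against a real /log/u2d.log, the same grouping lets you confirm whether a change such as clearing the parent proxy actually altered the host the checker connects to, rather than reading the raw lines by eye.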

  • The problem seems to be the "empty" body. 

    We are sending this "final query" to the backend server to get the current version.

    But you get back: 

    DEBUG Oct 21 12:24:16 [3041]: Response body :

    Which indicates that the response is empty.

    Did you redact the following line: DEBUG Oct 21 12:24:16 [3041]: Added new server : Host - , Port - 8443

    And why is there a parent proxy port? 

    Do you use a parent proxy? If not, please try to set one and then empty the configuration.


  • Hi : Please share the support case ID for the firmware-check-fails issue for my reference.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • That line wasn't redacted, verbatim from the log file:

    DEBUG Oct 21 12:24:16 [3041]: Added new server : Host - , Port - 8443

    We don't use a parent proxy. The setting in Routing > Upstream Proxy was not enabled but did include a port number. I've emptied the config there and saved. Still fails on the Firmware and Pattern updates:

  • Check for Firmware Update error: Case ID is: 03252846

  • Hi : Thanks for sharing case ID.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Also Case ID for Sophos Central Management is: 03255107

  • If you try to enable the parent proxy and enter some data and disable it again, does it work? 


  • No, sorry, it still fails after entering junk, saving successfully, and then emptying parent proxy settings:

    Junk data entered to parent proxy:

    Junk data emptied again:

    The u2d.log entries quoted above present the same ERROR parse issue, empty response string, and the strange "Added new server" entry with an empty Host and Port 8443.

  • I decided to try to manually update the Patterns using the instructions for Air Gap appliances: https://support.sophos.com/support/s/article/KB-000038577  

    The patterns are available: https://airgap.u2d.sophos.com/sfos_patterns_update.tar  

    This alone hadn't worked, but toggling the Web > General Settings > Malware and content scanning > Scan engine selection: from Single Engine: Sophos to Avira and then to Dual Engine (as we use Sandstorm) seems to have fixed the block on HTTP traffic that was the original reason for this post.

    However the Pattern Update and the Firmware Update are still failing with the red error described earlier in this discussion. The u2d.log entries I will post here shortly.

  • Sophos Support case resolution suggested that Allow auto-install of hotfixes was not enabled and this appliance missed out on hotfix HF062020.1; they also suggested this fix was included in the latest v.17 firmware.

    Manually updating the firmware from 17.5.12 MR-12 to 17.5.14 MR-14-1 has resolved the issues we were experiencing, specifically:  

    1. Browsing to HTTP websites displayed a Stop! Security risk detected page, no entry posted to log viewer.
    2. System > Backup & Firmware > Firmware: Check for new firmware with Red error displayed 'Check for new firmware failed'.
    3. System > Backup & Firmware > Pattern update: Update pattern now with Red error displayed 'Failed to check for pattern updates'.
    4. Central Synchronization > Manage from Sophos Central > Configure > Send configuration backup to Sophos Central with Red error 'Couldn’t apply settings to enable firewall management from Sophos Central.'
    5. System > Administration > Central Management > Central Management settings > Manage your firewall using toggle was stuck ON and couldn't deactivate.

    Hope this helps any others experiencing similar issues.

    Thanks and for your help and direction.