A documentation of the different Sophos UTM layers

Sophos UTM is built from many open source services, each serving a different function. Web Protection is a Squid proxy that can be used via the proxy IP or in transparent mode; the VPN service “pluto” is an implementation of strongSwan; and so on. A data packet runs through many of these layers, and I tried to figure out in which order this happens. I hope the order is correct :->

utm-layer

Feel free to correct me in the comments. I will be on vacation in Las Vegas and will answer after my holiday. I wish you a nice weekend! See you!

Sophos released Update 9.402-7

  • Maintenance Release
  • System will be rebooted
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade

Changelog:

NUTM-1955 [Access & Identity] 35658: VLAN Interface on top of a bridge disappears from Slave after Reboot
NUTM-1958 [Access & Identity] 34242: Communication error with Amazon AWS server
NUTM-2129 [Access & Identity] 36050: File Copy from network share over RED50 does not work in one direction
NUTM-2234 [Access & Identity] 35592: Backup from 220 to 230 caused eth3 to exist two times
NUTM-2449 [Access & Identity] 36228: RED Server sends more peers as peers are configured
NUTM-2706 [Access & Identity] Still coredumps from argos after installing the new fix from mantis 35353
NUTM-2842 [Access & Identity] 35423: irqd: Support more than 32 cpus
NUTM-2844 [Access & Identity] 36028: 82546GB Gigabit Ethernet Controller: Reset adapter / Detected Tx Unit Hang
NUTM-2950 [Access & Identity] RED15: fix dnsmasq for transparent/split
NUTM-3049 [Access & Identity] 36382: reds-interface does not get IP after re-activating RED device
NUTM-3083 [Access & Identity] IPv6 address in log line shortened
NUTM-3190 [Access & Identity] IPsec site-to-site: Limit of listening interfaces of 300
NUTM-3252 [Access & Identity] High disk I/O during pattern update on smaller UTM appliances
NUTM-3522 [Access & Identity] RED15 with static uplink and dns name as utm hostname doesn’t work correctly
NUTM-3661 [Access & Identity] After deleting red15w mdw crashes
NUTM-1371 [Basesystem] 35523: adbs-maintenance.plx – ERROR: canceling autovacuum task – waits for ShareUpdateExclusiveLock/AccessExclusiveLock
NUTM-1798 [Basesystem] 35862: Confd doesn’t check for valid local time which can lead to dashboard error
NUTM-2804 [Basesystem] 36226: Network Utillization on HW LCD doesn’t match iftop and webadmin values
NUTM-3325 [Email] Bug on Malware scanning UI Text
NUTM-3558 [Email] Sandbox result shows up in messages
NUTM-3575 [Email] Detailed view defective for Sandstorm pending mails
NUTM-3582 [Email] smtpd sometimes gets stuck when creating a cluster
NUTM-3620 [Email] Add capabilities to Quarantine manager’s spool tab to handle multiple items for the same massage
NUTM-2015 [HA/Cluster] Prevent users from changing postgres_secret
NUTM-2290 [HA/Cluster] Prevent backup import from changing postgres_secret
NUTM-2677 [HA/Cluster] 36293: The Slave node in HA doesn’t show any resource usage
NUTM-1956 [Network] 35582: flow monitor invents traffic on wlan1 interface
NUTM-2236 [Network] 34828: don’t start dhclient without interface
NUTM-3156 [Network] Slave interface IP where WAF is listen to get lost after a while
NUTM-3304 [Network] nic-naming: Provide a fix for delayed 210r2 software support
NUTM-3176 [Reporting] In web usage reporting some domains show up as only the suffix
NUTM-2779 [WAF] WAF – Slow HTTP error messages do not match the description
NUTM-3175 [WebAdmin] It is not possible to select a vlan interface for the “Ping Check”
NUTM-3177 [WebAdmin] Sort function in EPP manage computer didn’t work correctly
NUTM-3184 [WebAdmin] Etc\Greenwich set as timezone causes error on dashboard
NUTM-3185 [WebAdmin] Issues while using the “Search Log Files” tab in the “View Log Files” part of webadmin
NUTM-3311 [WebAdmin] Remove Support for TLS v1.0 from Apache Configuration
NUTM-3109 [Web] Proxy stops working without segfault or hint in the logs
NUTM-3114 [Web] ADSSO join didn’t work with special characters like \xF6
NUTM-3123 [Web] HTTP Log is flooded with “Server delivered only 0 of X bytes” messages
NUTM-3124 [Web] HTTP proxy intermittently stuck in ‘recv: Input/output error’
NUTM-3577 [Web] High CPU Load after update to 9.4
NUTM-3076 [WiFi] Split network modes do not work with RED15w
NUTM-3418 [WiFi] RED15w forgets its wireless encryption key after reboot
NUTM-3188 [[Backend/Devel] Confd] Domain-Regex object deployed from SUM will be created more than once
NUTM-3189 [[Backend/Devel] Confd] Auto packetfilter rule is not updated if the destination service object of a NAT will be changed

FTP Link: ftp://ftp.astaro.com/UTM/v9/up2date/u2d-sys-9.401011-402007.tgz.gpg

HTTP Link: http://ftp.astaro.com/UTM/v9/up2date/u2d-sys-9.401011-402007.tgz.gpg

Sophos UTM IPSec Fallback with different vendor

During a firewall migration at one of my customers, the IT director asked me whether we could configure IPsec fallback for the branch offices. The remote devices are all from Bintec, and there are over 30 branch offices. First, correct the NAT settings on all devices using the tutorial I blogged last year.

Now we configure the remote Bintec device. Go to VPN/IPsec. This is an example; you can choose whatever you want:

bintec-phase1

bintec-phase2

bintec-sa-status

This is the main VPN setting:

bintec-vpn1

This is the backup VPN setting:

bintec-vpn2

This is the configuration of the Sophos UTM:

IPsec Policy:

ipsec-policy

Remote gateway:

remote-gateway

Main VPN over Unitymedia line:

ipsec1

Backup VPN over Versatel line:

ipsec2

It’s important to activate “Bind tunnel to local interface”, because we will now work with multipath rules. Go to Interfaces & Routing / Interfaces / Multipath Rules and add two rules:

multipath-rules

So the remote network 192.168.22.0/24 is reachable over both WAN interfaces (because each tunnel is bound to its interface):

ipsec-view

If you disconnect the main line (in this example Unitymedia), the VPN stays active for over a minute. Be patient when you ping your remote device. After about a minute your pings get replies again, because both sides recognize that the main VPN tunnel is down and the multipath rule sends the traffic over the second line (Versatel). When the main line is back, the first multipath rule becomes active immediately.


Sophos UTM Update 9.401-11 is available!

You can download the new version directly from the FTP server:

u2d-sys-9.355001-401011.tgz.gpg (from 9.3 to 9.4)

u2d-sys-9.400009-401011.tgz.gpg (for an already installed 9.4)

News:

  • Features
  • Clientless SSO (STAS)
  • IPv6 Support for SSL VPN
  • Sandboxing for SMTP and Web
  • Support for new RED15w
  • Support for new SG Appliances SG85 and SG85w
  • Support for new 4x10G FP 1U network module
  • WAF persistent session cookies

Info:

  • System will be rebooted
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade

Bugfixes:

NUTM-1764 [Access & Identity] 35675: First time connection always fails with ssl remote access vpn and remote auth
NUTM-1768 [Access & Identity] 35689: RED50: Loadbalancing does not work
NUTM-1771 [Access & Identity] 35809: Group membership is not updated when prefetching backend users
NUTM-1772 [Access & Identity] 35859: Some users are removed from all groups during update_ad_bg_members
NUTM-1927 [Access & Identity] 35957: ERROR: netlink response for Increase seq numbers HA SYSTEM included errno 3: No such process
NUTM-1928 [Access & Identity] 35446: Problems with OpenVPN v2.3.0 and Win8 when client awake from sleep or hibernation mode
NUTM-1941 [Access & Identity] 35474: AD group cache still contains obsolete group information after update_ad_bg_members.plx is executed
NUTM-1942 [Access & Identity] 35279: Option “Drop packets from blocked hosts” does not work correctly
NUTM-1943 [Access & Identity] 35269: Random auth-pop ups in with eDir SSO
NUTM-1944 [Access & Identity] 35459: Site2Site SSLVPN client fails to add routes after server restart
NUTM-1945 [Access & Identity] 35778: Sometimes SAA connection disconnect for 3 minutes
NUTM-1947 [Access & Identity] 35926: VPN Signing CA using encryption of 1024bit
NUTM-1949 [Access & Identity] 35353: Intermittend authentication failed messages during unstable SAA connection
NUTM-1950 [Access & Identity] 35606: French keyboard layout not detected in HTML5 portal RDP connections
NUTM-1951 [Access & Identity] 35602: Outdated perl-ldap -0.39 causing errors in Intermediate.pm
NUTM-1953 [Access & Identity] 35143: LT2P remote access – client get assigned an IP from the pool which is already in use
NUTM-1961 [Access & Identity] 35791: QoS not working with more than 600 applications in a traffic selector definition
NUTM-1964 [Access & Identity] 33657: Bridge: Error messages when you enable / disable an additional address on a bridge
NUTM-1965 [Access & Identity] 34496: Bridge + QoS: Bandwidth pools does not work
NUTM-2080 [Access & Identity] 36079: RED Management can’t be enabled if the organisation name includes umlauts
NUTM-2082 [Access & Identity] 36025: Cisco VPN remote access: XAUTH credentials and Certificate can be from different users
NUTM-2132 [Access & Identity] 36064: Regeneration of VPN Signing CA doesn’t work
NUTM-2451 [Access & Identity] 36225: HTML5 portal RDP session to Windows 8.1 doesn’t work
NUTM-2715 [Access & Identity] 36312: RED15 responds to public DNS requests
NUTM-2817 [Access & Identity] [BETA] Site2Site SSLVPN routes not used if more than 1 connection is up
NUTM-2850 [Access & Identity] [BETA] Site2Site Problem – more connections
NUTM-896 [Access & Identity] 34886: filter:FORWARD:rule will cause a conntrack entry without SYN
NUTM-501 [Basesystem] 33039: SNMPd reports wrong mac address
NUTM-2746 [Email] sandbox module generated many error log messages
NUTM-3038 [Email] [BETA] Rescanning a mail after releasing from quarantine does not work
NUTM-3484 [Email] SMTP Proxy does not start after update to 9.4 after takeover
NUTM-1170 [HA/Cluster] 35285: repctl fails to start on slave node – can’t use string (“reporting”) as a HASH ref
NUTM-1737 [HA/Cluster] 35814: UTM doesn’t respond to arp requests after HA gets disabled
NUTM-3340 [Network] ATP alerts can be caused by external UDP DNS traffic (can lead to massive amounts of ATP alerts)
NUTM-1770 [RED] 35855: RED: Kernel crash – decompression failed: -22
NUTM-1952 [RED] 25775: RED: add message to warn users if they add a MAC to the list which is used by RED
NUTM-2365 [RED] 36159: High CPU load from confd caused by overflow on RED devices
NUTM-2676 [RED] 36303: USB deployed RED10 devices loose their static wan config
NUTM-1067 [WAF] 34447: Issue with WAF Rev. Auth. and OTP
NUTM-2368 [WAF] 36061: Unable to upload attachements with IE to backend server via WAF
NUTM-2555 [WAF] 36251: XSS vulnerability in mod_url_hardening
NUTM-2556 [WAF] 36272: XSS vulnerability in mod_avscan
NUTM-2689 [WAF] 36190: High swap usage caused by reverse proxy
NUTM-2809 [WAF] 36373: Reverse authentication: AH01627: AuthType configured with no corresponding authorization directives
NUTM-3027 [WAF] Random Confd message “Undefined subroutine register_logout_urls”
NUTM-3365 [Web] Filename is not preserved for sandboxed file if Content-Disposition header is missing
NUTM-2141 [WiFi] 35969: Sometimes inconsistent logging if a user is connected via hotspot
NUTM-2591 [WiFi] 36278: Increase maximum number of access points (APs)
NUTM-3066 [WiFi] AP10/30/50 reboot loop
NUTM-3355 [WiFi] VLAN Fallback mechanism broken since 9.4
NUTM-3437 [WiFi] Mesh broken on AP50 after upgrade to 9.4 SR

This update solves my problem with RED15 devices: the device was online (green status in the WebAdmin), but there was no traffic between the branch office and headquarters.

Sophos UTM elevated 9.4 soft-release

Sophos released the UTM update 9.4. You can upload the file via the WebAdmin or via the shell:

cd /var/up2date/sys

wget http://ftp.astaro.com/UTM/v9/up2date/u2d-sys-9.355001-400009.tgz.gpg

auisys.plx --showdesc
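The 9.401-11 post above lists two different packages depending on what is installed (one for a 9.3 box, one for a box already on 9.4), and the shell procedure here downloads a single package by hand. Applying a package whose from-version does not match the installed release is the mistake to avoid. The following Python helper is an added example, not part of the original post and not Sophos tooling; it assumes, based only on the filenames shown on this page, that u2d-sys-<from>-<to>.tgz.gpg encodes a version such as 9.355-1 as 355001 (three-digit minor followed by a zero-padded three-digit patch), and it refuses packages whose from-version is not the installed version.

```python
import re

# Assumed encoding, inferred from the filenames on the page:
# 9.355-1 -> 9.355001, 9.400-9 -> 9.400009, 9.401-11 -> 9.401011
U2D_NAME = re.compile(r"^u2d-sys-(\d)\.(\d{3})(\d{3})-(\d{3})(\d{3})\.tgz\.gpg$")
VERSION = re.compile(r"^(\d)\.(\d{3})-(\d{1,3})$")


def decode_version(major, minor, patch):
    """Turn the filename fields ('9', '355', '001') back into the human form '9.355-1'."""
    return f"{major}.{minor}-{int(patch)}"


def encode_version(version):
    """Turn '9.355-1' into the filename form '9.355001' (assumed encoding, see above)."""
    m = VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised UTM version string: {version!r}")
    major, minor, patch = m.groups()
    return f"{major}.{minor}{int(patch):03d}"


def parse_u2d_name(filename):
    """Return {'from': ..., 'to': ...} for a u2d-sys package name, or raise ValueError."""
    m = U2D_NAME.match(filename)
    if not m:
        raise ValueError(f"not a u2d-sys package name: {filename!r}")
    major, from_minor, from_patch, to_minor, to_patch = m.groups()
    return {
        "from": decode_version(major, from_minor, from_patch),
        "to": decode_version(major, to_minor, to_patch),
    }


def u2d_applies(installed, filename):
    """True only when the package's from-version equals the installed version.

    Both sides are normalised through encode_version so that '9.355-01' and
    '9.355-1' compare equal.
    """
    info = parse_u2d_name(filename)
    return encode_version(info["from"]) == encode_version(installed)


def pick_package(installed, filenames):
    """Return the first package in `filenames` that applies to `installed`, else None.

    None means no listed package starts from the installed release (for example an
    old 9.312-81 box with only 9.355001-* packages available): an intermediate
    update is needed first instead of this file.
    """
    for name in filenames:
        if u2d_applies(installed, name):
            return name
    return None


if __name__ == "__main__":
    # Constructed example using the package names from the page
    available = [
        "u2d-sys-9.355001-401011.tgz.gpg",
        "u2d-sys-9.400009-401011.tgz.gpg",
    ]
    for installed in ("9.355-1", "9.400-9", "9.312-81"):
        print(installed, "->", pick_package(installed, available))
```

Run it as a script to see which of the two packages fits each installed release; a None result is the signal to stop and update to an intermediate version rather than downloading the file anyway.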

Changelogs

  • Clientless SSO (STAS)
  • IPv6 Support for SSL VPN
  • Sandboxing for SMTP and Web
  • Support for new RED15w
  • Support for new SG Appliances SG85 and SG85w
  • Support for new 4x10G FP 1U network module
  • WAF persistent session cookies

Info

  • System will be rebooted
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade

Bugfixes

NUTM-1764 [Access & Identity] 35675: First time connection always fails with ssl remote access vpn and remote auth
NUTM-1768 [Access & Identity] 35689: RED50: Loadbalancing does not work
NUTM-1771 [Access & Identity] 35809: Group membership is not updated when prefetching backend users
NUTM-1772 [Access & Identity] 35859: Some users are removed from all groups during update_ad_bg_members
NUTM-1927 [Access & Identity] 35957: ERROR: netlink response for Increase seq numbers HA SYSTEM included errno 3: No such process
NUTM-1928 [Access & Identity] 35446: Problems with OpenVPN v2.3.0 and Win8 when client awake from sleep or hibernation mode
NUTM-1941 [Access & Identity] 35474: AD group cache still contains obsolete group information after update_ad_bg_members.plx is executed
NUTM-1942 [Access & Identity] 35279: Option “Drop packets from blocked hosts” does not work correctly
NUTM-1943 [Access & Identity] 35269: Random auth-pop ups in with eDir SSO
NUTM-1944 [Access & Identity] 35459: Site2Site SSLVPN client fails to add routes after server restart
NUTM-1945 [Access & Identity] 35778: Sometimes SAA connection disconnect for 3 minutes
NUTM-1947 [Access & Identity] 35926: VPN Signing CA using encryption of 1024bit
NUTM-1949 [Access & Identity] 35353: Intermittend authentication failed messages during unstable SAA connection
NUTM-1950 [Access & Identity] 35606: French keyboard layout not detected in HTML5 portal RDP connections
NUTM-1951 [Access & Identity] 35602: Outdated perl-ldap -0.39 causing errors in Intermediate.pm
NUTM-1953 [Access & Identity] 35143: LT2P remote access – client get assigned an IP from the pool which is already in use
NUTM-1961 [Access & Identity] 35791: QoS not working with more than 600 applications in a traffic selector definition
NUTM-1964 [Access & Identity] 33657: Bridge: Error messages when you enable / disable an additional address on a bridge
NUTM-1965 [Access & Identity] 34496: Bridge + QoS: Bandwidth pools does not work
NUTM-2080 [Access & Identity] 36079: RED Management can’t be enabled if the organisation name includes umlauts
NUTM-2082 [Access & Identity] 36025: Cisco VPN remote access: XAUTH credentials and Certificate can be from different users
NUTM-2132 [Access & Identity] 36064: Regeneration of VPN Signing CA doesn’t work
NUTM-2451 [Access & Identity] 36225: HTML5 portal RDP session to Windows 8.1 doesn’t work
NUTM-2715 [Access & Identity] 36312: RED15 responds to public DNS requests
NUTM-2817 [Access & Identity] [BETA] Site2Site SSLVPN routes not used if more than 1 connection is up
NUTM-2850 [Access & Identity] [BETA] Site2Site Problem – more connections
NUTM-896 [Access & Identity] 34886: filter:FORWARD:rule will cause a conntrack entry without SYN
NUTM-501 [Basesystem] 33039: SNMPd reports wrong mac address
NUTM-2746 [Email] sandbox module generated many error log messages
NUTM-3038 [Email] [BETA] Rescanning a mail after releasing from quarantine does not work
NUTM-1170 [HA/Cluster] 35285: repctl fails to start on slave node – can’t use string (“reporting”) as a HASH ref
NUTM-1737 [HA/Cluster] 35814: UTM doesn’t respond to arp requests after HA gets disabled
NUTM-1770 [RED] 35855: RED: Kernel crash – decompression failed: -22
NUTM-1952 [RED] 25775: RED: add message to warn users if they add a MAC to the list which is used by RED
NUTM-2365 [RED] 36159: High CPU load from confd caused by overflow on RED devices
NUTM-2676 [RED] 36303: USB deployed RED10 devices loose their static wan config
NUTM-1067 [WAF] 34447: Issue with WAF Rev. Auth. and OTP
NUTM-2368 [WAF] 36061: Unable to upload attachements with IE to backend server via WAF
NUTM-2555 [WAF] 36251: XSS vulnerability in mod_url_hardening
NUTM-2556 [WAF] 36272: XSS vulnerability in mod_avscan
NUTM-2689 [WAF] 36190: High swap usage caused by reverse proxy
NUTM-2809 [WAF] 36373: Reverse authentication: AH01627: AuthType configured with no corresponding authorization directives
NUTM-3027 [WAF] Random Confd message “Undefined subroutine register_logout_urls”
NUTM-2141 [WiFi] 35969: Sometimes inconsistent logging if a user is connected via hotspot
NUTM-2591 [WiFi] 36278: Increase maximum number of access points (APs)
NUTM-3066 [WiFi] AP10/30/50 reboot loop


The files are available on the FTP server:

FTP Download

HTTP Download

Ekahau Site Survey 8.5.1 released

The software that I’m using for WiFi site surveys is Ekahau Site Survey. Version 8.5.1 was released yesterday. What is Ekahau? Over 12 years in the making, ESS™ maintains its reputation as the easiest to use, enterprise-grade Wi-Fi design and maintenance tool for Wi-Fi professionals. With crystal clear heat maps and easy-to-use reports, ESS makes it simple to optimize Wi-Fi. ESS allows you to plan and create Wi-Fi networks according to your performance and capacity requirements, taking into consideration the increasing amount of wireless clients and applications such as VoIP, HD video streaming and web browsing.

Version 8.5.1 highlights:

  • Improved support for dual-5 GHz access points – especially for scenarios where switching between 2.4+5GHz and 2 x 5GHz modes
    • Also added Cisco 2802 and 3802 APs that support dual-5 GHz
  • The super-annoying tooltip behavior switched to less-annoying (disclaimer: that’s hopefully less annoying, for most users, most of the time)
  • Easier moving of access points (no more pixel-perfect alignment of mouse cursor)
  • Improvements to network adapter behavior (more stable, more robust in VHD environments)
  • Support for older, v2 model of Ekahau Spectrum Analyzer (does not show overly-high noise floor anymore on 5GHz band)
  • Added antennas from Aruba, Terrawave, Samsung
  • Added Xirrus APs XD4, X2, XR-320
  • Small improvements, such as a fix for Cisco prime map import

Full release notes here!

Sophos Hardware Refresh Program

The upgrade paths of the hardware refresh program are not public. I want to show you which paths you can take. Here are some facts:

  • The Hardware Refresh Program is for customers who want to change from UTM/ASG to SG hardware or want to buy a higher SG model
  • SG and XG hardware are identical. SG has “Sophos UTM 9” preinstalled, XG has SFOS (Sophos Firewall Operating System) preinstalled
  • An SG license can be converted to an XG license at no cost

You receive a discount when you migrate to newer hardware. It is also possible to buy a new SG and convert it to XG:

utm-to-xg

Next month I need to migrate from a Sophos UTM 320 to an SG 450. This is not a “normal” migration, because we go to a higher model due to the customer’s strong growth. The “normal” hardware refresh would be to the “Sophos SG330”. If you change the hardware to this model, you have no further license costs; you only buy the new hardware. The license can be converted in your myUTM account. In this specific project we buy two new SG450 and convert the license from UTM320 to SG330, then to SG430 and then to SG450. In this case we lose license time by a factor that Sophos defines:

upgrade-paths

Example: We have 12 months left on our Full Guard subscription. 12 divided by 1.5 gives 8; 8 divided by 1.5 gives 5.33. So we have 5 months and 10 days left. After that we buy a new Full Guard subscription for three years.

When you want to go the same way, give your dealer all the information about it (upgrading to a higher hardware model and directly buying another Full Guard subscription). You will get a bigger discount that way! For more information visit www.sophos.de/refresh 🙂

Running USB NICs with Sophos UTM

Today I saw a USB 3.0 Gigabit Ethernet adapter at my company and wanted to know whether it works on a Sophos UTM. The adapter is a Digitus DN-3023 Gigabit Ethernet Adapter (RJ-45 to USB 3.0):

digitus-usb-nic

So I installed a new Sophos UTM on a barebone PC, using an old 9.312-81 software appliance ISO. After the installation and initial setup I couldn’t see the NIC in the Linux shell. I found an old feature request in which a product manager said that the AX88179 chip would be supported as of 9.317:

usbnicfeaturerequest

So I updated the UTM to 9.355-1. After a reboot I still couldn’t select this adapter in the WebAdmin, so I went to the Linux shell to check whether the hardware had been detected:

utm:/root # lsusb
Bus 001 Device 002: ID 045b:0209 Hitachi, Ltd
Bus 002 Device 002: ID 045b:0210 Hitachi, Ltd
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 058f:9254 Alcor Micro Corp. Hub
Bus 002 Device 003: ID 0b95:1790 ASIX Electronics Corp.
Bus 001 Device 004: ID 03f0:0024 Hewlett-Packard KU-0316 Keyboard
Bus 001 Device 005: ID 046d:c018 Logitech, Inc. Optical Wheel Mouse
Bus 001 Device 006: ID 10d5:55a4 Uni Class Technology Co., Ltd

As you can see, the “ASIX Electronics Corp.” USB NIC adapter was found. OK, let’s check whether the hardware is recognized as a network interface:

utm:/root # lshw -c network
*-network
description: Ethernet interface
product: RTL8111/8168 PCI Express Gigabit Ethernet controller
vendor: Realtek Semiconductor Co., Ltd.
physical id: 0
bus info: pci@0000:01:00.0
logical name: eth0
version: 06
serial: fc:aa:14:e3:38:49
size: 1Gbit/s
capacity: 1Gbit/s
width: 64 bits
clock: 33MHz
capabilities: pm msi pciexpress msix vpd bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=2.3LK-NAPI duplex=full firmware=rtl8168e-3_0.0.4 03/27/12 ip=192.168.0.1 latency=0 link=yes multicast=yes port=MII speed=1Gbit/s
resources: irq:105 ioport:e000(size=256) memory:d0704000-d0704fff memory:d0700000-d0703fff
*-network
description: Ethernet interface
product: RTL8111/8168 PCI Express Gigabit Ethernet controller
vendor: Realtek Semiconductor Co., Ltd.
physical id: 0
bus info: pci@0000:02:00.0
logical name: eth1
version: 06
serial: fc:aa:14:e3:38:47
size: 1Gbit/s
capacity: 1Gbit/s
width: 64 bits
clock: 33MHz
capabilities: pm msi pciexpress msix vpd bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=2.3LK-NAPI duplex=full firmware=rtl8168e-3_0.0.4 03/27/12 ip=10.192.227.96 latency=0 link=yes multicast=yes port=MII speed=1Gbit/s
resources: irq:106 ioport:d000(size=256) memory:d0604000-d0604fff memory:d0600000-d0603fff
*-network DISABLED
description: Ethernet interface
physical id: 1
bus info: usb@2:1.3
logical name: eth2
serial: 00:24:9b:0c:28:76
size: 10Mbit/s
capacity: 1Gbit/s
capabilities: ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt 1000bt-fd autonegotiation
configuration: autonegotiation=off broadcast=yes driver=ax88179_178a duplex=half link=no multicast=yes port=MII speed=10Mbit/s

The last *-network entry (bus info usb@2:1.3, driver ax88179_178a, marked DISABLED) is the USB NIC adapter. The device is still disabled; reboot to activate it. After that you can see the NIC adapter in the WebAdmin:

usb-asix

OK, but how does such a NIC perform? The barebone PC has USB 2.0 and 3.0 ports. I tested both and got the same bandwidth results:

usbnic-speed

The provider delivers a 100 Mbit synchronous internet line, so I can happily say that the USB NIC works very well! Here are the shell commands to check whether the adapter is connected to a USB 2.0 or a USB 3.0 port:

USB 2.0:

utm:/root # lsusb -t
/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/1p, 5000M
|__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 5000M
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 480M
|__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 480M
|__ Port 3: Dev 3, If 0, Class=vend., Driver=ax88179_178a, 480M

USB 3.0:

utm:/root # lsusb -t
/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/1p, 5000M
|__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 5000M
|__ Port 3: Dev 3, If 0, Class=vend., Driver=ax88179_178a, 5000M
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 480M
|__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 480M

USB 2.0 has a gross data rate of 480 MBit/s (recognizable by the “480M” at the end of the line); USB 3.0 is listed as “5000M” (its 5 Gbit/s signalling rate) and has a gross data rate of 4,000 MBit/s.
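Reading the speed column of `lsusb -t` by eye works for one adapter, but on a box with several USB devices it is easy to attribute the wrong line to the NIC. The following Python parser is an added example, not part of the original post; it walks the tree output shown above (embedded here as constructed sample strings copied from the two listings), attaches each device to the bus it hangs off, maps the speed string to a USB generation, and reports whether the USB link rather than the Ethernet side caps a gigabit adapter. The generation names are assumptions about how to label lsusb's speed values, not something the post states.

```python
import re

# Constructed samples: the two `lsusb -t` listings from the post (adapter on a USB 2.0
# port, then on a USB 3.0 port). The parser does not depend on the tree indentation.
LSUSB_T_ON_USB2 = """\
/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/1p, 5000M
    |__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 5000M
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 480M
    |__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 480M
        |__ Port 3: Dev 3, If 0, Class=vend., Driver=ax88179_178a, 480M
"""
LSUSB_T_ON_USB3 = """\
/: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/1p, 5000M
    |__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 5000M
        |__ Port 3: Dev 3, If 0, Class=vend., Driver=ax88179_178a, 5000M
/: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 480M
    |__ Port 1: Dev 2, If 0, Class=hub, Driver=hub/4p, 480M
"""

ROOT_LINE = re.compile(r"^/:\s+Bus (\d+)\.Port \d+: Dev \d+, Class=root_hub, Driver=\S+, (\S+)$")
DEV_LINE = re.compile(r"\|__ Port (\d+): Dev (\d+), If (\d+), Class=(\S+), Driver=(\S+), (\S+)$")

# Speed strings lsusb prints, labelled with the USB generation they correspond to (assumed labels)
GENERATION = {
    "1.5M": "USB 1.x low speed",
    "12M": "USB 1.x full speed",
    "480M": "USB 2.0 high speed",
    "5000M": "USB 3.0 SuperSpeed",
    "10000M": "USB 3.1 SuperSpeed+",
}


def parse_lsusb_tree(output):
    """Return one dict per non-root device, each carrying the bus number it hangs off."""
    bus = None
    devices = []
    for line in output.splitlines():
        root = ROOT_LINE.match(line.strip())
        if root:
            bus = int(root.group(1))      # every following device line belongs to this bus
            continue
        dev = DEV_LINE.search(line)
        if dev and bus is not None:
            port, devnum, iface, cls, driver, speed = dev.groups()
            devices.append({
                "bus": bus, "port": int(port), "dev": int(devnum), "interface": int(iface),
                "class": cls, "driver": driver, "speed": speed,
                "generation": GENERATION.get(speed, "unknown"),
            })
    return devices


def find_by_driver(output, driver):
    """All devices bound to `driver`, e.g. 'ax88179_178a' for the ASIX adapter."""
    return [d for d in parse_lsusb_tree(output) if d["driver"] == driver]


def speed_mbit(speed):
    """'480M' -> 480.0, '5000M' -> 5000.0"""
    return float(speed.rstrip("M"))


def bus_limits_nic(speed, nic_capacity_mbit):
    """True when the USB link speed is below the NIC's Ethernet capacity: a gigabit
    adapter on a 480M link still works, but cannot reach gigabit line rate."""
    return speed_mbit(speed) < nic_capacity_mbit


if __name__ == "__main__":
    for label, listing in (("USB 2.0 port", LSUSB_T_ON_USB2), ("USB 3.0 port", LSUSB_T_ON_USB3)):
        nic = find_by_driver(listing, "ax88179_178a")[0]
        print(label, nic["generation"], "bus", nic["bus"],
              "limits 1 Gbit/s NIC:", bus_limits_nic(nic["speed"], 1000))
```

On a live box, feed it `subprocess.check_output(["lsusb", "-t"], text=True)` instead of the sample strings. For the author's 100 Mbit line the USB 2.0 cap is irrelevant, which is why both ports gave the same result; the check matters once the uplink exceeds roughly 400 Mbit/s.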

Currently I’m working on a future project for a tiny UTM. I will use this adapter for it; keep in touch 😉


Sophos UTM Web Protection Workflow

Did you ever ask yourself how the Web Protection workflow works within the Sophos UTM? Many customers have problems understanding the way the proxy works. The proxy can be used transparently (man-in-the-middle for HTTP/HTTPS) or in “standard” mode, where you configure the proxy in your browser or via WPAD. The proxy differentiates requests by source, user and time.

Here is a workflow graphic I made:

Sophos UTM Web Protection Workflow

This is the workflow of one of my basic configurations for my customers. But what does it look like in the Sophos UTM WebAdmin? I configured a virtual test appliance with the names and settings from above to make it clearer:

webfilterprofiles

Profile for Server Area:

filterassignment_server

Profile for Office LAN:

filterassignment_officelan

Profile for Guests:

filterassignment_guests

I always configure new categories per group/purpose:

categories

I recommend configuring from “back to front”: Categories > Filter Actions > Filter Profiles. Here are my filter actions for this example:

filteractions


  • Example 1
    • Server “CustomerDC01” with IP 192.168.1.12 wants to update the Windows OS (HTTP requests to update.microsoft.com)
      • The HTTP connection is intercepted and allowed through the proxy because of a global exception entry
    • Server “CustomerDC01” with IP 192.168.1.12 wants to download SAP files from the internet
      • The connection is intercepted and scanned for malware (transparently; no proxy needs to be configured in a browser or the system)
  • Example 2
    • User “carl” (member of GL_All and GL_FacilityManager) wants to access Facebook at 4 o’clock
      • The browser tells the proxy “please fetch Facebook for me” > the proxy blocks the website (because social media is only allowed from 12 am to 1 pm)
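The two examples above are really one decision procedure applied to different inputs: global exceptions first, then the filter profile selected by the source address, then the filter action selected by the user's group, and finally the category of the host together with the time of day. The following Python model is an added example, not part of the original post and not how the UTM is implemented internally; the category table, the exception list, the three profiles and the network ranges for the Office LAN and guest network are constructed to mirror the post's names, and the lunchtime window is assumed to be 12:00 to 13:00. Within a profile the first assignment whose group the user belongs to wins, which is why the order of assignments matters for a user such as carl who is in several groups.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

# Constructed category table: hostname pattern -> category
CATEGORIES = {
    "*.microsoft.com": "os-updates",
    "*.sap.com": "business-downloads",
    "facebook.com": "social-media",
    "*.facebook.com": "social-media",
}

# Constructed global exceptions: matched before any profile, passed through unscanned
GLOBAL_EXCEPTIONS = ["update.microsoft.com", "*.windowsupdate.com"]


@dataclass
class FilterAction:
    name: str
    blocked: set = field(default_factory=set)    # categories always blocked
    windows: dict = field(default_factory=dict)  # category -> ("HH:MM", "HH:MM") when it is allowed
    scan_malware: bool = True


@dataclass
class Profile:
    name: str
    sources: list       # source networks that select this profile
    mode: str           # "transparent" or "standard"
    assignments: list   # [(group or None, FilterAction)], first matching group wins


def categorize(host):
    for pattern, category in CATEGORIES.items():
        if fnmatch(host, pattern):
            return category
    return "uncategorized"


def decide(profiles, src_ip, host, at, groups=()):
    """Return (verdict, scanned, reason); `at` is a zero-padded 'HH:MM' string so
    that plain string comparison orders times correctly."""
    # 1. Global exceptions bypass profiles, actions and scanning.
    if any(fnmatch(host, p) for p in GLOBAL_EXCEPTIONS):
        return ("allow", False, "global exception")
    # 2. The source address selects the filter profile.
    addr = ip_address(src_ip)
    profile = next((p for p in profiles if any(addr in ip_network(n) for n in p.sources)), None)
    if profile is None:
        return ("block", False, "no filter profile matches the source")
    # 3. The user's groups select the filter action within the profile.
    action = next((a for g, a in profile.assignments if g is None or g in groups), None)
    if action is None:
        return ("block", False, f"no filter action for this user in profile {profile.name}")
    # 4. The host's category and the time of day decide the verdict.
    category = categorize(host)
    if category in action.blocked:
        return ("block", False, f"{category} is blocked by action {action.name}")
    if category in action.windows:
        start, end = action.windows[category]
        if not start <= at < end:
            return ("block", False, f"{category} only allowed {start}-{end} by action {action.name}")
    return ("allow", action.scan_malware, f"allowed by action {action.name} ({profile.mode} mode)")


# Constructed configuration modelled on the post's three profiles
SERVERS = FilterAction("Servers")
OFFICE_STAFF = FilterAction("Office staff", windows={"social-media": ("12:00", "13:00")})
OFFICE_DEFAULT = FilterAction("Office default", blocked={"social-media"})
GUESTS = FilterAction("Guests", blocked={"business-downloads"})

PROFILES = [
    Profile("Server Area", ["192.168.1.0/24"], "transparent", [(None, SERVERS)]),
    Profile("Office LAN", ["192.168.10.0/24"], "standard",
            [("GL_FacilityManager", OFFICE_STAFF), ("GL_All", OFFICE_DEFAULT)]),
    Profile("Guests", ["192.168.20.0/24"], "transparent", [(None, GUESTS)]),
]

if __name__ == "__main__":
    carl = {"GL_All", "GL_FacilityManager"}
    print(decide(PROFILES, "192.168.1.12", "update.microsoft.com", "03:00"))
    print(decide(PROFILES, "192.168.1.12", "downloads.sap.com", "03:00"))
    print(decide(PROFILES, "192.168.10.5", "facebook.com", "16:00", carl))
    print(decide(PROFILES, "192.168.10.5", "facebook.com", "12:30", carl))
```

The four calls at the bottom reproduce the post's examples: the Windows update is allowed by the global exception without scanning, the SAP download is allowed but scanned, and carl's Facebook request is blocked at 16:00 but allowed at 12:30. Swapping the two Office LAN assignments would make GL_All match first for carl and block social media at any time, which is the ordering pitfall to check when a user is in several groups.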


If you want further examples, feel free to comment. Have a nice weekend! 🙂
