Sophos Update Error - Troubleshooting with Palo Alto Firewall - NETSEC

Friday, January 26, 2018

Our Sophos Management Server sits behind a Palo Alto firewall. The server is used to centrally update and manage all internal Sophos clients, so it is the one host that needs outbound access to the Sophos update sites.


After a fresh installation of this Sophos Management Server, we found that updates from the Internet always failed. The Palo Alto security rule was configured with FQDN address objects as the destination. According to the Sophos support site:
"The Sophos Update Manager (SUM) server uses port 80 (http) and requires access to the following eight addresses:
  • dci.sophosupd.com
  • d1.sophosupd.com
  • d2.sophosupd.com
  • d3.sophosupd.com
  • dci.sophosupd.net
  • d1.sophosupd.net
  • d2.sophosupd.net
  • d3.sophosupd.net
"

Although all eight of those hosts had been added as FQDN address objects on the Palo Alto firewall, the rule still did not work. Even after changing the destination to any, the Sophos Update Manager still reported the update as failed.




Let's take a look at the Palo Alto firewall rule as it was configured before the change:



and at the Palo Alto logs:


We found that the Palo Alto firewall had classified some of the update connections as a threat and denied the file downloads from the Sophos update site. In other words, the traffic was not being dropped by the security policy itself (the FQDN destinations were fine); it was being blocked by the threat inspection applied to the session.
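The two symptoms described above, a rule that looks correct yet "still does not work", and a download that is denied by threat inspection, look the same in the SUM console but behave differently on the wire. The script below is an added example (not code from the original post or from Sophos or Palo Alto) to run on the SUM server: it resolves each of the eight hosts quoted from the Sophos support page, sends an HTTP HEAD on TCP/80, and labels the outcome. A DNS failure points at the FQDN objects not resolving, a silent timeout points at a policy drop, and a connection reset mid-session is the signature of a security-profile (threat or antivirus) block. The port, timeout and the probe method are assumptions; the `probe` parameter exists so the classification logic can be exercised offline with fake results.

```python
"""
Connectivity check for the eight Sophos Update Manager (SUM) hosts.

Added example, not part of the original post. Labels returned by classify():
  dns-fail  -> the FQDN does not resolve; the firewall's FQDN address
               objects will not resolve either, so fix DNS first
  timeout   -> SYN silently dropped; suspect the security policy
  reset     -> RST mid-session; suspect the threat/AV security profile
  http-NNN  -> a full HTTP exchange completed through the firewall
"""
import socket
import http.client
from typing import Callable, Dict, List

# The eight hosts listed on the Sophos support page (quoted in the post).
SOPHOS_UPDATE_HOSTS: List[str] = [
    "dci.sophosupd.com", "d1.sophosupd.com", "d2.sophosupd.com", "d3.sophosupd.com",
    "dci.sophosupd.net", "d1.sophosupd.net", "d2.sophosupd.net", "d3.sophosupd.net",
]

# Assumed: SUM talks plain HTTP on TCP/80, as the quoted support note says.
PORT = 80
TIMEOUT_SECONDS = 5


def probe_http(host: str) -> int:
    """Resolve `host`, open TCP/80 and send an HTTP HEAD for '/'.

    Returns the HTTP status code. Any network failure propagates as the
    underlying exception so that classify() can name it.
    """
    socket.getaddrinfo(host, PORT)  # raises socket.gaierror on DNS failure
    conn = http.client.HTTPConnection(host, PORT, timeout=TIMEOUT_SECONDS)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()


def classify(host: str, probe: Callable[[str], int] = probe_http) -> str:
    """Map the outcome of one probe to a short diagnostic label."""
    try:
        status = probe(host)
    except socket.gaierror:
        return "dns-fail"
    except (socket.timeout, TimeoutError):
        return "timeout"            # silent drop: suspect the security policy
    except ConnectionResetError:
        return "reset"              # RST mid-session: suspect a threat/AV profile
    except OSError as exc:          # e.g. ConnectionRefusedError
        return f"error:{exc.__class__.__name__}"
    return f"http-{status}"


def check_all(hosts: List[str] = SOPHOS_UPDATE_HOSTS,
              probe: Callable[[str], int] = probe_http) -> Dict[str, str]:
    """Probe every host and return {host: label}."""
    return {h: classify(h, probe) for h in hosts}


def blocked_hosts(results: Dict[str, str]) -> List[str]:
    """Hosts whose label does not indicate a completed HTTP exchange."""
    return [h for h, label in results.items() if not label.startswith("http-")]


if __name__ == "__main__":
    results = check_all()
    for host, label in results.items():
        print(f"{host:22s} {label}")
    bad = blocked_hosts(results)
    print("all reachable" if not bad else f"not reachable: {', '.join(bad)}")
```

Run it before and after changing the rule and compare the labels: if every host moves from `reset` to an `http-` result, the change addressed the threat inspection rather than the rule's destination objects. Hosts that stay at `timeout` still have a policy problem that no profile change will fix.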


Let's modify the rule:


After the change, the Sophos Update Manager status looks much better:








YouTube video: A Quick Look at Sophos Enterprise Console 5.5:








