topic Re: Malware site and response page - problem in General Topics

Malware site and response page - problem

_slv_ — Mon, 08 Dec 2014 11:29:59 GMT

Hello

Some time ago I created url-filtering profile:

Today I found in wildfire report that someone try to download something from malware site, so I try to check is my configuration works as expected.

First of all I checked is it still a malware site:

admin@PA-200> test url sunrisebrowse.net

sunrisebrowse.net malware-sites (Base db) (I'm using BrightCloud URL Filtering)

so I started browser and I try to open "sunrisebrowse.net" after 30s or more browser wos redirected to:

"http://8.34.112.54:6080/php/urlblock.php?vsys=1&cat=10056&title=malware-sites&rulename=Lan_A%20NAT%20-%20monitoring&uid=45&url=http://sunrisebrowse.net%2f"

and timeout was displayed in browser. I expected responce page insted of timeout...

I found the session:

61542	undecided	ACTIVE FLOW ND 192.168.1.35[59936]/Lan_A/6 (192.168.1.35[59936])
vsys1	8.34.112.54[6080]/captive-portal (127.131.1.1[6180])

admin@PA-200> show session id 61542

Session 61542

c2s flow:

source: 192.168.1.35 [Lan_A]

dst: 8.34.112.54

proto: 6

sport: 59936 dport: 6080

state: INIT type: FLOW

src user: unknown

dst user: unknown

s2c flow:

source: 127.131.1.1 [captive-portal]

dst: 192.168.1.35

proto: 6

sport: 6180 dport: 59936

state: INIT type: FLOW

src user: unknown

dst user: unknown

qos node: ethernet1/4.1, qos member Qid 0

match src interface: any

match src address: ('any ',)

start time : Mon Dec 8 11:26:16 2014

timeout : 30 sec

total byte count(c2s) : 206

total byte count(s2c) : 0

layer7 packet count(c2s) : 3

layer7 packet count(s2c) : 0

vsys : vsys1

application : incomplete

rule : captive-portal

session to be logged at end : False

session in session ager : False

session updated by HA peer : False

address/port translation : destination

nat-rule : NAT_Lan_A(vsys1)

layer7 processing : enabled

URL filtering enabled : False

session via prediction : True

use parent's policy : False

session via syn-cookies : False

session terminated on host : True

session traverses tunnel : False

captive portal session : True

ingress interface : ethernet1/4.1

egress interface : ethernet1/1

session QoS rule : N/A (class 4)

end-reason : aged-out

Ethernet interface for zone where is my workstation hasn't captiveportal option enabled.

Why this session is "rule : captive-portal", similar config works perfecly for wiruses, ie. when I try to downloaad Eicar sample I get responce page with warning.

What's wrong in my configuration? do I miss something?

Regards

SLawek

Re: Malware site and response page - problem

ssharma — Mon, 08 Dec 2014 13:23:47 GMT

Hi slv ,

Can you share snapshot of your captive portal configuration? Do you have captive portal configuration for Lan_A zone, not interface but the zone itself. Thank you.

Re: Malware site and response page - problem

_slv_ — Mon, 08 Dec 2014 13:36:43 GMT

Nope:

and interface

and zone

Slawek

Re: Malware site and response page - problem

ssharma — Mon, 08 Dec 2014 15:59:25 GMT

Hi Slawek,

Based on the configuration you should not get captive portal page. And the redirect host ("http://8.34.112.54:6080/php/urlblock.php...) itself is IP address of sunrisebrowse.net, that is not expected either. Could you please confirm, what is the redirect host or ip you have configured under Captive Portal settings. Also can you change the action of malware site to block, commit and access the site one more time and verify you get the same results. Thank you.

Re: Malware site and response page - problem

_slv_ — Mon, 08 Dec 2014 17:29:25 GMT

Before I post here this problem I tryed to chage action to block - same resoults

CP IP is 192.168.110.1 thats is a gatway IP of diffrenet zone/network than my workstation network.

Regards

SLawek

Re: Malware site and response page - problem

mivaldi — Mon, 08 Dec 2014 19:56:25 GMT

Your management profile on ethernet1/4.1 is set to Ping_Only.

Try activating "Response Pages" on the Management profile.

The connection you see is trying to go to 6080. That is the Captive Portal Response Page port.

As you can see on the Management Profile Help file:

The Response Pages check box controls whether the ports used to serve captive portal and URL filtering response pages are open on Layer 3 interfaces. Ports 6080 and 6081 are left open if this setting is enabled.

Let us know if that helped.

Re: Malware site and response page - problem

_slv_ — Tue, 09 Dec 2014 07:58:05 GMT

How You can expain that on the same workstation Response Page is shoing properply when I try to download Eicar sample?

I changed profile for this interface (added response pages) but it dosn't help me, so I think is time for support...

Regards

Slawek