Malware site and response page - problem

Reply
Highlighted
L4 Transporter

Malware site and response page - problem

Hello

Some time ago I created url-filtering profile:

2014-12-08_104255.png

Today I found in wildfire report that someone try to download something from malware site, so I try to check is my configuration works as expected.

First of all I checked is it still a malware site:

admin@PA-200> test url sunrisebrowse.net

sunrisebrowse.net malware-sites (Base db) (I'm using BrightCloud URL Filtering)

so I started browser and I try to open "sunrisebrowse.net" after 30s or more browser wos redirected to:

"http://8.34.112.54:6080/php/urlblock.php?vsys=1&cat=10056&title=malware-sites&rulename=Lan_A%20NAT%2..."

and timeout was displayed in browser. I expected responce page insted of timeout...

I found the session:

61542    undecided  ACTIVE  FLOW  ND   192.168.1.35[59936]/Lan_A/6  (192.168.1.35[59936])
vsys1                                      8.34.112.54[6080]/captive-portal  (127.131.1.1[6180])

admin@PA-200> show session id 61542

Session           61542

        c2s flow:

                source:      192.168.1.35 [Lan_A]

                dst:         8.34.112.54

                proto:       6

                sport:       59936           dport:      6080

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

        s2c flow:

                source:      127.131.1.1 [captive-portal]

                dst:         192.168.1.35

                proto:       6

                sport:       6180            dport:      59936

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

                qos node:    ethernet1/4.1, qos member  Qid 0

                match src interface:  any

                match src address:    ('any                  ',)

        start time                           : Mon Dec  8 11:26:16 2014

        timeout                              : 30 sec

        total byte count(c2s)                : 206

        total byte count(s2c)                : 0

        layer7 packet count(c2s)             : 3

        layer7 packet count(s2c)             : 0

        vsys                                 : vsys1

        application                          : incomplete

        rule                                 : captive-portal

        session to be logged at end          : False

        session in session ager              : False

        session updated by HA peer           : False

        address/port translation             : destination

        nat-rule                             : NAT_Lan_A(vsys1)

        layer7 processing                    : enabled

        URL filtering enabled                : False

        session via prediction               : True

        use parent's policy                  : False

        session via syn-cookies              : False

        session terminated on host           : True

        session traverses tunnel             : False

        captive portal session               : True

        ingress interface                    : ethernet1/4.1

        egress interface                     : ethernet1/1

        session QoS rule                     : N/A (class 4)

        end-reason                           : aged-out

Ethernet interface for zone where is my workstation hasn't captiveportal option enabled.

Why this session is "rule : captive-portal", similar config works perfecly for wiruses, ie. when I try to downloaad Eicar sample I get responce page with warning.

What's wrong in my configuration? do I miss something?

Regards

SLawek

Tags (1)
Highlighted
L5 Sessionator

Hi slv ,

Can you share snapshot of your captive portal configuration? Do you have captive portal configuration for Lan_A zone, not interface but the zone itself. Thank you.

L4 Transporter

Nope:

2014-12-08_143322.png

and interface

2014-12-08_143443.png

and zone

2014-12-08_143614.png

Slawek

Highlighted
L5 Sessionator

Hi Slawek,

Based on the configuration you should not get captive portal page. And the redirect host ("http://8.34.112.54:6080/php/urlblock.php...) itself is IP address of sunrisebrowse.net, that is not expected either. Could you please confirm, what is the redirect host or ip you have configured under Captive Portal settings.  Also can you change the action of malware site to block, commit and access the site one more time and verify you get the same results. Thank you.

Highlighted
L4 Transporter

Before I post here this problem I tryed to chage action to block - same resoults

CP IP is 192.168.110.1 thats is a gatway IP of diffrenet zone/network than my workstation network.

Regards

SLawek

Highlighted
L7 Applicator

Your management profile on ethernet1/4.1 is set to Ping_Only.

Try activating "Response Pages" on the Management profile.

The connection you see is trying to go to 6080. That is the Captive Portal Response Page port.

As you can see on the Management Profile Help file:

The Response Pages check box controls whether the ports used to serve captive portal and URL filtering response pages are open on Layer 3 interfaces. Ports 6080 and 6081 are left open if this setting is enabled.


Let us know if that helped.

Highlighted
L4 Transporter

How You can expain that on the same workstation Response Page is shoing properply when I try to download Eicar sample?

I changed profile for this interface (added response pages) but it dosn't help me, so I think is time for support...

Regards

Slawek

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!