This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Malware site and response page - problem

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Malware site and response page - problem

_slv_
L4 Transporter

‎12-08-2014 03:29 AM

Hello

Some time ago I created url-filtering profile:

2014-12-08_104255.png

Today I found in wildfire report that someone try to download something from malware site, so I try to check is my configuration works as expected.

First of all I checked is it still a malware site:

admin@PA-200> test url sunrisebrowse.net

sunrisebrowse.net malware-sites (Base db) (I'm using BrightCloud URL Filtering)

so I started browser and I try to open "sunrisebrowse.net" after 30s or more browser wos redirected to:

"http://8.34.112.54:6080/php/urlblock.php?vsys=1&cat=10056&title=malware-sites&rulename=Lan_A%20NAT%2..."

and timeout was displayed in browser. I expected responce page insted of timeout...

I found the session:

61542    undecided  ACTIVE  FLOW  ND   192.168.1.35[59936]/Lan_A/6  (192.168.1.35[59936])
vsys1                                      8.34.112.54[6080]/captive-portal  (127.131.1.1[6180])

admin@PA-200> show session id 61542

Session           61542

        c2s flow:

                source:      192.168.1.35 [Lan_A]

                dst:         8.34.112.54

                proto:       6

                sport:       59936           dport:      6080

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

        s2c flow:

                source:      127.131.1.1 [captive-portal]

                dst:         192.168.1.35

                proto:       6

                sport:       6180            dport:      59936

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

                qos node:    ethernet1/4.1, qos member  Qid 0

                match src interface:  any

                match src address:    ('any                  ',)

        start time                           : Mon Dec  8 11:26:16 2014

        timeout                              : 30 sec

        total byte count(c2s)                : 206

        total byte count(s2c)                : 0

        layer7 packet count(c2s)             : 3

        layer7 packet count(s2c)             : 0

        vsys                                 : vsys1

        application                          : incomplete

        rule                                 : captive-portal

        session to be logged at end          : False

        session in session ager              : False

        session updated by HA peer           : False

        address/port translation             : destination

        nat-rule                             : NAT_Lan_A(vsys1)

        layer7 processing                    : enabled

        URL filtering enabled                : False

        session via prediction               : True

        use parent's policy                  : False

        session via syn-cookies              : False

        session terminated on host           : True

        session traverses tunnel             : False

        captive portal session               : True

        ingress interface                    : ethernet1/4.1

        egress interface                     : ethernet1/1

        session QoS rule                     : N/A (class 4)

        end-reason                           : aged-out

Ethernet interface for zone where is my workstation hasn't captiveportal option enabled.

Why this session is "rule : captive-portal", similar config works perfecly for wiruses, ie. when I try to downloaad Eicar sample I get responce page with warning.

What's wrong in my configuration? do I miss something?

Regards

SLawek

Labels:
0 Likes Likes
6 REPLIES 6

ssharma
L5 Sessionator

‎12-08-2014 05:23 AM

Hi slv ,

Can you share snapshot of your captive portal configuration? Do you have captive portal configuration for Lan_A zone, not interface but the zone itself. Thank you.

0 Likes Likes

_slv_
L4 Transporter

‎12-08-2014 05:36 AM

Nope:

2014-12-08_143322.png

and interface

2014-12-08_143443.png

and zone

2014-12-08_143614.png

Slawek

0 Likes Likes

ssharma
L5 Sessionator
In response to _slv_

‎12-08-2014 07:59 AM

Hi Slawek,

Based on the configuration you should not get captive portal page. And the redirect host ("http://8.34.112.54:6080/php/urlblock.php...) itself is IP address of sunrisebrowse.net, that is not expected either. Could you please confirm, what is the redirect host or ip you have configured under Captive Portal settings.  Also can you change the action of malware site to block, commit and access the site one more time and verify you get the same results. Thank you.

0 Likes Likes

_slv_
L4 Transporter
In response to ssharma

‎12-08-2014 09:29 AM

Before I post here this problem I tryed to chage action to block - same resoults

CP IP is 192.168.110.1 thats is a gatway IP of diffrenet zone/network than my workstation network.

Regards

SLawek

0 Likes Likes

mivaldi
L7 Applicator
In response to _slv_

‎12-08-2014 11:56 AM

Your management profile on ethernet1/4.1 is set to Ping_Only.

Try activating "Response Pages" on the Management profile.

The connection you see is trying to go to 6080. That is the Captive Portal Response Page port.

As you can see on the Management Profile Help file:

The Response Pages check box controls whether the ports used to serve captive portal and URL filtering response pages are open on Layer 3 interfaces. Ports 6080 and 6081 are left open if this setting is enabled.


Let us know if that helped.

0 Likes Likes

_slv_
L4 Transporter
In response to mivaldi

‎12-08-2014 11:58 PM

How You can expain that on the same workstation Response Page is shoing properply when I try to download Eicar sample?

I changed profile for this interface (added response pages) but it dosn't help me, so I think is time for support...

Regards

Slawek

0 Likes Likes
  • 3766 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks