DNS Traffic Recognized as App-ID "sophos-live-protection"
Created On 02/09/21 16:35 PM - Last Modified 07/03/24 04:19 AM
Symptom
- Firewall/Prisma Access is configured to allow only DNS traffic on UDP port 53
- Firewall/Prisma Access is dropping other traffic on UDP port 53 identified as application sophos-live-protection
- A packet capture of the DNS traffic categorized by the firewall as sophos-live-protection shows a DNS query for sophosxl.net
Environment
- Firewall
- PAN-OS 8.1 or higher
- Prisma Access
Cause
- This app identification is expected behaviour: the client is generating DNS queries that contain Sophos-specific data (queries for sophosxl.net).
- If Sophos endpoints are used in the network, create appropriate policies to allow the sophos-live-protection application.
Resolution
Resolve this issue with one of the following three options:
- Disable (uninstall) the Sophos applications from all hosts (the internal DNS server in this case) if the company does not intend endpoints to use this application, and verify that the uninstallation completed properly.
- Include sophos-live-protection in the Security Policy rule that allows DNS.
- If an internal DNS server is used and it is configured to re-use the same source port, change the server to use a different source port for each query, so that the firewall does not incorrectly match non-Sophos queries sharing that port as sophos-live-protection.
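The third option depends on a condition you can verify from a packet capture: does the internal DNS server send sophosxl.net queries and unrelated queries from the same source IP and port? The script below is an added example, not part of this article and not Palo Alto Networks or Sophos code. It parses the question name out of raw DNS messages (RFC 1035 label format) and reports every (source IP, source port) pair that carried both Sophos and non-Sophos queries. The packet samples, the resolver addresses 10.0.0.53 and 10.0.0.54, the port numbers and the query labels are all constructed for the demonstration; the firewall's actual App-ID signature is not known here and is not modelled, only the sophosxl.net suffix from this article is used.

```python
"""Report DNS source ports shared between sophosxl.net and other queries.

Added example (not from the KB article). Sample packets below are constructed.
"""
from collections import defaultdict

# Domain suffix named in the article; the firewall's real signature is not modelled.
SOPHOS_SUFFIX = "sophosxl.net"


def parse_qname(dns_payload: bytes) -> str:
    """Extract the first question name from a raw DNS message.

    The fixed header is 12 bytes; the question section follows immediately.
    Names are length-prefixed labels terminated by a zero byte (RFC 1035)."""
    if len(dns_payload) < 12:
        raise ValueError("truncated DNS header")
    pos = 12
    labels = []
    while True:
        length = dns_payload[pos]
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer is not valid in a query name
            raise ValueError("unexpected compression pointer in question name")
        pos += 1
        labels.append(dns_payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def encode_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query so the sample data is genuine wire format."""
    # txid, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    question = b"".join(
        len(label).to_bytes(1, "big") + label.encode("ascii") for label in qname.split(".")
    ) + b"\x00"
    return header + question + b"\x00\x01\x00\x01"  # QTYPE A, QCLASS IN


def is_sophos_query(qname: str) -> bool:
    """True for sophosxl.net itself or any name beneath it."""
    return qname == SOPHOS_SUFFIX or qname.endswith("." + SOPHOS_SUFFIX)


def find_shared_ports(packets):
    """packets: iterable of (src_ip, src_port, raw_dns_payload).

    Returns a dict keyed by (src_ip, src_port) for every pair that carried both
    Sophos and non-Sophos queries, i.e. the source-port re-use that lets unrelated
    queries share a session with sophosxl.net lookups."""
    seen = defaultdict(lambda: {"sophos": [], "other": []})
    for src_ip, src_port, payload in packets:
        qname = parse_qname(payload)
        bucket = "sophos" if is_sophos_query(qname) else "other"
        seen[(src_ip, src_port)][bucket].append(qname)
    return {key: names for key, names in seen.items() if names["sophos"] and names["other"]}


# Constructed sample: resolver 10.0.0.53 (placeholder address) re-uses port 40000
# for every outbound query; resolver 10.0.0.54 picks a fresh port per query.
SAMPLE_PACKETS = [
    ("10.0.0.53", 40000, encode_query("lookup-sample.sophosxl.net")),
    ("10.0.0.53", 40000, encode_query("www.example.com")),
    ("10.0.0.53", 40000, encode_query("mail.example.org")),
    ("10.0.0.54", 51001, encode_query("lookup-sample.sophosxl.net")),
    ("10.0.0.54", 51002, encode_query("www.example.com")),
]

if __name__ == "__main__":
    for (ip, port), names in find_shared_ports(SAMPLE_PACKETS).items():
        print(f"{ip}:{port} mixes Sophos queries {names['sophos']} with {names['other']}")
```

Only the port-reusing resolver is reported; the second resolver never shares a source port between the two kinds of query, so its non-Sophos lookups cannot be confused with sophos-live-protection on that basis. To run this against a real capture, feed it the UDP payloads of port 53 client queries together with their source IP and port.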
Additional Information
See the Sophos article below for more information on SXL:
https://support.sophos.com/support/s/article/KB-000034570?language=en_US