
decrypt and scan https is checked, and I installed the certificate to trusted root container, but no websites are working

I followed the procedures here:  https://community.sophos.com/kb/en-us/123048

However, I cannot reach any websites anymore, such as google, yahoo, etc, after I have checked the box to "decrypt and scan https" in my firewall rule.  What am I doing wrong?

I have tried restarting the browser, rebooted the computer, removing the certificate and reinstalling, but nothing works.  What can I do to fix it?



  • Hi,

    on FF you need to install the CAs in FF.

    Ian

  • Did you mean Firefox?  I tried that, but I still can't get to Google, Yahoo, etc.  But I can get to Amazon, on Firefox only, nothing on the other browsers.

  • Perfect, and if you enable https scanning for this computer, can you show us the error? 

  • Yes, here is the error that I get:

  • Any ideas yet?  I'm still trying to figure this out.

    What about the certificate, when I download it from the XG, it is in the form of a .pem file.  In Chrome for example, on the certificate import wizard, when browsing for the file to import, I have just been selecting the option to show all files, then I select that .pem file.  The default is that it is looking for a .cer or .crt file.  I didn't think it mattered, but do you think maybe it doesn't like the .pem file?


  • My experience with importing CAs is that if the application doesn't like the CA it will not install it, e.g. it wants a .cer but gets a .pem.

    Ian

  • I am currently a little bit surprised about this error page. That would suggest your proxy module is broken? Do you have something in front of the XG?

    Because the certificate seems to be okay. This block page is just content which the XG gives in the HTTP data part. 

  • I just have a modem in front of it, configured to IP Passthrough mode.  

    The block page says that "the content could not be scanned for malware, it may be corrupted or encrypted"

    Could this mean that somehow the XG is unable to decrypt it, even though the certificate is in place?

  • If you use Decrypt and Scan for HTTPS, there will be two HTTPS tunnels.

    The first one is between the XG and the client. The XG uses the CA from Webadmin for this one.

    The second tunnel is between the XG WAN interface and the internet. So basically most of the websites do not know there is an HTTPS proxy in the middle.

    This alert means something went wrong between the XG and the internet.

    So I would assume there is something wrong when the XG builds up an HTTPS connection to the internet.

    Do you use / have you configured a parent proxy (Upstream Proxy) under Routing?

  • That error message should not be related to HTTPS scanning.  It is normally only used for times that a) the av engine returns an error to the web proxy or b) web proxy cannot talk to the av engine.

    Under Backups and Firmware \ Pattern Updates, does "Avira AV" and "Sophos AV" show Success with dates from today?

    Under System Services \ Services is Anti Virus running?

    Under Web \ General Settings.  Are you using Single Engine or Dual, and if Single which one?

    In Log Viewer, System, do you have anything that looks odd?


  • To follow up on the previous question, no, the upstream / parent proxy is not enabled.

    When I look at the AV settings:

    The Avira AV and Sophos AV do not show Success, they are just blank.

    Under services, Yes, the Antivirus is running.

    I'm using Single Engine.  The Single scan engine is set to "Sophos"

    On Log Viewer, System, I have some messages about Failing to check for updates from "Up2Date" process. I also had message such as:

    HTTPS access is denied due to invalid server certificate. Disable "Block invalid certificates" from "Web -> Protection -> HTTPS Decryption and Scanning" to access HTTPS site 'https://scribe.logs.roku.com/'


    I notice that on the Web -> General Settings -> Malware and Content Scanning:  Action on Malware scan failure:   if I change it from "Block (best protection)" to "Allow"

    the webpages load and I don't get the block page anymore.  But I guess this means I'm bypassing the scanning, so still need to fix the AV scan problem to get this working right.


  • I suspect the certificate stuff is not related and may resolve itself when the underlying problem is resolved.

    I suspect the reason you cannot do web browsing is because of the AV Scanner.

    I suspect the reason you cannot do AV Scanning is because you don't have valid AV signatures downloaded via up2date (u2d).


    In Backup and Firmware, Pattern Updates.  Do you have Auto Update on?  What happens if you click Update Pattern Now?

    What up2date errors appear in the log?


    If you go into the XG command line (the bash shell) can you do

    curl http://us-west-2.u2d.sophos.com/


    Can you attach a file with the last... let's say 500 lines of /log/u2d.log

  • Yes, Auto Update is on.  If I click Update Pattern Now, I get message:  "Failed to check for pattern updates".

    The up2date errors on the log viewer all say "Failed to check for updates".  These are coming in every 2 hours.  I don't see any other messages for up2date.

    The curl... command from the Device Console is not working. I keep getting error: unknown parameter "curl"

  • So up2date is not working.  Which could be something in the configuration on the box or something in your network where the box is not allowed to reach the outside.  You know your network configuration the best, is there anything that you think could be preventing traffic?

    When you are in the admin menu, choose option 5. Device Management then 3. Advanced Shell.  This will get you a real command line.  Try the curl there.  That will just prove whether the box can reach the up2date servers and therefore if the underlying problem is outside the box.

  • No, I can't think of anything that would be blocking traffic.  The XG is properly routing data from the internet to/from the LAN for all of the clients, so I don't see why it wouldn't be able to update itself.

    Here's what I get with curl now:

    SFVH_SO01_SFOS 17.0.6 MR-6# curl us-west-2.u2d.sophos.com
    curl: (7) Failed to connect to us-west-2.u2d.sophos.com port 80: Connection timed out

    However, from the same command line, I am able to ping sophos.com, and it replies ok:

    SFVH_SO01_SFOS 17.0.6 MR-6# ping sophos.com
    PING sophos.com (31.222.175.174): 56 data bytes
    64 bytes from 31.222.175.174: seq=0 ttl=41 time=142.038 ms
    64 bytes from 31.222.175.174: seq=1 ttl=41 time=141.836 ms
    64 bytes from 31.222.175.174: seq=2 ttl=41 time=142.138 ms
    64 bytes from 31.222.175.174: seq=3 ttl=41 time=149.432 ms
    64 bytes from 31.222.175.174: seq=4 ttl=41 time=146.405 ms
    64 bytes from 31.222.175.174: seq=5 ttl=41 time=142.239 ms
    ^C
    --- sophos.com ping statistics ---
    6 packets transmitted, 6 packets received, 0% packet loss
    round-trip min/avg/max = 141.836/144.014/149.432 ms
    SFVH_SO01_SFOS 17.0.6 MR-6#


    In addition to the pattern updates not working, it also won't get any firmware updates either when I try to manually check for them.  Is there a place where the update servers are defined in the XG?  Maybe I can try another update server?

  • Hi,

    Try to do wget from the shell. 

    Better open 2 shells at the same time and perform a tcpdump. 

    tcpdump -ni any port 443

    &

    wget https://us-west-2.u2d.sophos.com/

  • I would investigate your XG DNS settings. Are you users using the XG as their DNS or external DNS?

    Ian

  • The up2date servers are semi-dynamic, there are several of them worldwide and it should be picking the nearest one to you.  You can see in that example you tried to connect to the us-west-2 server.

    At this point I suspect the problem is in your network and not in the XG itself.  There is nothing more that I can really help with.

    Possibly others in the forum can.  Or you can contact Support or your reseller.  They should have experience with common networking configuration issues.

  • Yes, that was the problem, DNS was not configured correctly.  I changed the DNS server to 8.8.8.8 on the XG, and now it's getting the updated AV patterns. The curl... still gives me a 404 not found error if I run it from the shell, but I guess that doesn't matter now.
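    The diagnosis reached in this thread (ping to one host works, curl to the update server times out, and the real fault was the XG's DNS setting) is quicker to reach when DNS resolution, TCP connect and the HTTP request are checked as separate layers. The script below is an added example, not Sophos code; it runs on any host that shares the XG's DNS settings, assumes the update server is on plain HTTP port 80 as in the curl above, and uses a constructed `broken_resolver` to demonstrate the DNS-failure branch.

```python
"""Layered reachability check: DNS, then TCP connect, then HTTP GET.
The first failing layer says where to look (resolver, upstream filtering,
or the server itself) instead of guessing from a single curl error."""
import socket
import http.client


def check_dns(host, resolver=socket.gethostbyname):
    """Resolve host; the resolver is injectable for offline demonstration."""
    try:
        return True, resolver(host)
    except (socket.gaierror, socket.herror) as exc:
        return False, str(exc)


def check_tcp(ip, port, timeout=5.0):
    """Plain TCP connect to the resolved address, bypassing DNS entirely."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timed out (filtered upstream or no route)"
    except OSError as exc:
        return False, "refused/unreachable: %s" % exc


def check_http(host, ip, port=80, timeout=5.0):
    """GET / over the already-proven TCP path, sending the real Host header."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        return True, "HTTP %d" % conn.getresponse().status
    except OSError as exc:
        return False, str(exc)
    finally:
        conn.close()


def diagnose(host, port=80, resolver=socket.gethostbyname):
    """Walk the layers in order and report the first one that fails."""
    ok, detail = check_dns(host, resolver)
    if not ok:
        return {"layer": "dns", "ok": False, "detail": detail}
    ip = detail
    ok, detail = check_tcp(ip, port)
    if not ok:
        return {"layer": "tcp", "ok": False, "ip": ip, "detail": detail}
    ok, detail = check_http(host, ip, port)
    return {"layer": "http", "ok": ok, "ip": ip, "detail": detail}


def broken_resolver(host):
    """Constructed stand-in for a misconfigured DNS server (demo only)."""
    raise socket.gaierror(-2, "Name or service not known")
```

    Calling `diagnose("us-west-2.u2d.sophos.com")` on a host whose resolver is misconfigured stops at the dns layer, while a host that resolves but is filtered upstream stops at the tcp layer with a timeout.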

  • So, now that I got that fixed, looks like the webpages are working now.  I changed the "Web - General Settings - Action on Malware scan failure" back from "allow" to "block", and it's still allowing users to browse to the https webpages.

    So that's great, thanks for all your help!

    One follow up question...  are there good procedures out there on how to get the Sophos CA onto devices like iphone and other smart phones, smart tv, amazon fire stick?

  • Hi,

    I think manbearpig provided you with a link earlier on that covered some of the devices. I have done web searches for the apple iPhones, but can't remember the answer, same with the iPad, but the iPad didn't work correctly so I need to go back and have another try.

    Of course there is another issue: visiting mobile devices that use your wifi will not have your CA, so you might need a lower strength firewall rule for them.

    Ian

  • Personally, this is the thing that I most absolutely hate.
    There are such a variety of smartphones that it is difficult to predict everything... Installing the Sophos CA certificate on such devices is a lost war...
    If someone in this forum has found a clever way to implement that, I'm all ears.


    An alternative would be to publish the CA certificate in the captive portal so you can install it in your smartphones...