
decrypt and scan https is checked, and I installed the certificate to trusted root container, but no websites are working

I followed the procedures here:  https://community.sophos.com/kb/en-us/123048

However, I cannot reach any websites anymore, such as google, yahoo, etc, after I have checked the box to "decrypt and scan https" in my firewall rule.  What am I doing wrong?

I have tried restarting the browser, rebooted the computer, removing the certificate and reinstalling, but nothing works.  What can I do to fix it?



  • Hi,

    on FF you need to install the CAs in FF.

    Ian

  • Did you mean Firefox?  I tried that, but I still can't get to Google, Yahoo, etc.  But I can get to Amazon, on Firefox only, nothing on the other browsers.

  • That error message should not be related to HTTPS scanning.  It is normally only used for times that a) the av engine returns an error to the web proxy or b) web proxy cannot talk to the av engine.

    Under Backups and Firmware \ Pattern Updates, does "Avira AV" and "Sophos AV" show Success with dates from today?

    Under System Services \ Services is Anti Virus running?

    Under Web \ General Settings.  Are you using Single Engine or Dual, and if Single which one?

    In Log Viewer, System, do you have anything that looks odd?


  • To follow up on the previous question, no, the upstream / parent proxy is not enabled.

    When I look at the AV settings:

    The Avira AV and Sophos AV do not show Success, they are just blank.

    Under services, Yes, the Antivirus is running.

    I'm using Single Engine.  The Single scan engine is set to "Sophos"

    On Log Viewer, System, I have some messages about failing to check for updates from the "Up2Date" process. I also had messages such as:

    HTTPS access is denied due to invalid server certificate. Disable "Block invalid certificates" from "Web -> Protection -> HTTPS Decryption and Scanning" to access HTTPS site 'https://scribe.logs.roku.com/'


    I notice that on the Web -> General Settings -> Malware and Content Scanning: Action on Malware scan failure: if I change it from "Block (best protection)" to "Allow", the webpages load and I don't get the block page anymore.  But I guess this means I'm bypassing the scanning, so I still need to fix the AV scan problem to get this working right.

  • I suspect the certificate stuff is not related and may resolve itself when the underlying problem is resolved.

    I suspect the reason you cannot do web browsing is because of the AV Scanner.

    I suspect the reason you cannot do AV Scanning is because you don't have valid AV signatures downloaded via up2date (u2d).


    In Backup and Firmware, Pattern Updates.  Do you have Auto Update on?  What happens if you click Update Pattern Now?

    What up2date errors appear in the log?


    If you go into the XG command line (the bash shell) can you do

    curl http://us-west-2.u2d.sophos.com/


    Can you attach a file with the last.... let's say 500 lines of /log/u2d.log

  • Yes, Auto Update is on.  If I click Update Pattern Now, I get message:  "Failed to check for pattern updates".

    The up2date errors on the log viewer all say "Failed to check for updates".  These are coming in every 2 hours.  I don't see any other messages for up2date.

    The curl.... command from the Device Console is not working. I keep getting the error: unknown parameter "curl"

  • So up2date is not working.  Which could be something in the configuration on the box or something in your network where the box is not allowed to reach the outside.  You know your network configuration the best, is there anything that you think could be preventing traffic?

    When you are in the admin menu, choose option 5. Device Management then 3. Advanced Shell.  This will get you a real command line.  Try the curl there.  That will just prove whether the box can reach the up2date servers and therefore if the underlying problem is outside the box.

  • No, I can't think of anything that would be blocking traffic.  The XG is properly routing data from the internet to/from the LAN for all of the clients, so I don't see why it wouldn't be able to update itself.

    Here's what I get with curl now:

    SFVH_SO01_SFOS 17.0.6 MR-6# curl us-west-2.u2d.sophos.com
    curl: (7) Failed to connect to us-west-2.u2d.sophos.com port 80: Connection timed out

    However, from the same command line, I am able to ping sophos.com, and it replies ok:

    SFVH_SO01_SFOS 17.0.6 MR-6# ping sophos.com
    PING sophos.com (31.222.175.174): 56 data bytes
    64 bytes from 31.222.175.174: seq=0 ttl=41 time=142.038 ms
    64 bytes from 31.222.175.174: seq=1 ttl=41 time=141.836 ms
    64 bytes from 31.222.175.174: seq=2 ttl=41 time=142.138 ms
    64 bytes from 31.222.175.174: seq=3 ttl=41 time=149.432 ms
    64 bytes from 31.222.175.174: seq=4 ttl=41 time=146.405 ms
    64 bytes from 31.222.175.174: seq=5 ttl=41 time=142.239 ms
    ^C
    --- sophos.com ping statistics ---
    6 packets transmitted, 6 packets received, 0% packet loss
    round-trip min/avg/max = 141.836/144.014/149.432 ms
    SFVH_SO01_SFOS 17.0.6 MR-6#


    In addition to the pattern updates not working, it also won't get any firmware updates either when I try to manually check for them.  Is there a place where the update servers are defined in the XG?  Maybe I can try another update server?

  • Hi,

    Try to do wget from the shell. 

    Better open 2 shells at the same time and perform a tcpdump. 

    tcpdump -ni any port 443

    &

    wget https://us-west-2.u2d.sophos.com/

  • I would investigate your XG DNS settings. Are your users using the XG as their DNS or external DNS?

    Ian

  • The up2date servers are semi-dynamic; there are several of them worldwide and it should be picking the nearest one to you.  You can see in that example you tried to connect to the us-west-2 server.

    At this point I suspect the problem is in your network and not in the XG itself.  There is nothing more that I can really help with.

    Possibly others in the forum can.  Or you can contact Support or your reseller.  They should have experience with common networking configuration issues.

  • Yes, that was the problem, DNS was not configured correctly.  I changed the DNS server to 8.8.8.8 on the XG, and now it's getting the updated AV patterns. The curl... still gives me a 404 not found error if I run it from the shell, but I guess that doesn't matter now.

  • So, now that I got that fixed, it looks like the webpages are working now.  I changed the "Web - General Settings - Action on Malware scan failure" back from "allow" to "block", and it's still allowing users to browse to the https webpages.

    So that's great, thanks for all your help!

    One follow up question...  are there good procedures out there on how to get the Sophos CA onto devices like iphone and other smart phones, smart tv, amazon fire stick?

  • Hi,

    I think manbearpig provided you with a link earlier on that covered some of the devices. I have done web searches for the apple iPhones, but can't remember the answer, same with the iPad, but the iPad didn't work correctly so I need to go back and have another try.

    Of course there is another issue: visiting mobile devices that use your wifi will not have your CA, so you might need a lower strength firewall rule for them.

    Ian

  • Personally, it is the thing that I most absolutely hate.
    There are a variety of smartphones, so it is difficult to predict everything... Installing the Sophos CA certificate on such devices is a lost war...
    If someone in this forum has found a clever way to implement that, I'm all ears.


    An alternative would be to publish the CA certificate in the captive portal so you can install it in your smartphones...

  • From my point of view, HTTPs Decryption is always difficult for "non Windows clients".

    So basically everything which is not managed by some kind of GPO or something like that.

    And even on Windows clients, there are a couple of applications which do not work with HTTPs Decryption because they do not trust the CA or host their own certificate store (look at Firefox).

    In most setups, the administrator just covers the Windows clients with HTTPs Scanning. Mobile devices are covered by Sophos Mobile, because most of the mobile devices are protected by the OS (iOS / Android) and only need to be managed. To be honest, most of the time, if you block page X for an iPhone, the user will disable wireless and start to use LTE.

    This is my opinion; I explained this in another thread: https://community.sophos.com/products/xg-firewall/f/authentication/105331/sex-hot-porn-video-through-facebook-or-twitter  And without HTTPs Decryption, you can still see which sites the clients try to reach.

  • I have an idea, but I'm not sure if it would work, because I'm no expert on SSL or anything like that.

    Here is what I was thinking:

    You would purchase an SSL certificate from an online CA, like GoDaddy or something like that.

    You would then install that SSL certificate to the XG as per: 

    community.sophos.com/.../123036 a certificate authority to Sophos XG Firewall


    Then when you try to use the iPhone/smart device to browse internet, etc, the device will see that the SSL certificate that the XG is using is ok because it checks its database and sees that it was issued by a trusted authority, and it will then work.  So you therefore avoid having to install the certificate to each of the devices.

    I don't know if https scanning would work on these devices after this, but would be interested if anyone has tried something like this.  


  • Stop reading here:

    You would purchase an SSL certificate from an online CA, like GoDaddy or something like that.


    This is not possible. Or should not be possible. Publicly signed CAs are built to only sign your domains, not all domains on the internet.

    For example, you cannot buy a CA from GoDaddy that builds you a certificate for google.com and this certificate is trusted by all clients in the world. This would break HTTPs and the reason for doing it. You could perform a Man-in-the-Middle attack everywhere and nobody would ever notice.

    It is like LetsEncrypt. This requirement pops up quite often, tbh, it would be so easy, just buy a certificate and you could even https scan the traffic of your guest network, could read the https encrypted traffic and read all the passwords etc... You may notice the issue here.

    If you find a public CA that does this, just ping me. Would love to do this kind of https scanning everywhere in the world. Just open a public hotspot and here you go, credit card information etc.

  • ManBearPig, you've hit upon the crux of the issue.


    HTTPS (and the infrastructure around it) was built so that there is no way for a man-in-the-middle to read your data without you knowing (or giving permission).

    There is no way to perform decryption while at the same time not having to install something on the user device or have a warning pop up.

    In other words - a coffee shop with free wifi cannot decrypt your web traffic with your bank without you explicitly giving them permission to.


    For corporate computers that are connected to active directory, there are various ways to push the CA to the computers automatically, for each browser.

    For corporately managed phones, there are also ways to push the CA.  I'm sure Sophos has a solution.  This means the users need to install a management app of course.

    The problem is BYOD phones and guest networks.  The first thing that you should do is keep them off of your main corporate network.  You don't want personal phones to have access to your full network, that just adds a huge security hole.  They should be segregated so that they only have internet access, else any malware from a personal phone or laptop that connects can spread through your network as it has bypassed your firewall.


    So we are only really talking about personal phones that you have guest wifi for, to allow internet access so they don't use their data plans.  At that point you need to decide whether it is necessary for you to decrypt traffic.  Does the benefit outweigh the cost?  If someone is blocked, are they likely to switch to their data plan?  Is it enough to block based on the domain category, or do you also need to block filetypes and antivirus everything to personal devices that are not on your corporate network?


    I admittedly don't know much about all the myriad customer configurations and needs.  But if you are indeed allowing unmanaged devices on your corporate network but at the same time wanting to manage their internet access, you should probably think carefully about what it is you are doing and why.