decrypt and scan https is checked, and I installed the certificate to trusted root container, but no websites are working

I followed the procedures here: https://community.sophos.com/kb/en-us/123048

However, I cannot reach any websites anymore, such as google, yahoo, etc, after I have checked the box to "decrypt and scan https" in my firewall rule.  What am I doing wrong?

I have tried restarting the browser, rebooting the computer, and removing and reinstalling the certificate, but nothing works.  What can I do to fix it?



  • No, I can't think of anything that would be blocking traffic.  The XG is properly routing data from the internet to/from the LAN for all of the clients, so I don't see why it wouldn't be able to update itself. 

    Here's what I get with curl now:

    SFVH_SO01_SFOS 17.0.6 MR-6# curl us-west-2.u2d.sophos.com
    curl: (7) Failed to connect to us-west-2.u2d.sophos.com port 80: Connection timed out

    However, from the same command line, I am able to ping sophos.com, and it replies ok:

    SFVH_SO01_SFOS 17.0.6 MR-6# ping sophos.com
    PING sophos.com (31.222.175.174): 56 data bytes
    64 bytes from 31.222.175.174: seq=0 ttl=41 time=142.038 ms
    64 bytes from 31.222.175.174: seq=1 ttl=41 time=141.836 ms
    64 bytes from 31.222.175.174: seq=2 ttl=41 time=142.138 ms
    64 bytes from 31.222.175.174: seq=3 ttl=41 time=149.432 ms
    64 bytes from 31.222.175.174: seq=4 ttl=41 time=146.405 ms
    64 bytes from 31.222.175.174: seq=5 ttl=41 time=142.239 ms
    ^C
    --- sophos.com ping statistics ---
    6 packets transmitted, 6 packets received, 0% packet loss
    round-trip min/avg/max = 141.836/144.014/149.432 ms
    SFVH_SO01_SFOS 17.0.6 MR-6#


    In addition to the pattern updates not working, it also won't get any firmware updates either when I try to manually check for them.  Is there a place where the update servers are defined in the XG?  Maybe I can try another update server?

  • Hi,

    Try to do wget from the shell. 

    Better open 2 shells at the same time and perform a tcpdump. 

    tcpdump -ni any port 443

    &

    wget https://us-west-2.u2d.sophos.com/

  • I would investigate your XG DNS settings. Are your users using the XG as their DNS or an external DNS?

    Ian

  • The up2date servers are semi-dynamic; there are several of them worldwide and it should be picking the nearest one to you.  You can see in that example you tried to connect to the us-west-2 server.

    At this point I suspect the problem is in your network and not in the XG itself.  There is nothing more that I can really help with.

    Possibly others in the forum can.  Or you can contact Support or your reseller.  They should have experience with common networking configuration issues.

  • Yes, that was the problem; DNS was not configured correctly.  I changed the DNS server to 8.8.8.8 on the XG, and now it's getting the updated AV patterns. The curl... still gives me a 404 Not Found error if I run it from the shell, but I guess that doesn't matter now.
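    The staged check the replies above converge on (does the name resolve, does TCP connect, does the TLS handshake complete) written out as an added example; this is not Sophos code and not something posted in the thread. It assumes only the Go standard library, uses the us-west-2 host quoted above, and reports who issued the certificate it received, which is how you tell whether a decrypting firewall sits in the path to the update server.

```go
package main

import (
	"context"
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// Added example, not Sophos code: check an update server in stages (DNS, TCP,
// TLS) so a failure such as "curl times out but ping answers" can be pinned to
// one layer. The host name is the one quoted in the thread.

// Probe holds the three network operations; a test can swap in fakes.
type Probe struct {
	Resolve   func(ctx context.Context, host string) ([]string, error)
	Dial      func(ctx context.Context, addr string) (net.Conn, error)
	Handshake func(conn net.Conn, host string) (issuer string, err error)
}

// Result names the first stage that failed ("dns", "tcp", "tls") or "ok".
type Result struct {
	Stage  string
	Detail string
}

// DefaultProbe wires Probe to the real resolver, dialer and TLS stack.
func DefaultProbe(timeout time.Duration) Probe {
	dialer := &net.Dialer{Timeout: timeout}
	return Probe{
		Resolve: func(ctx context.Context, host string) ([]string, error) {
			return net.DefaultResolver.LookupHost(ctx, host)
		},
		Dial: func(ctx context.Context, addr string) (net.Conn, error) {
			return dialer.DialContext(ctx, "tcp", addr)
		},
		Handshake: func(conn net.Conn, host string) (string, error) {
			tc := tls.Client(conn, &tls.Config{ServerName: host})
			if err := tc.SetDeadline(time.Now().Add(timeout)); err != nil {
				return "", err
			}
			// Fails with "unknown authority" when an interception CA is not in the local trust store.
			if err := tc.Handshake(); err != nil {
				return "", err
			}
			certs := tc.ConnectionState().PeerCertificates
			if len(certs) == 0 {
				return "", errors.New("no peer certificate")
			}
			// The issuer says who minted the cert: the site's real CA, or a decrypting firewall.
			return certs[0].Issuer.String(), nil
		},
	}
}

// Diagnose runs the stages in order and stops at the first failure.
func Diagnose(ctx context.Context, host, port string, p Probe) Result {
	addrs, err := p.Resolve(ctx, host)
	if err == nil && len(addrs) == 0 {
		err = errors.New("no addresses returned")
	}
	if err != nil {
		return Result{Stage: "dns", Detail: fmt.Sprintf("resolve %s: %v", host, err)}
	}
	target := net.JoinHostPort(addrs[0], port)
	conn, err := p.Dial(ctx, target)
	if err != nil {
		return Result{Stage: "tcp", Detail: fmt.Sprintf("connect %s: %v", target, err)}
	}
	defer conn.Close()
	issuer, err := p.Handshake(conn, host)
	if err != nil {
		return Result{Stage: "tls", Detail: fmt.Sprintf("handshake with %s: %v", host, err)}
	}
	return Result{Stage: "ok", Detail: "leaf certificate issued by " + issuer}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
	defer cancel()
	r := Diagnose(ctx, "us-west-2.u2d.sophos.com", "443", DefaultProbe(5*time.Second))
	fmt.Printf("%s: %s\n", r.Stage, r.Detail)
	if r.Stage != "ok" {
		os.Exit(1)
	}
}
```

    Run it from a client on the LAN and from the firewall shell: a "dns" result on the firewall with an "ok" result on the client is exactly the split the thread ended up with, since the client and the XG were using different resolvers.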

  • So, now that I got that fixed, it looks like the webpages are working now.  I changed the "Web - General Settings - Action on Malware scan failure" back from "allow" to "block", and it's still allowing users to browse to the https webpages. 

    So that's great, thanks for all your help!

    One follow up question...  are there good procedures out there on how to get the Sophos CA onto devices like iphone and other smart phones, smart tv, amazon fire stick?

  • Hi,

    I think manbearpig provided you with a link earlier on that covered some of the devices. I have done web searches for the Apple iPhones, but can't remember the answer, same with the iPad, but the iPad didn't work correctly, so I need to go back and have another try.

    Of course there is another issue: visiting mobile devices that use your wifi will not have your CA, so you might need a lower strength firewall rule for them.

    Ian

  • Personally, this is the thing that I most absolutely hate.
    There are a variety of smartphones, so it is difficult to predict everything... Installing the Sophos CA certificate on such devices is a lost war...
    If someone in this forum has found a clever way to implement that, I'm all ears.


    An alternative would be to publish the CA certificate in the captive portal so you can install it in your smartphones...

  • From my point of view, HTTPS decryption is always difficult for "non-Windows clients". 

    So basically everything which is not managed by some kind of GPO or something like that. 

    And even on Windows clients, there are many / a couple of applications which do not work with HTTPS decryption because they do not trust the CA or host their own certificate store (look at Firefox). 

    In most setups, the administrator just covers the Windows clients with HTTPS scanning. Mobile devices are covered by Sophos Mobile, just because most of the mobile devices are protected by the OS (iOS / Android) and only need to be managed. To be honest, most of the time, if you block page X for an iPhone, the user will disable wireless and start to use LTE. 

    This is my opinion; I explained this in another thread. https://community.sophos.com/products/xg-firewall/f/authentication/105331/sex-hot-porn-video-through-facebook-or-twitter  And without HTTPS decryption, you can still see which sites the clients try to reach. 

  • I have an idea, but I'm not sure if it would work, because I'm no expert on SSL or anything like that.

    Here is what I was thinking:

    You would purchase an SSL certificate from an online CA, like GoDaddy or something like that.

    You would then install that SSL certificate to the XG as per: 

    community.sophos.com/.../123036 a certificate authority to Sophos XG Firewall


    Then when you try to use the iPhone/smart device to browse the internet, etc., the device will see that the SSL certificate that the XG is using is OK because it checks its database and sees that it was issued by a trusted authority, and it will then work.  So you therefore avoid having to install the certificate to each of the devices.

    I don't know if https scanning would work on these devices after this, but would be interested if anyone has tried something like this.