
classification silliness and odd behaviour.

Recently I received my phone invoice. Now normally I would click on the link in the message and be taken to the login page, not today.

The classification of the site had changed.

Now comes the silliness

1/. telstra.com

2/. my.telstra.com

are both classified as IT.

3/. telstra.com.au

4/. my.telstra.com.au

are classified as general business.

I can connect to items 3 and 4, but not 1 and 2. If I add an exception with the web, and it doesn't matter if regex or URL, I still cannot connect to 1 or 2. Now if I use a hotspot instead of the XG I can connect to all 4 items and items 1 and 2 redirect me to items 3 and 4.

Two issues that need to be addressed by Sophos

1/. classification errors? This problem is only recent.

2/. why the web exception doesn't work? Possibly because the site has both IPv6 and IPv4?

Ian

 

Just to make the investigation more fun, there appears to be a bug in Mojave Safari, which presents with a blank page.



This thread was automatically locked due to age.
  • Hi Sachin,

    thank you for looking.

    The easy part, exception.

    I will investigate the other items.

    Ian

    Extra info, PCAP shows the site access is via IPv6, with which I know web exceptions do not work. I have another thread on the subject about IPv6. I cannot add FQDN as an exception and there are too many IP addresses to add as an IP list.

  • How about adding an exception policy based on category? Instead of using the default categories, create a new web category and add the necessary URLs and FQDNs!

    Let me know if that works. To be honest, I am not aware of the issue of web exceptions not working with IPv6; could you please direct me towards the source where you received this information?

    Thanks,

  • Hi Sachin,

    the source is me after extensive testing. You cannot use FQDNs in IPv6, the feature has not been included yet and in theory will be available in XG v18.

    I will try the category blocking and see what happens.

    Thank you for the suggestion.

    Ian

    To make sure I wasn't making a mistake in my testing I used the hotspot again, but the difference is the hotspot is IPv4 and works with Safari and FF on the Mac.

    Back on the XG, FF is picking up the redirection as a result of the exception (category) using IPv6 but Safari fails.

    I will do further testing on a W10 machine shortly.

     

    W10 testing. Does not work with W10 using IE. The site shows up as an IPv6 address.

  • Is there a reason you are blocking Information Technology?  Although I agree that the sites should probably be classified the same, IT and General Business are usually treated the same.  Classification differences like this are low priority.
     
    I know of no issue with IPv6 and exceptions.  I don't have an IPv6 setup handy to test.  Can you give me any more details or a simplified case?
     
    Differences between browsers tend not to be caused by the proxy.  Make sure all are connecting direct/transparent the same way.
     
     
  • Hi Micheal,

    I am not blocking IT, the issue occurs if I remove any checking and change the setting in web and application to allow all.

    After a restart of the Mac overnight, Safari does not show any signs of connecting, FF does a redirect to the .au IPv6 address but never actually connects, which is the same for W10 and IE. All waiting for the site to reply. None of the browsers are set up to use the proxy.

    From my testing with speedof.me I had to use web categories because URL exceptions did not work. Also I had to add IP addresses in the firewall rule because IPv6 does not support FQDN, thankfully speedof.me only had 3 IPv6 addresses.

    Ian

  • Hi Micheal,

    Today, while my wife was out I removed IPv6 from my XG. Removing IPv6 is not just turning off IPv6 in external and internal networks, it also means manually deleting IP groups and IP, Clientless users with IPv6 address and finally IPv6 rules. Also removed the telstra.com exceptions, simplified the speedof.me exception (both speedof.me and speediest.net).

    After all that the MBP and W10 machines all redirected telstra.com to telstra.com.au. The speedtest.net did not fail with a latency error.

    So in summary, from my point of view something in XG IPv6 is not correct, e.g. does not work correctly.

    Ian

  • Hi Ian,

    Did you try configuring a plain firewall rule with filters set to NONE, and defining wildcard FQDNs in it? This way you will bypass the web proxy. Let us know if that works. 

    Thanks, 

  • Hi Sachin,

    At the moment without IPv6 enabled all sites are working correctly. I have no need for a web bypass for the telstra.com etc

    When IPv6 is active you cannot include FQDNs in the firewall rules, they are not supported until v18.

    Regards

    Ian

  • I confirmed this information and yes, FQDN is yet to be supported for IPv6. 

    Thanks,
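
An added example, not part of the thread and not Sophos code: a small audit that shows which hostnames are dual-stack and which IPv6 addresses would have to be listed by address, since the thread confirms FQDNs are not yet supported for IPv6. The hostnames come from the thread; the addresses are constructed documentation-range values, and the function names are hypothetical.

```python
import ipaddress
import socket

# Hostnames from the thread; the addresses are constructed
# documentation-range values, not real DNS answers.
CONSTRUCTED_DNS = {
    "telstra.com": ["192.0.2.10", "2001:db8::10"],
    "my.telstra.com": ["192.0.2.11", "2001:db8::11", "2001:db8::12"],
    "telstra.com.au": ["192.0.2.20"],
}

def constructed_resolver(host):
    """Offline stand-in for DNS, returning the constructed answers."""
    return CONSTRUCTED_DNS.get(host, [])

def live_resolver(host):
    """Real lookup via the system resolver (needs network access)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def audit(hosts, resolver=constructed_resolver):
    """Split each host's addresses by family and flag dual-stack names."""
    report = {}
    for host in hosts:
        v4, v6 = [], []
        for text in resolver(host):
            # Drop any zone id ("%eth0") before parsing the address.
            addr = ipaddress.ip_address(text.split("%")[0])
            (v6 if addr.version == 6 else v4).append(str(addr))
        report[host] = {
            "ipv4": sorted(v4),
            "ipv6": sorted(v6),
            # A name with AAAA records can be reached over IPv6, where
            # (per the thread) an FQDN cannot be used in the rule.
            "needs_ipv6_ip_list": bool(v6),
        }
    return report

def ipv6_ip_list(report):
    """Union of IPv6 addresses that would have to be listed by address."""
    return sorted({a for r in report.values() for a in r["ipv6"]})

if __name__ == "__main__":
    result = audit(CONSTRUCTED_DNS)
    for host, row in result.items():
        print(host, row)
    print("IPv6 IP list:", ipv6_ip_list(result))
```

Pass `resolver=live_resolver` to run the same audit against real DNS from a client behind the firewall.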