
How Can I Disable All Filtering?

I've used Sophos UTM Home happily for the last three years, but the 50-IP limit was becoming problematic. I switched to XG last night, and it's been a disaster. While the initial setup was a breeze, nothing in my network is working. Netflix and Hulu are dead again, and while I found a post suggesting fixes - here: https://community.sophos.com/products/xg-firewall/f/web-protection/74689/web-content-filtering-breaks-hulu-and-netflix - those exception rules won't take. The system is also blocking SMTP despite me trying to turn it off.

I just need to turn off all filtering for now so that I can function while I learn how to only filter what I want to filter. I'm hoping I don't just have to delete every rule in the system as that will require me to build everything from scratch later. I'm hoping for a set of switches or an allow any / any type of rule that will turn them off. Thanks in advance for any help!



  • Hi,

    XG is not a disaster; you need to think differently about how you set it up. If you want to turn off all filtering, why have a sophisticated firewall? Why not just get a cheap router?

    If you want to allow SMTP traffic without scanning, you need to delete your mail rule and add a network rule which allows SMTP traffic without scanning.

    Perhaps you need to delete all your rules and start again with some logic to them.

    At the top is your mail SMTP rule,

    followed by your specific allowed-out rule (e.g. build a Netflix and Hulu site),

    followed by your general rule.

    You will need to create policies in both web and application to get the benefits of the XG.

    Ian

  • Sorry, I meant to say that this process has been a disaster. I corrected my wording. I LOVE XG versus UTM. It seems much more obvious to configure in most ways, but I can't figure out its filtering. For example, you're saying to "delete your mail rule and add a network rule which allows smtp traffic" but there are entries all over the place.

    Also, you say to build an allowed out rule for netflix and hulu, but as I said, I tried putting in the rules in that other post that I linked to above and it doesn't work. Under Web -> Exceptions I click "Add Exception". I give it a name and check the box next to URL Pattern Matches. Then I type in, for example:

    ^https?://secure\.netflix\.com/*

    But when I click +, it says "You must enter a valid domain name". But... I'm putting in a URL pattern, not a domain name. What's the deal?!

    Most likely your Regex is invalid.

    I always use the predefined regex and just tweak the domain part.

    ^https?://secure\.netflix\.com/*

    ^([A-Za-z0-9.-]*\.)?apple\.com\.?/

    And there are two ways to build a bypass.

    https://community.sophos.com/kb/en-us/128173

  • Hi,

    I think LuCar has sorted out your REGEX issue.

    Next issue

    Mail.SMTPS: as a home user I gave up on scanning it using the business rule. My wife's insistence on using MS Outlook was a disaster from my point of view; Mac Mail on both machines works fine. I also gave up trying to get SMTPS scanning to work on the iPad and the iPhones, too much like hard work for no real security gain. So I use an outgoing rule for SMTPS which I must tighten up. All our accounts are IMAPS based so I can use the business rule to scan IMAPS, and I also link the outgoing rule to the FQDNs of the ISP mail servers. Again the iPad and iPhones are not scanned, slightly risky, but it will be picked up when the mail is scanned coming through the other rule.

    I have rules for my VoIP devices that only allow SIP and point at the ISP's SIP servers, with both web and application policies set up for VoIP, with higher priority.

    I have an IoT device which has its own SSID and firewall rule again linked to the devices home site, scanned.

    I have a slightly open rule with limited protocols for the iPad and iPhones and even the android when it is on.

    I have a number of exceptions for various sites: Facebook, Apple (though it doesn't work and needs more investigation), WhatsApp and some of my wife's sites for her hobbies.

    I also have a couple of blocks for some applications that call home when I don't think they need to.

    Overall with only IP4 active at the moment I have 30 clientless user addresses.

    If I can help or anyone in the forum can help with things you have trouble with please ask.

    XG home user maximum values are 4 CPUs (preferably real) and 6 GB of RAM.

    Ian

    Also I have many years of UTM experience before moving to the XG.

  • OK, so I put exactly that in and I'm still getting the error. What am I missing? I have to be in the wrong place, right?

  • Hi,

    you misread his post. What he was advising is that you take your information and change the apple regex he posted.

    ^([A-Za-z0-9-.] etc. Instead of apple you use netflix.

    Ian

  • Ah, OK. But I would still like to understand what the issue is. In that screen, on that page in the XG UI, can I not start a site with ^http or ^https? Can someone post even one line item that they have currently deployed into that field that starts with those strings that works?

  • Hi,

    ^http[A-Za-z0-9]\.com/

    I don't know what it would block, but it is a string you asked for.

    Ian

    I have read a number of regex tutorials looking specifically for the : but it does not get a mention, so I suspect that the :// actually masks the next character group until it hits the \ delimiter, which causes the invalid domain error.

    Why don't you just use the URL without regex?

  • WrlsFanatic said:

    Also, you say to build an allowed out rule for netflix and hulu, but as I said, I tried putting in the rules in that other post that I linked to above and it doesn't work. Under Web -> Exceptions I click "Add Exception". I give it a name and check the box next to URL Pattern Matches. Then I type in, for example:

    ^https?://secure\.netflix\.com/*

    But when I click +, it says "You must enter a valid domain name". But... I'm putting in a URL pattern, not a domain name. What's the deal?!

    In UTM the string you match against includes the protocol, so you can write regex with the protocol (e.g. http://).

    In XG the string you match against does not include the protocol, so you should not have the protocol in the RegEx. Although your RegEx is valid, there is an extra check to prevent any RegEx that includes a protocol.

    So if your UTM RegEx is this:

    ^https?://secure\.netflix\.com/*

    The same XG RegEx is this:

    ^secure\.netflix\.com/*

    This is just one of the gotchas when upgrading from UTM to XG.
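To make the UTM/XG difference concrete, here is an added Python example (my own, not code from the thread or from Sophos). It applies the thread's Netflix pattern and LuCar's predefined apple.com pattern to a handful of constructed URLs the way each product does: UTM matches against the full URL, XG against the URL with its scheme removed, so a pattern anchored on `^https?://` can never match in XG even though it is a valid regex. It also rewrites the UTM form into the XG form. The `xg_rejects` function is only an assumption about what XG's extra protocol check looks for (a literal `://`), not Sophos's actual validator.

```python
import re

# Regexes quoted in the thread: the UTM form carries the scheme, the XG form does not.
UTM_NETFLIX = r"^https?://secure\.netflix\.com/*"
XG_NETFLIX = r"^secure\.netflix\.com/*"
# The predefined XG pattern LuCar quoted: apple.com itself or any subdomain of it.
XG_APPLE = r"^([A-Za-z0-9.-]*\.)?apple\.com\.?/"

# Constructed sample URLs (not from the thread) used to exercise the patterns.
SAMPLE_URLS = [
    "https://secure.netflix.com/login",
    "http://secure.netflix.com/",
    "https://www.apple.com/",
    "https://notapple.com/",
    "https://example.invalid/secure.netflix.com/",   # host is not netflix; path merely contains it
]


def strip_scheme(url):
    """Return what XG matches its URL Pattern against, per the thread: host and path, no scheme."""
    return re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url)


def matches(pattern, url, product):
    """Test a pattern the way each product applies it.

    product="utm": the full URL, scheme included, is the subject.
    product="xg":  the scheme is removed first, so a pattern that begins with ^https?:// never matches.
    """
    subject = url if product == "utm" else strip_scheme(url)
    return re.search(pattern, subject) is not None


def xg_rejects(pattern):
    """Assumed approximation of XG's extra check that refuses a pattern containing a protocol.
    Here: any literal '://' in the pattern. Sophos's real validator may differ."""
    return "://" in pattern


def utm_regex_to_xg(pattern):
    """Rewrite a UTM pattern anchored on a scheme (^http://, ^https://, ^https?://) into the XG form
    by dropping the scheme and keeping the ^ anchor. Patterns without a scheme are returned unchanged."""
    return re.sub(r"^\^https?\??://", "^", pattern)


def report():
    """Per-URL results for the Netflix pattern: UTM hit, raw UTM pattern on XG, converted pattern on XG.
    Returned as a list of tuples so the outcome can be checked rather than only printed."""
    rows = []
    for url in SAMPLE_URLS:
        rows.append((url,
                     matches(UTM_NETFLIX, url, "utm"),
                     matches(UTM_NETFLIX, url, "xg"),
                     matches(utm_regex_to_xg(UTM_NETFLIX), url, "xg")))
    return rows


if __name__ == "__main__":
    print("XG rejects the UTM pattern:", xg_rejects(UTM_NETFLIX))
    print("Converted for XG:", utm_regex_to_xg(UTM_NETFLIX))
    for url, utm_hit, xg_raw, xg_conv in report():
        print(f"{url:45} utm={utm_hit!s:5} xg(raw utm regex)={xg_raw!s:5} xg(converted)={xg_conv}")
    for url in SAMPLE_URLS:
        print(f"{url:45} apple pattern on XG: {matches(XG_APPLE, url, 'xg')}")
```

The last constructed URL shows why the `^` anchor matters in either product: without it, a pattern such as `secure\.netflix\.com/*` would also match a different host whose path happens to contain that string, which is the kind of over-broad exception you want to avoid when bypassing web filtering.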

  • Michael Dunn said:

    In UTM the string you match against includes the protocol, so you can write regex with the protocol (e.g. http://).

    In XG the string you match against does not include the protocol, so you should not have the protocol in the RegEx. Although your RegEx is valid, there is an extra check to prevent any RegEx that includes a protocol.

    So if your UTM RegEx is this:

    ^https?://secure\.netflix\.com/*

    The same XG RegEx is this:

    ^secure\.netflix\.com/*

    This is just one of the gotchas when upgrading from UTM to XG.

    PERFECT! Exactly what I wanted to know! THANK YOU SO MUCH!
