
Sophos is blocking WhatsApp even though no web filter or application filter is applied

We just upgraded our hardware device from Cyberoam to Sophos XG 106 (SFOS 18.0.3 MR-3). Everything seems to work except that Sophos is blocking WhatsApp. I tried everything, from disabling HTTPS scanning to disabling pharming protection. I even created a custom rule to allow WhatsApp based on URL and IP address, but still no success. The log viewer doesn't show any blocked traffic because I enabled all the traffic. The website opens without issue, but the QR code keeps loading and the desktop version doesn't work.



This thread was automatically locked due to age.
  • Hello Alumco,

    Thank you for contacting the Sophos Community!

    I am moving this thread to the XG Group as it was posted in the UTM Firewall Group.

    Please clarify what is being blocked. Is it the application itself on the cellphones or the website?

    Regards,

  • Hi Emmanuel,

    It's not working on any device. I even created a plain firewall from Any source to Any destination and it still didn't work.

  • Hi Alumco,

    Please create a firewall rule at the top of your firewall list:

    source LAN, network any, destination WAN, network any, service any, allow, log, web use proxy also all application allow all.

    This assumes you have only 1 NAT rule and that is the default?

    Then connect to the application and review the logviewer files for web, application, IPS as well as the firewall tab?

    Then please post a copy of the error the users are receiving when attempting to connect.

    Ian

  • Hello,

    I created the rule as you requested; everything is working except WhatsApp. The log doesn't show any denied traffic, all green.

    Time Log comp Log subtype Firewall rule NAT rule Message Message ID Rule type Live PCAP Src IP Src port Dst IP Dst port In interface  Out interface  Protocol Username IPS policy ID Application
    04/12/2020 9:44 Firewall Rule Allowed 10 2 1 1 Open PCAP 192.168.10.191  64136 157.240.196.60 443 Port1 TCP salim.zeidan@alumcogroup.com 0 WhatsApp Web
    04/12/2020 9:44 Firewall Rule Allowed 10 2 1 1 Open PCAP 192.168.10.191  64135 157.240.196.60 443 Port1 TCP salim.zeidan@alumcogroup.com 0 WhatsApp Web
    04/12/2020 9:44 Firewall Rule Allowed 10 2 1 1 Open PCAP 192.168.10.191  64133 157.240.196.60 443 Port1 TCP salim.zeidan@alumcogroup.com 0 WhatsApp Web
  • Hi,

    What about the web and application logs? Does the GUI IPS show any values?
    Ian

    Sounds to me more like you are using DPI instead of the web proxy?

  • Hi,

    The IPS doesn't show any value; the web and the application logs don't show any denied traffic either.

  • I don't know how to translate this into SFOS 18, but on my XG running SFOS 17.5, I had to create a firewall rule to open TCP port 5222 and also had to create a web exception for 'https decrypt and scan' for ^[A-Za-z0-9.-]*\.whatsapp\.com/ and ^[A-Za-z0-9.-]*\.whatsapp\.net/ to get WhatsApp to run.
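
Added example, not part of the original post: a quick Python check of which hosts the two exception patterns quoted above actually cover. It assumes the patterns are evaluated against the URL in host/path form without the scheme and uses Python's `re` as a stand-in for the firewall's regex engine; the sample URLs and the optional-subdomain variant are constructed for illustration.

```python
import re

# The two web-exception patterns quoted in the post above.
POSTED = [r"^[A-Za-z0-9.-]*\.whatsapp\.com/",
          r"^[A-Za-z0-9.-]*\.whatsapp\.net/"]

# Hypothetical variant with the subdomain part made optional, so the bare
# domain is covered as well (not something the post specifies).
OPTIONAL_SUB = [r"^([A-Za-z0-9.-]*\.)?whatsapp\.com/",
                r"^([A-Za-z0-9.-]*\.)?whatsapp\.net/"]

# Constructed sample inputs in "host/path" form. Assumption: the exception
# is matched against the URL without its scheme, host first.
SAMPLES = [
    "web.whatsapp.com/",              # subdomain
    "static.whatsapp.net/rsrc.php",   # subdomain on the .net domain
    "whatsapp.com/",                  # bare domain, no leading label
    "web.whatsapp.com",               # no trailing slash
    "evilwhatsapp.com/",              # look-alike without a dot boundary
    "whatsapp.com.example.org/",      # look-alike parent domain
    "example.org/?u=.whatsapp.com/",  # pattern text only in the query
]


def matches(patterns, target):
    """True if any exception pattern matches the host/path string."""
    return any(re.search(p, target) for p in patterns)


def coverage(patterns, samples=SAMPLES):
    """Map each sample to whether the exception list would apply to it."""
    return {s: matches(patterns, s) for s in samples}


def differences(a=POSTED, b=OPTIONAL_SUB, samples=SAMPLES):
    """Samples that the two pattern lists treat differently."""
    ca, cb = coverage(a, samples), coverage(b, samples)
    return [s for s in samples if ca[s] != cb[s]]


if __name__ == "__main__":
    posted, optional = coverage(POSTED), coverage(OPTIONAL_SUB)
    print(f"{'host/path':32} posted  optional-sub")
    for s in SAMPLES:
        print(f"{s:32} {posted[s]!s:7} {optional[s]!s}")
```

Under that assumption the posted patterns cover subdomains only: the bare domain is left out, and look-alike hosts are rejected by the `^` anchor and the required `\.` boundary.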

  • I did the same and still nothing. I even included all the web categories in the exception for https decrypt and scan.

  • Does the log below belong to WhatsApp traffic?

    Log comp Log subtype Firewall rule NAT rule Message Message ID Rule type Live PCAP Src IP Src port Dst IP Dst port
    Invalid Traffic Denied N/A 0 Could not associate packet to any connection. 1001 0 Open PCAP 35.241.25.170 5222 195.112.215.122 42437
    Invalid Traffic Denied N/A 0 Could not associate packet to any connection. 1001 0 Open PCAP 35.241.25.170 5222 195.112.215.122 42437
    Invalid Traffic Denied N/A 0 Could not associate packet to any connection. 1001 0 Open PCAP 35.241.25.170 5222 195.112.215.122 42437
    Invalid Traffic Denied N/A 0 Could not associate packet to any connection. 1001 0 Open PCAP 35.241.25.170 5222 195.112.215.122 42437
    Invalid Traffic Denied N/A 0 Could not associate packet to any connection. 1001 0 Open PCAP 35.241.25.170 5222 195.112.215.122 42437
    Invalid Traffic Denied N/A 0 Could not associate packet to any connection. 1001 0 Open PCAP 35.241.25.170 5222 195.112.215.122 42437
  • Hi,

    Those log entries indicate that there was a connection, but now there is no active connection. Basically, the entries indicate that the packets do not match any firewall rule. Also, that traffic is incoming; your issue, I thought, was outgoing.

    Ian