
sophostest.com not blocked in webfilter

I wonder why this is never blocked on our XG. Any idea?

https://sophostest.com/adult/index.html

No Exceptions for this FQDN

This Firewall rule applies. Which has no Webfiltering enabled. I wonder to which host sophostest.com belongs?

Probably the IP I'm resolving also belongs to one of those many Sophos Exception Hosts.

nslookup

> set type=any
> sophostest.com

sophostest.com  internet address = 65.9.68.75
sophostest.com  internet address = 65.9.68.96
sophostest.com  internet address = 65.9.68.15
sophostest.com  internet address = 65.9.68.57

Also wondering why Intercept X is not blocking this.

It would probably be better if you placed this host on a cloud server that is not providing updates to your security products.

  • Can I check with some command to which hostname the XG firewall has resolved/cached the IP 65.9.68.75.xx?

    like ipconfig /displaydns on Windows?

  • Hi,

    From the first picture you're not applying TLS Decryption (the certificate is signed by Amazon). Since the connection from your browser to sophostest is fully encrypted, the only thing the firewall can see is the SNI.

    In order for the firewall to see the content and the URL Path, you will need to Decrypt the traffic. And I believe sophostest.com isn't in a predefined TLS Exclusion list, so you shouldn't have any issues after creating a TLS Decrypt Rule.

    Thanks!

  • Hi, I wrote that the request is matched by Sophos Central exceptions in firewall rules without DPI / proxy / webfiltering.

    So from my understanding it can only match by the DST IP of sophostest.

  • I can understand the client perhaps not blocking it as it's a bit of an odd case really, i.e. one domain classified in many buckets based on sub pages.

    If you access it with HTTP then I would expect the EP to classify it correctly. If you access it with HTTPS, then only the domain name is seen at the EP, which it gets from the SNI. As sophostest.com itself isn't classified as you expect, it will not be picked up. You would need to be doing SSL inspection to observe the /adult/index.html part of the URL.