Policy Quota not working with DPI

Hello!

I set a web category (Games) to be accessible only for 1 hour per day.

I run a policy test and I get the correct result:

If I go to the firewall rule that has this policy and check the option "Use web proxy instead of DPI engine", all seems to work as expected.

When the machine tries to access the website they get the expected block page with the option to use some of this quota

  

However, if I don't have the option checked and use the DPI engine, there is no option to use the quota:

Is this the expected behaviour? When I use the web proxy, the kids can select the amount of minutes they want to use and are able to enter roblox, however when they try to launch a game the following error appears and the game does not load.

I have tried various options, put exceptions, but haven't been able to get around this issue. The only thing that seems to work is to add an exception for roblox and skip policy checks. But since kids access roblox 99% of the time, then it would make the quota totally pointless. Log viewer shows nothing regarding this error.

This does not happen when DPI is used, though..

Any help would be much appreciated. I don't mind using the web proxy, of course, as long as I can get around the issue that occurs when the game tries to load..

Can you please help????



  • Hi Chris,

    I was hoping to answer your other request. DPI does not review UDP traffic and does not manage WEB or application control to the detail that the proxy does.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks a lot for your answer Ian!

    So basically I have to keep using the web proxy. However with the web proxy, I have the error mentioned above and roblox games fail to load..

    Any clues to how I can find what is causing this error? If I can find this, then the problem is solved! 

     
    Sophos XG Home Licence.

    Machine: Barracuda F12 appliance (Intel Celeron N3350 CPU, 6GB Ram, 80GB sata SSD)

  • Can anyone offer any insight regarding trying to find where the issue comes from?

    The only thing I could find is this page https://en.help.roblox.com/hc/en-us/articles/115005744663

    There it says "Note: The experience launch (clicking the Play button) currently does not support proxies, so please also allow: assetgame.roblox.com"

    But even if I put assetgame.roblox.com in the exception list I still get the same error. And if I add all addresses listed in that page it works, however then roblox does not get blocked at all (so the time quota I set on the policy does not apply)

    Any ideas welcome

     
    Sophos XG Home Licence.

    Machine: Barracuda F12 appliance (Intel Celeron N3350 CPU, 6GB Ram, 80GB sata SSD)

  • Hi Chris,

    You will need to create a rule allowing the application through with the IDS and application enabled with your allowed time policy; this will need to be at the top of your firewall list.

    Next you will need another firewall rule with the application blocked and the not allowed time policy immediately after the above rule.

    The destination in both cases will be the game server FQDN.

    The reason for both rules is to stop the PCs searching for other rules that allow the game connection.

    You will need to add the block game policy to all other firewall rules.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Apologies, Ian but I am not entirely sure I understood

    I already have a rule. Ok I can move it on top. However on the rule itself in appcontrol I have set it to none, so no applications are being blocked.

    The allowed time policy is not something I can adjust from the rule, it is set in the web policy. Unless you mean the option "During scheduled time" which is set to all time in weekdays. But this is not something I need to adjust. I don't want the rule to allow games on a specific timeframe. I want the rule to allow games for one hour every day.

    Please let me know if I misunderstood..

    ALSO: What I additionally realized is that even if I set the policy to allowed and not to quota, the fact that I have checked to use the web proxy does not allow the game to load..

    So to recap: (For now I moved the rule that includes the kids web policy on top)

    In Kids Policy I have added the category Games and Gambling.

    If I have this category allowed and I use the DPI, all is working as it should.

    If I have this category allowed and I use the Web Proxy instead, the game fails to load with the below error.

    If in the web policy I set it to quota instead of allow and use the web proxy, I get the block page where I am asked to select how much quota I want to use. I select 10 minutes and proceed and then it correctly redirects to the roblox webpage. But of course clicking on Play will bring up the above error again (since it does that anyway even if the category Games is allowed).

    If I switch to DPI before the 10 minutes have expired, I can now play without error.

    If the 10 minutes pass and I want to enter roblox again (still having DPI in use) I get a block page and not the option to use some more of my quota.

     
    Sophos XG Home Licence.

    Machine: Barracuda F12 appliance (Intel Celeron N3350 CPU, 6GB Ram, 80GB sata SSD)

  • So to add to my previous post:

    If the Firewall rule is using the web proxy instead of DPI, even if the category Games is allowed, roblox fails to load.

    If I can manage to figure out what in the web proxy causes roblox to fail it will be a good step forward.

    (Creating an exception for the game server fqdn in Web filter will work only if I have marked to skip the policy check. But then, even if I set the category to blocked, roblox will still open since it will be skipped by the policy in exceptions)

     
    Sophos XG Home Licence.

    Machine: Barracuda F12 appliance (Intel Celeron N3350 CPU, 6GB Ram, 80GB sata SSD)

    Since my original question about quota with DPI is already answered, I believe I should create yet another question, since it seems that the actual problem is that roblox is not working via web proxy.

    Ian, thanks for your help!

    Marking your original answer as the one

     
    Sophos XG Home Licence.

    Machine: Barracuda F12 appliance (Intel Celeron N3350 CPU, 6GB Ram, 80GB sata SSD)
