Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 596 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG Firewall Web Filter

Daniel Hargrove

Hi.

We have a number of new Sophos XG Firewalls and we are experiencing issues with the Web Filtering aspect as in, it just will not work. 

Here is an example of a setup at one of our sites. At this site the below has been configured to allow a residents network with internet access. The devices that connect to this network are BYOD and we have no control over these. 

Zone = Resident LAN 

Zone Options Selected = DNS / Ping / Web Proxy 

Firewall Rule = Resident LAN Internet Access

Firewall Rule Details = 

> Source Zone: Resident LAN 

> Source Networks: Any 

> Destination Zones: WAN 

> Destination Networks: Any 

Security Features: Web FIltering : Policy No Explicit Content (I used this as an example - We have created our own policy which contains a large number of categories)

Selected Options within Web Filtering (I am not to sure if these are correct) 

Block QUIC Protocol - Selected

Scan HTTP and decrypt HPPS - Selected

Use Web Proxy instead of DPI Engine - Selected

Decrypt HTTPS during web proxy filtering - Selected


When I connect a PC to the Resident LAN and test a number of sites which I would assume would be blocked they load without an issue. I can see the sites in question are all HTTPS which is making me think the filter cannot determine its content.

I am not to sure where in the logs to look for this type of thing. It is key that I ensure the residents networks at each of our sites is well protected which I bleieve the Sophos XG could take care of quite easily so it may be something in the configuration I have setup wrong or there may be a better way to do this. 

Any advice would be greatly apprecaited. 

Many thanks, Dan Hargrove



This thread was automatically locked due to age.
  • 0

    Hi,

    first thing is you need the XG ca installed to use https decrypt and scan.

    secondly do you have any other rules because it sounds like your tests are bypassing your desired rule?
    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Hi Ian. 

    Many thanks for your response. 

    I have now got it to a point through trial and error if it appearing to block the sites. As we have no control of the resident devices I cannot install the CA Cert so it has been matter of working out what to have enabled and what not to. The issue I am not experiensing is accessing websites is very slow which I assume is the web filter checking what is wanting to be loaded. Do you have any recoomendations for best practise when setting up in this way? 

    Many thanks, Dan 

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?