This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XGS116: Website does not load correctly

Hello

We have 2 Sophos XGS 116 and one website is not displayed correctly.
The main.css file does not download or can't be encoded.

I have created a ticket and already had a troubleshooting session with someone from Sophos. So far, we can't workaround the issue.
Does anyone have a clue on what is wrong on the XGS or is someone able to reproduce on their product?

We've tested the access also with other models, and there it works:

Location 1: XGS116 (SFOS 19.0.0 GA-Build317) -> not working
Location 2: XGS116 (SFOS 19.0.1 MR-1-Build365) -> not working
Location 3: SFV1C4 (SFOS 19.0.0 GA-Build317) -> working
Location 4: SG210 (SFOS 19.0.0 GA-Build317) -> working

Kind regards

This thread was automatically locked due to age.

Parents

0 jprusch over 2 years ago

Do you use the webproxy? Which mode, which engine?

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 retok over 2 years ago in reply to jprusch

We have a test client and created a rule for it where no filters or anything is applied and the website does still not work. Also as mentioned above, I had already a troubleshooting session of 2 hours with Sophos where we've tested this kind of stuff.

Thanks.
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 2 years ago in reply to retok

Hello Retok,

Thank you for contacting the Sophos Community.

Community users don't have access to Case IDs, so JPrusch has no idea what has been or has not been troubleshot, so if in your description you don't provide this information any community user will ask for this info, so as a TIP always mention in your description what is your configuration, settings enabled/disabled, what troubleshooting has been done, etc, that way the community can be more helpful.

I am not able to reproduce the issue on either XG116 v19.0 or v19.0 MR1.

Can you set your test firewall rule for a specific computer check the option for Web Filtering as follows:

Web Policy = Allow All

Malware and content scanning = Scan HTTP and Decrypted HTTPs

Filtering common web Ports = Select Use Web Proxy instead of DPI engine and Decrypt HTTPs during web Proxy filtering

Then from the advanced shell go to

# cd /log

# tail -f awarrenhttp_access.log | grep 192.168.200.10

(substitute the IP for the Test PC IP, open an incognito window, close all other windows, and access the website)

The log should start to fill, once it stops filling press Ctrl + C

Then check all of the URL, most likely you will need to create exceptions for each one: (Check Bold)

1662406275.625340228 [11851/0x7fd52b2a4c00] fwid=27 fwflag="VS" iap=1 aap=0 conn_id=2298325504 id="0001" name="http access" action="pass" method="POST" srcip="172.16.15.100" dstip="18.157.195.189" user="nucbox" statuscode=200 cached=0 trxlen=9436 rxlen=1506 url="https://collect-eu-central-1.tealiumiq.com/zurich-insurance/main/2/i.gif" referer="">https://www.zurich.ch/" type="image/gif" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=168 avscantime=1674 fullreqtime=625054 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" activity="" av_transaction_id="" categoryname="Information Technology" category="29" app_id=0 app_name="None" app_cat="None" exceptions="" sandbox="off"

Also, make sure if you have more than one Public IP they’re not overlapping in different interfaces and if you have add them as Alias (correct way) t hey are set as 255.255.255.255

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 emmosophos over 2 years ago in reply to retok

Hello Retok,

Thank you for contacting the Sophos Community.

Community users don't have access to Case IDs, so JPrusch has no idea what has been or has not been troubleshot, so if in your description you don't provide this information any community user will ask for this info, so as a TIP always mention in your description what is your configuration, settings enabled/disabled, what troubleshooting has been done, etc, that way the community can be more helpful.

I am not able to reproduce the issue on either XG116 v19.0 or v19.0 MR1.

Can you set your test firewall rule for a specific computer check the option for Web Filtering as follows:

Web Policy = Allow All

Malware and content scanning = Scan HTTP and Decrypted HTTPs

Filtering common web Ports = Select Use Web Proxy instead of DPI engine and Decrypt HTTPs during web Proxy filtering

Then from the advanced shell go to

# cd /log

# tail -f awarrenhttp_access.log | grep 192.168.200.10

(substitute the IP for the Test PC IP, open an incognito window, close all other windows, and access the website)

The log should start to fill, once it stops filling press Ctrl + C

Then check all of the URL, most likely you will need to create exceptions for each one: (Check Bold)

1662406275.625340228 [11851/0x7fd52b2a4c00] fwid=27 fwflag="VS" iap=1 aap=0 conn_id=2298325504 id="0001" name="http access" action="pass" method="POST" srcip="172.16.15.100" dstip="18.157.195.189" user="nucbox" statuscode=200 cached=0 trxlen=9436 rxlen=1506 url="https://collect-eu-central-1.tealiumiq.com/zurich-insurance/main/2/i.gif" referer="">https://www.zurich.ch/" type="image/gif" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=168 avscantime=1674 fullreqtime=625054 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" activity="" av_transaction_id="" categoryname="Information Technology" category="29" app_id=0 app_name="None" app_cat="None" exceptions="" sandbox="off"

Also, make sure if you have more than one Public IP they’re not overlapping in different interfaces and if you have add them as Alias (correct way) t hey are set as 255.255.255.255

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 retok over 2 years ago in reply to emmosophos
Hello Emmanuel

You are right, I could have provided more details.

Checked the firewall rule.

Checked the policy test and PCAP and traffic was allowed through Rule 57

Checked with and without web proxy and decrypt Https traffic.

Checked the interface configuration.

Checked the Conntrack and verified that the traffic is passing through the correct rules.

Checked the TCPDUMP and verified that the MTU and interface was correct.

Checked the Wireshark PCAP.

Checked the drop packet capture and there was no drop.

Checked with the URL exception and allowed the URL in the web policy as well as tried with the FQRN host in the firewall rule.

Checked the log viewer and it was allowing the traffic as per the web policy.

Checked the Awarrenhttps logs.

Cleared the conntrack for the source user.

I can try what you have written above. But from my understanding, if I create a rule where no filter is applied, I wouldn't need to create any exceptions as nothing should be blocked / filtered.
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 2 years ago in reply to retok

Hello there,

I believe the Proxy or DPI might be affecting this, so I would recommend you to also disable the DPI engine, as a test.

Protect >> Rules and Policies >> SSL/TLS inspection rules >> SSL/TLS inspection settings >> Advanced Settings >> Disable

When you don't select any option in the Firewall Rule the DPI runs by default, so this is the one that might be actually causing the issue.

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel