Please explain this odd diagnostic tool behaviour.

Hi folks,

I have another thread in which the issue with accessing coles.com.au has been resolved.

I can now access that site without any issues. I was using the policy tester during my investigations and received some strange answers which did not help with the resolution.

Policy tester results. The first is with SSL/TLS in the selection process. The second is just the web proxy with the web policy used by the access rules.

Why does the SSL/TLS cause the site to show blocked in the testing when in practice it is not blocked?

Ian



  • No answers, very disappointing. Today the XG started to block access to the coles.com.au site for most users, again. Testing shows DNS does not return an IPv6 address for the site, which seems to be the issue. XG cannot test access to IPv6 sites, which makes diagnosis very difficult.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.
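Since the appliance's policy tester cannot exercise an IPv6 path, the check below is run from a client behind the firewall instead. This is an added example, not code from the thread or from Sophos: it resolves the hostname separately for A and AAAA records, attempts a TCP handshake to each returned address in its own family, and then distinguishes "DNS published no record" from "a record exists but the handshake fails" per family. The hostname, port 443 and the 3-second timeout are assumptions; the resolver and prober are injectable so the classification logic can be exercised offline with constructed results.

```python
"""Per-address-family reachability check from a client behind the firewall.

Added example (not from the thread or from Sophos). Separates "no A/AAAA record"
from "record exists but no TCP handshake" for IPv4 and IPv6 independently.
"""
import socket
from dataclasses import dataclass, field

# Assumed defaults: HTTPS port and a short handshake timeout.
DEFAULT_PORT = 443
DEFAULT_TIMEOUT = 3.0

# Address families checked, in the order a dual-stack client prefers them.
FAMILIES = (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6))


@dataclass
class FamilyResult:
    addresses: list = field(default_factory=list)   # addresses DNS returned
    reachable: dict = field(default_factory=dict)   # address -> "ok" or error text


def resolve(host, family, port=DEFAULT_PORT):
    """Return the distinct addresses DNS gives for `host` in one family ([] if none)."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    seen = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


def tcp_probe(addr, family, port=DEFAULT_PORT, timeout=DEFAULT_TIMEOUT):
    """Attempt a plain TCP handshake; returns "ok" or the OS error text."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
        return "ok"
    except OSError as exc:
        return str(exc)
    finally:
        sock.close()


def check(host, port=DEFAULT_PORT, timeout=DEFAULT_TIMEOUT,
          resolver=resolve, prober=tcp_probe):
    """Resolve and probe `host` in each family; resolver/prober are injectable for testing."""
    results = {}
    for name, family in FAMILIES:
        result = FamilyResult(addresses=resolver(host, family, port))
        for addr in result.addresses:
            result.reachable[addr] = prober(addr, family, port, timeout)
        results[name] = result
    return results


def diagnose(results):
    """Turn per-family results into the one-line conclusion a troubleshooter wants."""
    v4, v6 = results["IPv4"], results["IPv6"]

    def any_ok(result):
        return any(status == "ok" for status in result.reachable.values())

    if not v4.addresses and not v6.addresses:
        return "dns: no A or AAAA record returned (resolution problem, not a firewall rule)"
    if v6.addresses and not any_ok(v6) and any_ok(v4):
        # Dual-stack clients try the AAAA address first, so a dead v6 path
        # shows up as a stall or failure even though v4 works.
        return "ipv6 path broken: AAAA published but no IPv6 handshake succeeds"
    if v4.addresses and not any_ok(v4) and any_ok(v6):
        return "ipv4 path broken: A published but no IPv4 handshake succeeds"
    if any_ok(v4) or any_ok(v6):
        return "reachable over every address family that DNS advertises"
    return "records exist but no handshake succeeds in any family: check the firewall log viewer for a drop"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "coles.com.au"
    outcome = check(target)
    for name, res in outcome.items():
        print(f"{name}: {res.addresses or 'no record'} {res.reachable}")
    print(diagnose(outcome))
```

Run it from the affected client (`python3 check.py coles.com.au`) and from one that works; if the AAAA address is published but only the IPv6 handshake fails, the firewall rule for IPv4 is not the place to look, and the log viewer should show whether the IPv6 flow ever reaches the XG at all.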

  • I have identified why coles.com.au is not accessible from some devices on the local network.

    Further to the diagnostic failure, the same issue occurs with other websites, so there is a bug in the diagnostic tool.

    Ian

    Update on the connection issue: disabling the wifi for a while seems to work on most devices.


  • I am not able to follow you:
    The policy tester can do the web proxy rules and the firewall rules. 

    You do not have a matching Firewall rule for this traffic. Should there be one firewall rule? 

    Because proxy is simply testing itself, solely on the base of "what would the proxy say". 

    If you are getting a blocked page, this would be fine, as this is the expected behavior, due to no firewall rule being in place. 

  • The issue is there is a firewall rule. I understand what you are asking and see the error of my question.

    Ian

  • But a TLS rule will not allow anything? So can you show us your firewall rule, which should allow this? 

    You are referring to an issue, your firewall rule is not reflected? 


  • I don't have any general access SSL/TLS rules, only a couple for specific devices that do not object to SSL/TLS inspection.

    The firewall rule using the web proxy works correctly.

    Ian


  • First of all: TLS/SSL Scanning is not involved in this situation. 
    The policy tester simply says, your IP has no matching firewall rule for WAN (This particular WAN IP).

    If you browse from this IP to the particular WAN IP, do you see a logviewer entry? Can you show us this logviewer entry? 


  • You hit the nail on the head, that is the issue I am trying to debug: why the traffic never gets to the firewall. I thought I had the issue identified, but no, and I am no closer to working out why it is failing.

    I originally thought it was Safari and Apple wifi, so I changed APs: different manufacturer, different SSID and password, still failure. I tried a direct connection, which worked with Firefox; now, having changed to a larger switch to provide sufficient physical connections, I still get failures.

    At the moment my wife's Mac Air has a connection to the site using Firefox; she needs access to do the online shopping. When it does connect it uses IPv6.

    So annoying. Tomorrow I will try a direct connection without the XG being involved.

    Ian
