
Chrome allowing some users to bypass web filter

Hello!

We recently installed a XG210 onsite and have been learning on the fly, so forgive me if this is something obvious. 

In our Web Filter policy we have it set to block Video Hosting and Video Streaming sites. This filter is used in multiple firewall policies. It appears though that some users (myself included) are able to still visit www.youtube.com and view the site/videos as if the filter wasn't in place, but only in Chrome. In IE, Firefox and even a Chrome Incognito window the site is blocked. I've looked at the live connections and I can see the connections to youtube.com, but the Log Viewer does not show any Web Filter logs for youtube.com for users that are able to view it still. 

I've tried a lot of things but I can't figure it out. Does anyone have any good next steps I can try?

Thanks!

Devon

EDIT1: Version 15.01.0 MR3



  • Hi Devon,

    Thanks for choosing Sophos.

    Check #1.2 and verify which FW rule ID forwards the packet for the source. Post a screenshot of the FW rule ID and the policies defined inside it. Make sure that the FW rule has HTTPS and HTTP scan enabled. 

    Thanks

  • Hi Sachin,

    I've attached the screenshots below and I've also included two rows from the packet capture, one which has rule 26 applied and the other, right below it, which does not have a rule applied (though that may just be me not knowing how to read it).

    I've also noticed that, despite HTTPS decrypt and scan being enabled, the certificate from YouTube in my Chrome browser is direct from Google and not a Sophos MITM one.

    Cheers,

    Devon

    Field                     Row 1                         Row 2                         Row 3
    Time                      2016-09-30 08:31:06           2016-09-30 08:31:06           2016-09-30 08:31:06
    In Interface              Port1                         Port1                         Port1
    Out Interface
    Ethernet Type             IPv4                          IPv4                          IPv4
    Source IP                 172.217.1.110                 172.16.50.161                 172.16.50.161
    Destination IP            172.16.50.161                 172.217.1.110                 172.217.1.110
    Packet Type               TCP                           TCP                           TCP
    Ports[src,dst]            443,62559                     62559,443                     62559,443
    Rule ID                   26                            26                            0
    Status                    Generated                     Consumed                      Incoming
    Reason
    Username                  devonn@.local                 devonn@.local                 -
    Web Filter ID             12                            12                            No Policy
    Application Filter ID     1                             1                             No Policy
    IPS Policy ID             5                             5                             No Policy
    User Group                OU=Office,OU=,DC=,DC=local    OU=Office,OU=,DC=,DC=local    -
    Bandwidth Policy ID       No Policy                     No Policy                     No Policy
    Remote Access Policy ID   No Policy                     No Policy                     No Policy
    Gateway ID                No Gateway                    1                             No Gateway
    Connection ID             1629948768                    1629948768                    0
    Master Connection ID      0                             0                             0
    Connection Status         ASSURED                       ASSURED                       UNREPLIED
    Served By                 CLOSE_WAIT                    FIN_WAIT                      NONE
    Web Category ID           61                            61                            No Category
    Connection Flags          61                            1                             0
    Application ID            100                           100                           No Application
    Application Category ID   5                             5                             No Category

  • Hi DevonNoonan,

    I have my doubts that the history existed and the connection was not deleted from the XG appliance.

    To check the connections in your network: console > system diagnostics utilities connections v4 show src_ip <ipaddress of Host machine>

    Note: The firewall rule would block new connections and would not interfere with existing connections. So even with HTTP decryption enabled, it would resume its connection with an existing connection.

    As per the policy configuration, you have added a Schedule on the Video Hosting sites, so the system might have resumed an existing connection with the same session ID.

    Could you test by deleting the connection during the scheduled time by using the command: Console > system diagnostics utilities connections v4 delete src_ip <ipaddress of host machine>

    I would like to add some information: YouTube, Google and Google-related apps use the QUIC protocol, which operates on UDP 443 and applies to Google Chrome. If you use any other browser, then the connection would work on TCP 443. I would suggest you create a rule to drop UDP 443, so the sessions would be diverted to TCP 443.

    Thanks and Regards 

    Aditya Patel | Network and Security Engineer.

  • Hi Aditya,

    Dropping UDP:443 traffic did the trick, regardless of any already open connections! Now I just have to figure out if there is a way to filter out certain types of videos instead of all of youtube.

    Thanks for the help!

  • Hi Devon,

    I am having the same problem. How did you manage to set up the firewall rule to drop UDP port 443 traffic?

    Thank You!

  • You can create a UDP HTTPS definition and then create a policy to drop UDP 443 traffic. Make sure that the blocking policy is applied BEFORE the allowed policy. I am using v16 so my screen may look different.

    On a side note, it's generally considered good practice to ONLY ALLOW PROTOCOLS that you need and not use ANY ANY firewall policies.
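As an added illustration of the two points made in this thread (Aditya's: Chrome's QUIC sessions run on UDP 443 and never reach the HTTPS proxy, so they show up as connections with no web filter policy; Billybob's: the drop rule must sit above the allow rule), here is a Python script that is not part of the thread or of Sophos' product. It flags UDP/443 flows with no web filter ID in constructed key="value" log lines (the field names are assumed, not the XG's real schema) and simulates first-match rule evaluation for a hypothetical rule table.

```python
import re
from collections import defaultdict

# Constructed sample records, loosely modelled on key="value" firewall
# logs; the field names are assumptions, not the XG's real log schema.
SAMPLE_LOGS = """\
user="devonn" dst_ip="172.217.1.110" proto="TCP" dst_port="443" fw_rule_id="26" web_filter_id="12"
user="devonn" dst_ip="172.217.1.110" proto="UDP" dst_port="443" fw_rule_id="26" web_filter_id="0"
user="devonn" dst_ip="172.217.1.110" proto="UDP" dst_port="443" fw_rule_id="26" web_filter_id="0"
user="alice" dst_ip="172.217.1.110" proto="TCP" dst_port="443" fw_rule_id="26" web_filter_id="12"
user="bob" dst_ip="172.217.1.110" proto="UDP" dst_port="443" fw_rule_id="27" web_filter_id="0"
"""
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def find_udp443_bypass(log_text):
    """Per user: number of UDP/443 flows that no web filter policy touched
    (web_filter_id 0, "-" or absent) and the firewall rule IDs that let
    them through. These are the QUIC sessions the HTTPS proxy never sees."""
    hits = defaultdict(lambda: {"udp443": 0, "rules": set()})
    for line in log_text.splitlines():
        rec = dict(KV_RE.findall(line))
        if rec.get("proto") != "UDP" or rec.get("dst_port") != "443":
            continue
        if rec.get("web_filter_id") not in (None, "", "0", "-"):
            continue  # the proxy did see this flow; not a bypass
        entry = hits[rec.get("user", "?")]
        entry["udp443"] += 1
        entry["rules"].add(rec.get("fw_rule_id", "?"))
    return dict(hits)


# Hypothetical rule table, evaluated top-down, first match wins.
BLOCK_QUIC = {"name": "Block Google QUIC", "proto": "UDP", "port": 443, "action": "drop"}
ALLOW_WEB = {"name": "Allow web", "proto": "ANY", "port": "ANY", "action": "accept"}


def first_match(rules, proto, dst_port):
    """Return (rule name, action) of the first rule whose selectors match;
    no match falls through to an implicit drop (assumed default)."""
    for rule in rules:
        if rule["proto"] in ("ANY", proto) and rule["port"] in ("ANY", dst_port):
            return rule["name"], rule["action"]
    return None, "drop"


if __name__ == "__main__":
    for user, info in find_udp443_bypass(SAMPLE_LOGS).items():
        print(f"{user}: {info['udp443']} UDP/443 flows via rules {sorted(info['rules'])}")
    print(first_match([BLOCK_QUIC, ALLOW_WEB], "UDP", 443))  # drop rule on top: QUIC dropped
    print(first_match([ALLOW_WEB, BLOCK_QUIC], "UDP", 443))  # drop rule below allow: QUIC still passes
```

The rule IDs the script reports are the ones that need the UDP 443 drop (or, on v17 and later, the QUIC checkbox) in front of them.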

  • Thank you, Billybob! The firewall is now working perfectly.

  • Encrypted UDP 443 traffic to Google is now recognized as QUIC and can be blocked with a check box in each individual Sophos XG firewall rule.

    Before this option in v.17 I used to create a "Block Google QUIC" rule at the top of my firewall rules to drop all UDP 443 traffic.