
Full URL accessed

How do I get a report or see the full URL that a user accessed? For example, a user watched a video on YouTube. In the logs it will just show they visited http://youtube.com, but I would want to see https://www.youtube.com/watch?v=QqBPhv-HyTw&t=1s. I am using an XG 16 firewall.


Thanks



  • Hi Kevin,

    I was able to successfully view a full URL by running a custom report and selecting "Detail", then "URL". The view isn't friendly, so you'll want to export it to CSV to get the full URL.

    I hope this helps.

    Cheers,

    Ben

  • Hi Ben,

    Thanks for your reply.


    To give some much-needed details to others trying to view the full URL a user accessed, you need to do the following:

    1. Create a new firewall rule or edit an existing rule; there are pros and cons that I will explain in a minute. In your firewall rule, scroll down to Malware Scanning and enable Decrypt & Scan HTTPS. This will make the firewall replace all incoming SSL/TLS security certificates with the firewall's security certificate. This is needed so the firewall can decrypt the HTTPS traffic. Now for those pros and cons. Some sites validate that you are using their security certificates. This is to help prevent Man in the Middle attacks. The Sophos firewall substituting the security certificates is functioning as a Man in the Middle and will cause some web sites that check to not load. To work around this you will have to put the firewall's security certificate (you can use a 3rd party commercial certificate or an AD certificate) on the machines you are going to decrypt HTTPS on. This isn't hard on Windows PCs, but I'm not sure about Macs, smart phones, or other devices that run on your network. You will also need to check Log Firewall Traffic on the rule.

    2. Click on Certificates, found on the left side of the web administration console. This is where you can manage your firewall's security certificates. I never found a way to export the firewall's ApplianceCertificate. This is the certificate you need to install on machines that you will be doing HTTPS decryption on. To get the certificate I used a Windows 7 VM that had Internet Explorer 9 installed. I then went to www.youtube.com (YouTube actually checks to see if you have the right certificate), waited to get the security certificate error, and clicked to view the security certificate. This will give you the option to import the security certificate into your machine's certificate stores. If you take the defaults, the certificate will end up in the Personal store for the user who is logged in to the machine. The certificate needs to be in Trusted Root Certification Authorities. If you want the certificate to be used by all users on the computer, you need to put the certificate in Trusted Root Certification Authorities for the computer account. You will need to do this for every computer that you want to decrypt HTTPS on.

    This is far more complicated than it needs to be just to see where a user is really going, not just the domain name.

  • Hi Kevin,

    On the security certificate, it's a slight UI bug and the Download Certificate button is hidden. When you go to System > Certificates > Certificate Authorities you have to scroll sideways to the right to see the download button. You can then use the SecurirtAppliance_SSL.PEM to push out the certificate via Group Policy or any other deployment method you have.

    Glad to hear you're up and running!

    Cheers,

    Ben
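Once the CA file has been downloaded as Ben describes, it still has to land in the computer account's Trusted Root Certification Authorities store on every decrypted machine, as Kevin's step 2 explains. The following PowerShell script is an added example, not code from the thread or from Sophos; the file path is an assumption, and it must be run from an elevated session.

```powershell
# Added example (not from the Sophos thread): install the firewall's CA certificate
# into the machine-wide Trusted Root store so HTTPS decryption no longer produces
# certificate errors for any user on the computer.
# Assumes the PEM downloaded from System > Certificates > Certificate Authorities
# was saved to the path below; adjust it for your environment.
param(
    [string]$PemPath = 'C:\Deploy\SecurirtAppliance_SSL.PEM'   # assumed location
)

$ErrorActionPreference = 'Stop'

# X509Certificate2 accepts both DER and Base64/PEM encoded certificate files.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PemPath)

# A decryption CA should be self-signed; flag anything else before trusting it.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Not self-signed (Subject: $($cert.Subject), Issuer: $($cert.Issuer))."
}

Write-Host "Subject:    $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Valid:      $($cert.NotBefore) to $($cert.NotAfter)"

# 'Root' + 'LocalMachine' is Trusted Root Certification Authorities for the
# computer account, not the logged-on user's Personal store where a browser
# import lands by default.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')   # requires an administrator session
try {
    $existing = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($existing.Count -gt 0) {
        Write-Host 'Certificate already present in LocalMachine\Root; nothing to do.'
    } else {
        $store.Add($cert)
        Write-Host 'Certificate added to LocalMachine\Root.'
    }
} finally {
    $store.Close()
}

# Confirm via the Cert: drive, which is how an admin would later audit the store.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Select-Object Subject, Thumbprint, NotAfter
```

For fleet-wide rollout the same PEM can be distributed through Group Policy (Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities) instead of running the script per machine.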