
Web Policy and Filtering Not Working at All

XG V16 - It seems yet another thing real simple in other firewalls just doesn't want to work.  I'm not sure if the KB article I found isn't complete, but if I have the default web filtering policy or Default Workplace Policy applied on the only LAN-to-WAN network rule, nothing gets blocked, nor does anything show up in the log viewer.  Also, while I can see the value of doing it on a rule basis, is there a way to just filter on a zone like with other firewalls?



  • David,

    Can you share the firewall page with all the rule?

    Thanks

  • Here it is.  The other Lan-to-Wan rules were added since this started, and most are currently disabled anyway.  Thanks.

  • Hi David,

    Take a look at #1 in my guide here and verify, with the help of Packet Capture, which FW rule the traffic is forwarded through.

    I guess the traffic gets passed through Rule ID 25 which has no filters applied.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Okay, some strange behavior.  I got to the client site and oddly enough the filtering was working on one PC that it wasn't working on when I tested remotely last night, but it isn't working on another.  Further examination with the capture, and the one it isn't working on has a Business Rule to access it remotely via public IP, and the web filtering is allowing passage based on an INBOUND rule, maybe because it is reflexive.  There is no option for a business rule to do web filtering.

    The PC that is getting blocked has no unique rules for it, and is going out on the general LAN-to-WAN masquerade that other PCs are, rule 1, which has the web filtering policy.  No idea why it is working this morning and not yesterday, but.....

    So, although I'm not sure why the PAT'd PCs suddenly work, how do you protect devices with a business rule?

    Also, from my original question, is there any way to blanket protect all devices in a zone, like in Sonicwall and others?  Doing it rule-by-rule has its place if you need the granularity, but I don't.

    Thanks.

  • Oh yes, forgot to mention that rule 25 that you questioned was disabled, though maybe tough to see in the screen shot.  Rule 1 was the first active LAN-to-WAN.

  • I found on my XG230 that the only Firewall rule it would use was the first (top) and then allow everything else under it.

    Seems mental as usually a Firewall would do the filter thing and pass to the next rule.


    I ended up making a Web Policy and adding all the categories into it and then adding that to the Firewall Rule and it works fine.


    I was told by the Sophos vendor this was by design and not a bug - not quite sure I believe him though.

    Sophos XG 450 (SFOS 18.5.1 MR-1)

    Sophos R.E.D 50 x 2

    Always configuring new stuff.....

  • I don't know if he was in error, expressed himself poorly, or you misunderstood, but firewalls universally work by the principle of first match.  If traffic matches a rule, yes, it stops further comparison of rules.  Therefore, you need to have the most specific rule first for any traffic that could match more than one rule.  For instance, if you want to block host A from HTTP, you'd first have a rule to block it before any rule allowing all others to HTTP.  If you had the rules reversed, with the "allow all" to HTTP rule first, it would stop there and allow Host A's traffic, and never get to the rule to block that specific host.  I hope that makes sense.
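The first-match behaviour described in the post above, as an added example that is not part of the thread and not Sophos code. The rule names, addresses and ports are constructed; a rule carries an optional web policy to show why traffic that matches an unfiltered rule (or a rule without a policy) is never filtered, and a disabled rule is skipped. It also includes a simple shadowing check that flags a specific rule placed below a broader one that already covers it.

```python
"""First-match firewall rule evaluation (constructed illustration).

Added example, not Sophos code and not any poster's configuration.
Rule names, hosts, ports and policy names below are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                          # source network in CIDR form, or "any"
    dst_port: Optional[int]           # None matches any destination port
    action: str                       # "allow" or "block"
    web_policy: Optional[str] = None  # web policy attached to this rule, if any
    enabled: bool = True

    def matches(self, src_ip: str, dst_port: int) -> bool:
        """A disabled rule never matches; otherwise check source and port."""
        if not self.enabled:
            return False
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src):
            return False
        return self.dst_port is None or self.dst_port == dst_port


def first_match(rules: List[Rule], src_ip: str, dst_port: int) -> Optional[Rule]:
    """Return the first enabled rule that matches, or None (implicit drop)."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule
    return None


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> Tuple[str, Optional[str]]:
    """Return (action, web_policy) exactly as a first-match engine would apply them.

    Only the matched rule's web policy is used; policies on later rules are irrelevant.
    """
    rule = first_match(rules, src_ip, dst_port)
    if rule is None:
        return ("drop", None)
    return (rule.action, rule.web_policy)


def _covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet 'later' could match is already claimed by 'earlier'."""
    if not earlier.enabled:
        return False
    if earlier.dst_port is not None and earlier.dst_port != later.dst_port:
        return False
    if earlier.src == "any":
        return True
    if later.src == "any":
        return False
    return ip_network(later.src).subnet_of(ip_network(earlier.src))


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of enabled rules that can never match because an earlier rule covers them."""
    shadowed = []
    for i, later in enumerate(rules):
        if later.enabled and any(_covers(e, later) for e in rules[:i]):
            shadowed.append(later.name)
    return shadowed


# Constructed rule sets (hypothetical names and addresses).
HOST_A = "10.0.0.5"
HOST_B = "10.0.0.9"
POLICY = "Default Workplace Policy"

# Correct ordering from the post: specific block first, general allow after.
SPECIFIC_FIRST = [
    Rule("block-hostA-http", "10.0.0.5/32", 80, "block"),
    Rule("allow-lan-http", "10.0.0.0/24", 80, "allow", web_policy=POLICY),
]

# Reversed ordering: the broad allow is hit first and the block is never reached.
ALLOW_FIRST = list(reversed(SPECIFIC_FIRST))

# A disabled unfiltered rule at the top is skipped, so the filtered rule applies.
WITH_DISABLED = [
    Rule("unfiltered-allow", "any", None, "allow", enabled=False),
    Rule("allow-lan-http", "10.0.0.0/24", 80, "allow", web_policy=POLICY),
]

if __name__ == "__main__":
    for label, rules in (("specific first", SPECIFIC_FIRST), ("allow first", ALLOW_FIRST)):
        print(label, "host A ->", evaluate(rules, HOST_A, 80),
              "| shadowed:", shadowed_rules(rules))
    print("disabled first, host A ->", evaluate(WITH_DISABLED, HOST_A, 80))
```

Running the block prints the contrast the post describes: with the specific block first, host A is blocked and everyone else is allowed with the web policy applied; with the rules reversed, host A is allowed and `shadowed_rules` reports the block rule as unreachable. The disabled-rule case mirrors the thread's rule 25: being disabled, it is skipped, and the next enabled rule (with its policy) decides.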

  • Thanks David,


    I do understand; however, the XG isn't working this way.


    For example, I had rule 1 to block Social Media sites (web policy) applied to a specific User Group, then Rule 2 was a Web Blacklist of sites I don't want anyone going to, Rule 3 was to block EXE downloads and so on.

    If a user in that policy tried to go to Facebook it would fail (Rule 1), however they could download an EXE file (Rule 3).

    So I have one FW rule with separate Web Policy and Application Controls added.

    Sophos XG 450 (SFOS 18.5.1 MR-1)

    Sophos R.E.D 50 x 2

    Always configuring new stuff.....

  • I would if I could attach images :-)

    Sophos XG 450 (SFOS 18.5.1 MR-1)

    Sophos R.E.D 50 x 2

    Always configuring new stuff.....

  • Hi David,

    I completely missed that the FW rule was disabled. Is the issue resolved? If not, try restarting the Web Proxy service from Administration > Services > Web proxy and also show me a picture of the drop-packet and packet filter logs. Next, go to the Advanced Shell and capture a few log lines from awarrenhttp.log that show the websites being allowed while filtering is not working.

    Last but not least, check if the Web Protection license is active.

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.