
Web Policy and Filtering Not Working at All

XG V16 - It seems yet another thing real simple in other firewalls just doesn't want to work.  I'm not sure if the KB article I found isn't complete, but if I have the default web filtering policy or Default Workplace Policy applied on the only LAN-to-WAN network rule, nothing gets blocked, nor does anything show up in the log viewer.  Also, while I can see the value of doing it on a rule basis, is there a way to just filtering on a zone like with other firewalls?

  • None can be used for a few things.  One of the basic ones is to create an HTTP/S rule that bypasses the proxy.
     
    When traffic matches and goes through the proxy with an Allow All policy, it gets sent to the proxy for processing.  The proxy validates that the HTTP headers are correct.  It (optionally) enforces Pharming Protection.  It does additional checking for application.  It logs.  It...  does stuff.  And sometimes there is oddball traffic that just does not like going through a proxy.
     
    Example 1)
    I know that we have an old internal KVM switch that hosts a webpage that uses a Java applet to remotely show desktops.  And it just hates proxies (IIRC it uses wacky headers).  If you go through the firewall, through proxy to it with Allow All, it breaks.
     
    So you create a rule that is above your normal rules, destination IP is the KVM, applies to HTTP traffic, Web Policy None.  Now the traffic goes through the XG without ever going through the web proxy.
     
    Example 2)
    What if you purchase a product that you just want to use as a Firewall.  You don't want to use it as a Web Proxy - maybe you've got another one you use.  So you want to put HTTP traffic through the XG without it ever touching the XG's Web Proxy.  Use a firewall HTTP rule with None.
     
    Example 3)
    Outlook 365.  I hate that product for the headaches it causes.  The way it works is it first tries to connect to one server using HTTPS.  If it fails to make an SSL connection, it tries the next server, and so on.  Makes sense, right?  But when you go through the XG we have "friendly error messages", web pages that we generate that describe the error.  So when Outlook 365 tries to go to the first server, it succeeds on the SSL connection and we send a webpage saying "the server you are trying to connect to does not respond".  Outlook then halts.  It does not see that as a failed connection and does not go to the next server.  This occurs on "Allow All" and does not on "None".
     
    Creating a rule for that destination with None allows the raw connection attempt to be made, and fail, so that Outlook then tries the next server.  (Note we changed things in v17 so that we no longer present certain error pages in transparent mode HTTPS when Decrypt is off in order to fix this rather than doing a None rule)
     
     
     
    Basically Allow All still proxies the traffic, does logging and other stuff.  None is a true "don't touch this traffic, don't log it, just allow it and pretend you don't exist".
     
    If you are familiar with the UTM and the "transparent mode skiplist", a firewall rule with None is basically the same thing.
     
    I'm not 100% sure on what you mean in your side note, but yes.  Every TCP connection made to a different destination IP and port is treated as a separate connection and the firewall rule is chosen independently.  In this context a "Service" is a port.  See Hosts and Services | Services.
     
    Often when I do one of these lengthy explanation posts, I see that several people "like" it.  That tells me that people are reading and appreciating them.  KB articles and such are not always a good way of transmitting this information.
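    The rule-ordering point in the reply above (a None rule placed above the general rule, matched per connection by destination IP and port), as an added illustration that is not part of the original thread and not Sophos code. The rule table and the KVM address are constructed; the proxied/logged outcomes follow the reply's description of None versus Allow All.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of first-match firewall rule evaluation: rules are
# checked top-down per connection (destination IP + TCP port) and the
# first match decides whether the connection ever reaches the web proxy.
@dataclass
class Rule:
    name: str
    dst_net: str     # destination host/network in CIDR form
    ports: tuple     # "Service" = TCP port(s)
    web_policy: str  # "None", "Allow All", or a filtering policy name

def match(rules, dst_ip, dst_port):
    """Return the first rule matching this connection, or None if no rule matches."""
    ip = ip_address(dst_ip)
    for r in rules:
        if ip in ip_network(r.dst_net) and dst_port in r.ports:
            return r
    return None

def disposition(rule):
    """Translate the chosen rule's web policy into what happens to the traffic."""
    if rule is None:
        return {"allowed": False, "proxied": False, "logged": False}
    if rule.web_policy == "None":
        # Bypass: the web proxy never sees the connection and nothing is logged.
        return {"allowed": True, "proxied": False, "logged": False}
    # "Allow All" and any filtering policy both hand the traffic to the proxy,
    # which validates headers, applies Pharming Protection and logs.
    return {"allowed": True, "proxied": True, "logged": True}

def evaluate(rules, dst_ip, dst_port):
    return disposition(match(rules, dst_ip, dst_port))

KVM = "10.0.0.50"  # constructed address standing in for the KVM in Example 1
BYPASS = Rule("KVM bypass", f"{KVM}/32", (80, 443), "None")
GENERAL = Rule("LAN to WAN", "0.0.0.0/0", (80, 443), "Allow All")

if __name__ == "__main__":
    # Correct order: bypass rule above the general rule.
    print(evaluate([BYPASS, GENERAL], KVM, 80))
    # Wrong order: the general rule matches first and the bypass never applies.
    print(evaluate([GENERAL, BYPASS], KVM, 80))
```

    Swapping the two rules shows why the reply says the None rule must sit above the normal rules: with the general Allow All rule first, the KVM traffic is still proxied.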
  • If I’m understanding this correctly, using “Allow All” passes traffic through the web proxy which might be required to allow other features to work that utilize the web proxy such as Pharming Protection or validating HTTP headers. For example,  if I wanted to enable Pharming Protection but I don’t necessarily want to enable “Scan HTTP” (malware scanning), then I just set the web policy to “Allow All” so traffic goes through the web proxy so Pharming Protection can work.

    Personally, I don’t think this is very intuitive in Sophos XG (for me at least). For example, Pharming Protection is enabled in the general settings under the ‘Web’ section. It’s enabled by default but if I didn’t have a firewall that routes traffic through the web proxy, then Pharming Protection isn’t actually doing anything but there’s nothing telling me that. Additionally, it’s not easy to ascertain the difference between “None” and “Allow All” without having read this thread. The help files don’t mention any of this. Even changing “None” to something like “None (Bypass Web Proxy)” is a little more clear in my mind.

    Anyways, thanks again for explaining everything!

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/