Is there a way to log the web categories without changing user behavior?

Dear All,

Our customer is running a PoC with Sophos XG in bridge mode.

The user wants to know the web usage categories in their environment.

If we set the web filter to "None", we see nothing in the web filter log.

If we change the web filter to "Allow All", we can see the web categories in the web filter log.

But after changing the web filter from "None" to "Allow All", Skype is also interrupted.

Skype couldn't be used successfully by some users...

As this is a PoC, importing the Sophos XG certificate into user browsers is not allowed...

Is there a way to log the web categories without changing user behavior?

How can we use the "Allow All" web filter to log web categories without interrupting applications?

Thanks~

Shunze



  • Shunze,

    make sure you also link an Application Filter with Allow All. If some applications are not working, you need to work through the Web Filter, IPS and Firewall logs in order to understand the ports used, URLs, etc., and create exceptions.

    Do not enable "decrypt and scan". Some applications are very sensitive and they "understand" that a man-in-the-middle is acting, and then they stop working.

    Regards

  • We didn't enable the Application Filter, so we set it to "None".

    We also didn't enable "decrypt and scan"; we knew this needs the XG certificate to be imported into user browsers.

    (Importing the XG certificate is not allowed during the PoC...)

    Since we didn't enable "decrypt and scan", the web exception should not work...

    But the "Allow All" web filter interrupts Skype.

    Even though I created a Skype FQDN bypass rule at the top, following the URL below, it didn't work.

    https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/83017/how-to-free-skype/319166#pi2151=3

    After we changed the web filter to "None", Skype works well.

    Any suggestion for using the "Allow All" web filter to see the web categories?

  • Hi,

    I would expect the output with the packet info:

    console> tcpdump 'port 4444'
    tcpdump: Starting Packet Dump
    20:50:09.664404 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [S], seq 1056313094, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    20:50:09.664551 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [S.], seq 2246499549, ack 1056313095, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    20:50:09.668417 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [.], ack 1, win 256, length 0
    20:50:09.670515 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [P.], ack 1, win 256, length 517
    20:50:09.670825 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [.], ack 518, win 237, length 0
    20:50:09.707212 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [.], ack 518, win 237, length 1460
    20:50:09.707391 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [.], ack 518, win 237, length 1460
    20:50:09.707499 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [.], ack 2921, win 256, length 0
    20:50:09.707558 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [P.], ack 518, win 237, length 19
    20:50:09.713478 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [P.], ack 2940, win 256, length 126
    20:50:09.717212 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [P.], ack 644, win 237, length 258
    20:50:09.719267 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [F.], seq 644, ack 3198, win 255, length 0
    20:50:09.720067 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [F.], seq 3198, ack 645, win 237, length 0
    20:50:09.720238 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [.], ack 3199, win 255, length 0

    Could you check if you are able to provide the same?
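The two replies above suggest the same diagnostic step: look at what actually crosses the firewall (ports, flags, who closes the connection) and use that to build exceptions. The script below is an added example, not code from the thread or from Sophos. It parses console tcpdump lines in the format shown in the reply above into TCP flows and reports, per flow, whether the three-way handshake completed, how many payload bytes went each way, and whether the flow ended with FIN (orderly close) or RST (abrupt close). A flow that completes the handshake, sends its first payload and is then answered by an RST with no server data is the pattern an in-path drop or reset produces; that is what to look for in a capture when an application stops working after a policy change. The port-4444 lines are copied from the reply above; the port-443 flows, their timestamps and their RFC 5737 addresses are constructed for this example.

```python
"""Per-flow summary of console tcpdump output. Added example, not code from the thread.
Groups packets into TCP flows and reports whether the handshake completed, payload bytes per
direction, and whether the flow ended with FIN (orderly) or RST (abrupt, the usual sign that
something in the path dropped or reset it). The port-4444 lines below are copied from the
thread; the port-443 lines are constructed for this example (RFC 5737 documentation addresses)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# "ts iface, IN|OUT: IP a.b.c.d.port > a.b.c.d.port: Flags [..], ..., length N"
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+\S+,\s+(?:IN|OUT):\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
    r"\s+Flags\s+\[(?P<flags>[^\]]*)\].*?length\s+(?P<length>\d+)")

@dataclass
class Flow:
    client: str  # "ip:port" of the side that sent the SYN (or the first packet seen)
    server: str
    syn: bool = False
    synack: bool = False
    ack: bool = False  # client ACKed the SYN-ACK: handshake complete
    fin_client: bool = False
    fin_server: bool = False
    rst_from: str | None = None
    packets: int = 0
    payload: dict = field(default_factory=lambda: {"c2s": 0, "s2c": 0})

    @property
    def handshake_complete(self) -> bool:
        return self.syn and self.synack and self.ack

    @property
    def close(self) -> str:
        if self.rst_from:
            return f"RST from {self.rst_from}"
        if self.fin_client and self.fin_server:
            return "FIN both ways"
        return "FIN one way" if (self.fin_client or self.fin_server) else "open/unknown"

def parse_tcpdump(text: str) -> dict[tuple[str, str], Flow]:
    """Return flows keyed by (client, server) from raw tcpdump text."""
    flows: dict[tuple[str, str], Flow] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner lines such as "tcpdump: Starting Packet Dump"
        src, dst = f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}"
        flags, length = m["flags"], int(m["length"])
        key = (dst, src) if (dst, src) in flows else (src, dst)
        f = flows.setdefault(key, Flow(client=src, server=dst))  # new flow: sender is the client
        f.packets += 1
        from_client = src == f.client
        if flags == "S":
            f.syn = True
        elif "S" in flags:  # "S." is the SYN-ACK
            f.synack = True
        elif f.synack and from_client and "." in flags:
            f.ack = True
        f.payload["c2s" if from_client else "s2c"] += length
        if "F" in flags:
            setattr(f, "fin_client" if from_client else "fin_server", True)
        if "R" in flags and f.rst_from is None:
            f.rst_from = "client" if from_client else "server"
    return flows

def flagged(flows: dict[tuple[str, str], Flow]) -> list[Flow]:
    """Flows worth a closer look: reset, or never completed the handshake."""
    return [f for f in flows.values() if f.rst_from or not f.handshake_complete]

SAMPLE_CAPTURE = """tcpdump: Starting Packet Dump
20:50:09.664404 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [S], seq 1056313094, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
20:50:09.664551 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [S.], seq 2246499549, ack 1056313095, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
20:50:09.668417 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [.], ack 1, win 256, length 0
20:50:09.670515 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [P.], ack 1, win 256, length 517
20:50:09.670825 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [.], ack 518, win 237, length 0
20:50:09.707212 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [.], ack 518, win 237, length 1460
20:50:09.707391 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [.], ack 518, win 237, length 1460
20:50:09.707499 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [.], ack 2921, win 256, length 0
20:50:09.707558 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [P.], ack 518, win 237, length 19
20:50:09.713478 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [P.], ack 2940, win 256, length 126
20:50:09.717212 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [P.], ack 644, win 237, length 258
20:50:09.719267 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [F.], seq 644, ack 3198, win 255, length 0
20:50:09.720067 PortB, OUT: IP 192.168.37.10.4444 > 192.168.37.1.64940: Flags [F.], seq 3198, ack 645, win 237, length 0
20:50:09.720238 PortB, IN: IP 192.168.37.1.64940 > 192.168.37.10.4444: Flags [.], ack 3199, win 255, length 0
20:51:02.100000 PortB, IN: IP 192.168.37.1.50222 > 198.51.100.20.443: Flags [S], seq 10, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
20:51:02.120000 PortB, OUT: IP 198.51.100.20.443 > 192.168.37.1.50222: Flags [S.], seq 500, ack 11, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
20:51:02.121000 PortB, IN: IP 192.168.37.1.50222 > 198.51.100.20.443: Flags [.], ack 1, win 256, length 0
20:51:02.123000 PortB, IN: IP 192.168.37.1.50222 > 198.51.100.20.443: Flags [P.], seq 1:518, ack 1, win 256, length 517
20:51:02.125000 PortB, OUT: IP 198.51.100.20.443 > 192.168.37.1.50222: Flags [R.], seq 1, ack 518, win 0, length 0
20:51:05.000000 PortB, IN: IP 192.168.37.1.50223 > 198.51.100.21.443: Flags [S], seq 20, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
20:51:08.000000 PortB, IN: IP 192.168.37.1.50223 > 198.51.100.21.443: Flags [S], seq 20, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0"""

if __name__ == "__main__":
    for f in parse_tcpdump(SAMPLE_CAPTURE).values():
        print(f"{f.client} -> {f.server}: handshake_ok={f.handshake_complete} "
              f"payload={f.payload} close={f.close} pkts={f.packets}")
```

In the sample, the thread's own port-4444 flow completes its handshake, carries 643 bytes up and 3197 bytes down, and closes with FIN in both directions, which is what a healthy connection looks like. The constructed port-443 flow to 198.51.100.20 is answered by an RST right after the client's first 517-byte payload, with nothing from the server, and the flow to 198.51.100.21 never gets a SYN-ACK at all; `flagged()` returns exactly those two. Running the same script on a capture of the affected client while Skype fails, filtered on the client address, tells you which peers and ports are being cut and whether they are reset or silently dropped, which is the information the firewall, web filter and IPS logs then need to be matched against.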