
default web policy "NO GAMES ADS OR EXPLICITI CONTENTS" didn't deny access to porn web sites

Dear 

I have a problem: all porn sites are working and Sophos didn't deny them. Please let me know how I can use the default web policy "NO GAMES ADS OR EXPLICITI CONTENTS" to deny access to porn web sites.

Thanks in advance



  • Hi Hani,

    Can you please verify in the logs which policy the traffic is traversing?

    Are they passing through this policy (the one in the screenshot you provided)?

    Let us know the results of your checking.

    Regards,

    Rap

  • Thank you for your reply. Please review the screenshots below.

    Thanks in advance

  • Hi,

    I think I can see the problem. None of the rules have access rule enabled.

    Turning on the feature in the application page does not cause it to be applied to any rule. You need to add that selection in your rule along with your IPS settings. The rule needs to be the top one in the selection process for general access.

    Ian

  • Dear

    Can you give me more details on how I can follow this instruction? I am still new to Sophos and I can't understand what you meant with "Turning on the feature in the application page does not cause it to be applied to any rule. You need to add that selection in your rule along with your IPS settings. The rule needs to be the top one in the selection process for general access".

  • Hi,

    I can see I was wrong in my statement about nothing being enabled; that wasn't obvious when I looked the first time, as the screenshot seems to have increased in size.

    Further, you will need to enable micro checking (not the correct term) in your application page. Your LAN -> WAN rule needs to be at the top of the list. Rule numbers only tell you the order in which the rules were created, not how they are applied.

    Also, you need a reject rule at the bottom to drop all outgoing traffic that fails the other rules.

    How are you authenticating your users?

    Sorry for what seem to be incomplete answers; I am on holidays and don't have access to my XG.

  • Hi Hani,

    Can you please move the LAN-->Internet rule to the very top of your firewall policies?

    Let us know how it goes.

    Thanks,

    Rap

  • I did it, with no result :(

    And I applied your advice regarding the "reject rule at the bottom to drop all outgoing traffic that fails other rules".

  • Hi,

    I have the same blocking rule in place and it works well. When I get home I will test your failing websites with my current configuration.

    I will then update this thread with a copy of my rule.

    Ian

  • Hi,

    I think you are trying to achieve too much with one rule. You should have a separate rule at the top for your VoIP with limited destinations to stop strange connections.

    Your rule looks okay from what I can see of it, and the micro site check is on by default from MR5 if I remember correctly.

    I can now see all your screenshots a lot better, not sure why. Your DNS is the issue, not the rule itself. If you look at your logs you will see all the sites are unclassified, which is what xlr8 was getting at.

    I am not sure why you are using the internal interfaces of the XG as a DNS server, because the XG does not have a DNS proxy; try using the DNS provided by your ISP.

    Ian
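The diagnostic Ian describes (look in the web-filter logs and notice that every site comes back unclassified, so a category-based policy has nothing to act on) can be scripted. The following is an added example, not code from the thread or from Sophos: it parses a few constructed log lines in the key="value" syslog layout that SFOS emits, tallies per firewall rule how many web hits carried no category, and flags rules whose traffic is mostly uncategorised. The field names `log_type`, `status`, `fw_rule_id`, `category` and `url` follow the SFOS syslog format as I know it; the sample lines, addresses and rule ids are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs) in the key="value" syslog layout that
# Sophos XG/SFOS uses for web-filter ("Content Filtering") events. A rule that
# sees only category="None" verdicts cannot deny "Adult Content", because the
# categorisation never happened; that is the symptom discussed in the thread.
SAMPLE_LOG = """\
device="SFW" date=2017-08-01 time=10:01:02 log_type="Content Filtering" log_component="HTTP" status="Allowed" fw_rule_id=3 user_name="" src_ip=192.168.1.10 category="None" url="http://example.invalid/a" reason=""
device="SFW" date=2017-08-01 time=10:01:05 log_type="Content Filtering" log_component="HTTP" status="Allowed" fw_rule_id=3 user_name="" src_ip=192.168.1.10 category="None" url="http://another.invalid/b" reason=""
device="SFW" date=2017-08-01 time=10:02:11 log_type="Content Filtering" log_component="HTTP" status="Allowed" fw_rule_id=3 user_name="" src_ip=192.168.1.11 category="Search Engines" url="http://search.invalid/" reason=""
device="SFW" date=2017-08-01 time=10:03:40 log_type="Content Filtering" log_component="HTTP" status="Denied" fw_rule_id=1 user_name="alice" src_ip=192.168.1.12 category="Adult Content" url="http://blocked.invalid/" reason="Denied by policy"
device="SFW" date=2017-08-01 time=10:04:00 log_type="Firewall" log_component="Firewall Rule" status="Allow" fw_rule_id=3 src_ip=192.168.1.10 dst_ip=203.0.113.5
"""

# key=value, where the value is either "quoted text" or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Category values that mean "the lookup returned nothing useful"
UNCLASSIFIED = {"", "none", "unclassified", "unknown"}


def parse_kv(line):
    """Turn one key=value / key="quoted value" syslog line into a dict of strings."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def summarize(log_text):
    """Per firewall rule id: allowed/denied web hits and how many had no category.

    Only 'Content Filtering' events are counted; plain firewall-rule events carry
    no category field and would skew the ratio.
    """
    per_rule = defaultdict(lambda: {"allowed": 0, "denied": 0,
                                    "uncategorised": 0, "urls": []})
    for line in log_text.splitlines():
        rec = parse_kv(line)
        if rec.get("log_type") != "Content Filtering":
            continue
        entry = per_rule[rec.get("fw_rule_id", "?")]
        if rec.get("status", "").lower() == "denied":
            entry["denied"] += 1
        else:
            entry["allowed"] += 1
        if rec.get("category", "").strip().lower() in UNCLASSIFIED:
            entry["uncategorised"] += 1
            entry["urls"].append(rec.get("url", ""))
    return dict(per_rule)


def rules_needing_attention(summary, threshold=0.5):
    """Rule ids where more than `threshold` of the web hits were uncategorised."""
    flagged = []
    for rule, e in summary.items():
        total = e["allowed"] + e["denied"]
        if total and e["uncategorised"] / total > threshold:
            flagged.append(rule)
    return sorted(flagged)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for rule, e in sorted(s.items()):
        print(f"rule {rule}: allowed={e['allowed']} denied={e['denied']} "
              f"uncategorised={e['uncategorised']}")
    print("rules whose traffic is mostly uncategorised:", rules_needing_attention(s))
```

Run it against an export of the real web-filter log instead of `SAMPLE_LOG`; a rule that shows up in `rules_needing_attention` is one where the policy verdicts cannot be trusted until name resolution to the category service is fixed, regardless of how the rule is ordered.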

  • Unknown said:

    Hi,

    Can you please check if you are able to connect to the following:

    http://www.gorrosdenavidad.es
    peak.wing.sophosxl.net

    Under Monitor & Analyze > Diagnostics > Tools you can check if your firewall and DNS settings are able to resolve the hostnames given above.

    Let us know the results.

    Regards,

    Rap

    Thanks a lot for the info!
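The same check Rap asks for in the Diagnostics > Tools page, done from a client on the LAN so the result can be compared with what the firewall reports. This is an added example, not code from the thread or from Sophos: it resolves the two hostnames quoted above through whatever DNS the client is configured to use and, for the web site, also attempts a TCP connection, so a DNS failure can be told apart from a connectivity failure. The choice of port 80 for the web site and of resolution-only for the SophosXL host are my assumptions; the resolver and connector are injectable so the logic can be exercised offline.

```python
import socket

# Targets quoted in the thread. Port 80 for the web site is an assumption made
# here; the SophosXL host is checked for name resolution only (None), which is
# all the thread asks about.
CHECK_TARGETS = [("www.gorrosdenavidad.es", 80), ("peak.wing.sophosxl.net", None)]


def system_resolver(host):
    """Resolve through the OS stub resolver, i.e. whatever DNS the client points at."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def tcp_connect(addr, port, timeout=3.0):
    """True if a TCP handshake to addr:port completes within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_target(host, port=None, resolver=system_resolver, connector=tcp_connect):
    """Resolve `host`; if `port` is given, also try to connect to one of its addresses.

    Returns a dict with resolved (bool), addresses (list), reachable (True/False,
    or None when no port was requested) and a short error string on failure.
    """
    r = {"host": host, "resolved": False, "addresses": [], "reachable": None, "error": ""}
    try:
        r["addresses"] = list(resolver(host))
    except OSError as exc:              # socket.gaierror is a subclass of OSError
        r["error"] = f"DNS: {exc}"
        return r
    r["resolved"] = bool(r["addresses"])
    if not r["resolved"]:
        r["error"] = "DNS: no address returned"
        return r
    if port is not None:
        r["reachable"] = any(connector(a, port) for a in r["addresses"])
        if not r["reachable"]:
            r["error"] = f"TCP: no address accepted a connection on port {port}"
    return r


def diagnose(results):
    """'dns' if anything failed to resolve, 'connectivity' if something resolved
    but did not accept a connection, otherwise 'ok'."""
    if any(not r["resolved"] for r in results):
        return "dns"
    if any(r["reachable"] is False for r in results):
        return "connectivity"
    return "ok"


if __name__ == "__main__":
    results = [check_target(h, p) for h, p in CHECK_TARGETS]
    for r in results:
        state = "OK  " if r["resolved"] and r["reachable"] is not False else "FAIL"
        print(f"{state} {r['host']}: {', '.join(r['addresses']) or r['error']}")
    print("verdict:", diagnose(results))
```

If the verdict is `dns` on the client but the firewall's own Tools page resolves the names, the clients are using a different resolver than the firewall (in this thread, the XG's internal interface, which does not proxy DNS); if both fail to resolve `peak.wing.sophosxl.net`, the category lookups cannot work and every site will log as unclassified.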

  • Same issue on a new XG firewall I'm setting up for work. We had to use DNSfilter to temporarily filter these sites. UTM can't categorize the content and it's a big issue. Not an issue on our old UTM9 appliance.
