
default web policy "NO GAMES ADS OR EXPLICIT CONTENTS" didn't deny access to porn web sites

Dear 

I have a problem: all porn sites are working and Sophos didn't deny them. Please let me know how I can use the default web policy "NO GAMES ADS OR EXPLICIT CONTENTS" to deny access to porn web sites.


thanks in advance



  • Hi,

    I can see I was wrong in my statement about nothing being enabled, that wasn't obvious when I looked the first time, the screen shot seems to have increased in size.

    Further you will need to enable micro checking (not the correct term) in your application page. Your LAN -> WAN needs to be at the top of the list. Rule numbers only tell you in which order the rule was created not about how they are applied.

    Also you need a reject rule at the bottom to drop all outgoing traffic that fails other rules.

    How are you authenticating your users?

    Sorry for what seem to be incomplete answers, I am on holidays and don't have access to my XG.

  • Hi Hani,

    Can you please move the LAN-->Internet Rule at the very top of your firewall policies.

    Let us know how it goes.

    Thanks,

    Rap

  • I did it with nothing :(

    and I applied your advice regarding "reject rule at the bottom to drop all outgoing traffic that fails other rules"

  • Hi,

    I have the same blocking rule in place and it works well. When I get home I will test your failing websites with my current configuration.

    I will then update this thread with a copy of my rule.

    Ian

  • Hi,

    I think you are trying to achieve too much with one rule. You should have a separate rule at the top for your VoIP with limited destinations to stop strange connections.

    Your rule looks okay from what I can see of it and the micro site check is on by default from mr5 if I remember correctly.

    I can now see all your screenshots a lot better, not sure why. Your DNS is the issue, not the rule itself. If you look at your logs you will see all the sites are unclassified, which is what xlr8 was getting at.

    I am not sure why you are using the internal interfaces of the XG as a DNS because the XG does not have a DNS proxy; try using the DNS provided by your ISP.

    Ian

  • I had the same issue and this is how I got around it. Click on Constraints next to the rule and select block https and the policy will work.

    Sorry for the beautiful print-screen :) doing this on the go since I am not home. Let me know if this works.

  • Hi,

    while your suggestion will add an extra layer to the blocking process, none of that will work until he fixes the DNS issue. The sites are failing the XG checking process because he is not contacting the classification server. All the sites are showing unclassified in his logs.

    Ian
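Ian's diagnosis above (everything showing as unclassified in the web-filter logs means the XG never reached the classification service, so the DNS path is what to fix) can be turned into a quick log check. The script below is an added example, not code from this thread or from Sophos: it parses constructed key="value" log lines that only loosely imitate the XG content-filtering log format (field names, user and URLs are assumptions) and flags when the Unclassified share is high, pointing at the DNS check for peak.wing.sophosxl.net mentioned later in the thread.

```python
import re
from collections import Counter

# Constructed sample lines loosely modelled on the Sophos XG content-filtering
# syslog style (key="value" pairs). They are illustrative, not captured output.
SAMPLE_LOG = """\
log_type="Content Filtering" log_component="HTTP" user_name="hani" url="http://site-a.test/" category="Unclassified" status="Allowed"
log_type="Content Filtering" log_component="HTTP" user_name="hani" url="http://site-b.test/" category="Unclassified" status="Allowed"
log_type="Content Filtering" log_component="HTTP" user_name="hani" url="http://site-c.test/" category="Unclassified" status="Allowed"
log_type="Content Filtering" log_component="HTTP" user_name="hani" url="http://news.test/" category="News" status="Allowed"
log_type="Firewall" log_component="Firewall Rule" src_ip="10.0.0.5" dst_ip="203.0.113.7" status="Allow"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Turn one key="value" log line into a dict (non-matching text is ignored)."""
    return dict(KV_RE.findall(line))

def classification_report(log_text, threshold=0.5):
    """Summarise web-filter events and say whether categorisation looks broken.

    Returns (web_hits, unclassified_hits, category_counts, diagnosis).
    Only "Content Filtering" records count; firewall-rule records are skipped.
    """
    categories = Counter()
    web_hits = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("log_type") != "Content Filtering":
            continue
        web_hits += 1
        categories[rec.get("category", "")] += 1
    unclassified = categories.get("Unclassified", 0)
    if web_hits == 0:
        diagnosis = "no web-filter events: check that the LAN->WAN rule applies a web policy"
    elif unclassified / web_hits >= threshold:
        # The symptom Ian describes: the policy cannot match a category it never learns.
        diagnosis = ("most requests are Unclassified: the firewall is likely not reaching "
                     "the category lookup service; verify DNS resolves peak.wing.sophosxl.net")
    else:
        diagnosis = "categorisation works: review the web policy and rule order instead"
    return web_hits, unclassified, dict(categories), diagnosis

if __name__ == "__main__":
    hits, uncl, cats, diag = classification_report(SAMPLE_LOG)
    print(f"web hits={hits} unclassified={uncl} categories={cats}")
    print(diag)
```

Feed it a real export of the content-filtering log instead of SAMPLE_LOG; a high Unclassified share after the DNS forwarders are fixed would point back at the rule rather than at name resolution.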

  • Dears

    First I need to give a special thank you to xlr8 and rfcat_vk, and another thank you to everyone who tried to help me. Actually my problem is solved right now, after a couple of days of trying to find where the issue was. Based on xlr8's and rfcat_vk's replies I focused on the DNS, and the issue was solved after reconfiguring my local domain DNS and especially the DNS FORWARDERS. So I configured DNS forwarders to redirect any unknown query to 8.8.8.8, and once I configured it the rule was working fine without adding any extra configuration on the Sophos firewall. I didn't even change the rule to be at the top, I kept its arrangement as it is, and also didn't make any reset or any extra configuration beyond what I sent in my screenshots.

    Really thank you very much for all.

    Yours

    HaniOmar

  • Unknown said:

    hi,

    can you please check if you are able to connect to the following:

    http://www.gorrosdenavidad.es
    peak.wing.sophosxl.net

    under Monitor & Analyze > Diagnostics > Tools

    you can check if your Firewall and DNS settings were able to resolve those hostnames given above.

    Let us know of the results.

    Regards,

    Rap

    Thanks a lot for the info!