Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 7 replies
  • Subscribers 29 subscribers
  • Views 18658 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Android apps unable to update

PaulGH

Over the last few days, none of the android devices on the network have been able to update installed apps. 

Updating over the mobile network is fine, as is updating over our 2nd network managed by UTM 9 :) 

Currently my rules are very simple (listed in order) :-

(4) Allow DNS out from DNS servers

(5) Block DNS from any device

(7) Unrestricted access (no IPS, no Scanning, No web, no apps) - contains specific IP addresses on LAN.

(3) Default (Block p2p) and my web-policy. IPS uses the built in lantowan_general rule

 

my web-policy (items blocked):-

Criminal Activities
Drugs and Controlled Substances
Extreme or Violent Web Content
Nudity and Adult Content
Suspicious

 

No matter what I do, the traffic is rejected. I'm fairly sure it's something to do with a *.gvt1.com/ which is rejected by rule (3) as Advertising.

 

Even adding the android devices to the unrestricted rule, traffic is rejected by the rule beneath it!

I don't have rules that restrict advertising, unless the lantowan_general or one of the categories in my web-policy includes advertising.

Three questions

1. Why is traffic that should be caught by the unrestricted rule dropping through

2. Where is the rule blocking advertising

3. How the heck do I resolve the issue to ensure android devices are able to update :) 

Rules

 

Unrestricted rule :-



This thread was automatically locked due to age.
Parents
  • +2

    Hi,

     

    I have found that the Android Play Store hasn't been updating apps for the last couple of days. And it turns out that I was using the "No Ads or Explicit Content" Policy (Web>>Policies) in my firewall rules for mobile devices. Disabling the Advertisements in this policy fixed this issue.

     

    I don't know if this will help you, but to work around this, I had to do the following:

    1) "Web>>Categories"

      a) I added a new category called GooglePlayStore with the following domains:

          dl-ssl.google.com

          dl-google.com

          play.google.com

          play.googleapis.com

          gvt1.com

      b) gvt1.com was the last straw that fixed the issue... I don't know if the others were necessary.

    2) "Web>>User Activities" I added an activity called GooglePlayStore and assigned the GooglePlayStore category.

    3) "Web>>Policies>>No Ads or Explicit Content" (This is the policy that I am using in my firewall rules).

      a) I added a new Rule (GooglePlayStore) and blocked it for HTTP, but enabled it for HTTPS.

      b) I reordered the categories and put GooglePlayStore before Advertisements, but after the others.

     

    Regards,

    William

     

     

     

     

  • 0 in reply to TorvaFirmus

      b) gvt1.com was the last straw that fixed the issue... I don't know if the others were necessary.

    William, first off, thank you for providing this information to the community. It saved me quite a bit of troubleshooting time. Just to expand on what was provided, the URL category lookup for the sites provided point to gvt1.com as the culprit if you are blocking "Advertisements" in your policy.

    However, I do not want to simply gloss over this and accept that adding an exception is the best course of action. One of two things have occurred around the usage of gvt1.com:

    1. The site truly is serving as an advertisement domain (though research seems to be mixed on that front)
    2. Sophos has incorrectly categorized this domain

    For the first option, not sure there is going to be much recourse as Google likely has an intended use for this domain and if it is in fact functioning as an advertisement gateway, then the category is correct. For the second option, and to confirm if the first option is true or false, is there a way to request that Sophos evaluate the categorization of this domain to either validate that it is correct and provide justification for why it was categorized this way or modify the category to something more appropriate?

    I have tried to find something online, but I am running XG for home, limiting my support options, and have not had to reach out to Sophos Support for years.

    Thank you.

Reply
  • 0 in reply to TorvaFirmus

      b) gvt1.com was the last straw that fixed the issue... I don't know if the others were necessary.

    William, first off, thank you for providing this information to the community. It saved me quite a bit of troubleshooting time. Just to expand on what was provided, the URL category lookup for the sites provided point to gvt1.com as the culprit if you are blocking "Advertisements" in your policy.

    However, I do not want to simply gloss over this and accept that adding an exception is the best course of action. One of two things have occurred around the usage of gvt1.com:

    1. The site truly is serving as an advertisement domain (though research seems to be mixed on that front)
    2. Sophos has incorrectly categorized this domain

    For the first option, not sure there is going to be much recourse as Google likely has an intended use for this domain and if it is in fact functioning as an advertisement gateway, then the category is correct. For the second option, and to confirm if the first option is true or false, is there a way to request that Sophos evaluate the categorization of this domain to either validate that it is correct and provide justification for why it was categorized this way or modify the category to something more appropriate?

    I have tried to find something online, but I am running XG for home, limiting my support options, and have not had to reach out to Sophos Support for years.

    Thank you.

Children
  • 0 in reply to Andrew Janke

    Andrew,

     

    Sorry, but there isn't much I can do to help. I am just a home user also. The full domain and subdomain that was being accessed included some non alpha characters wasn't accepted in the domain entry. So I just used the gvt1.com domain instead and it fixed my problem.

     

    Regards,

    William