Guest User!

You are not Sophos Staff.

Thread Info
  • Replies 0 replies
  • Subscribers 25 subscribers
  • Views 12528 views
  • Users 0 members are here
Options
Suggested

Sophos Firewall: How to troubleshoot "Website is Blocked/ Can't access a website" issue

Jaydeep

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This article provides some of the basic steps an XG administrator can take while troubleshooting an issue related to a Website being blocked or partially blocked.

Error Codes

It is really important to identify why a Website was blocked (completely or partially). If you receive an http error code, that helps to understand what went wrong. I've listed some of the most common Client and Server error codes. The 4xx error codes mean that client request contained bad syntax or cannot be fulfilled due to the invalid or improper request. The 5xx error code means that the server failed to fulfill an apparently valid request.

4×× Client Error

  • 400 Bad Request
  • 401 Unauthorized
  • 403 Forbidden
  • 404 Not Found
  • 405 Method Not Allowed
  • 406 Not Acceptable
  • 407 Proxy Authentication Required
  • 408 Request Timeout
  • 409 Conflict
  • 414 Request-URI Too Long
  • 415 Unsupported Media Type
  • 416 Requested Range Not Satisfiable
  • 417 Expectation Failed
  • 429 Too Many Requests
  • 431 Request Header Fields Too Large
  • 444 Connection Closed Without Response

5×× Server Error

  • 500 Internal Server Error
  • 501 Not Implemented
  • 502 Bad Gateway
  • 503 Service Unavailable
  • 504 Gateway Timeout
  • 505 HTTP Version Not Supported
  • 511 Network Authentication Required
  • 599 Network Connect Timeout Error

Troubleshooting 

First thing you should identify is if the Web Filtering is applied to the firewall rule which allows/processes the traffic. You should be able to identify the Firewall rule by following this KBA Sophos XG Firewall: How to monitor traffic using packet capture utility in the GUI. Once the firewall rule is identified, please check if a WebFilter policy is applied or not.

a> If a Web Filter policy is not applied, you should try to open the website from SSH of the XG. You can use a curl or wget command.

i.e. wget --no-check-certificate https://www.sophos.com  or curl -v https://www.sophos.com

  • If the connection was successful, it means that there's no issue from the ISP while connecting the website.
    1. You should check the drop-packet-capture using this KBA Sophos XG Firewall: How to monitor dropped packets using CLI and find why it is being dropped.
      In the Advanced Shell of Sophos XG, you could type drppkt host <hostname or ip-address-of-website> and port <web-site-port>for example, drppkt host sophos.com and port 443

    2. Check for any value in drop-packet-capture which might indicate an issue with the traffic.

    3. If none of the above help, please post the error screenshot and details on XG Firewall community forum or if you have a valid support license, create a case with Sophos Support.

  • If the connection was not successful, it might be from ISP or upstream network devices as connection from SSH are unfiltered and attempted from active WAN port of the XG. Try changing the active Internet gateway of the XG if it's feasible and see if the issue still persists.

b> If a Web Filter policy is applied, please check if the Web Policy is configured to allow or block the request. Please refer to this KBA Sophos XG Firewall : How to use the Policy Test tool.

  • If it is shown as allowed in Policy test tool, follow these steps:
    1. Check the drop-packet-capture for the traffic and find why it is being dropped.

    2. Check for any value in drop-packet-capture which might indicate an issue with the traffic.

    3. Do a TCPDUMP and see for any connection error from the webserver.

    4. If none of the above help, please post the error screenshot and details on XG Firewall community forum or if you have a valid support license, create a case with Sophos Support.

  • If it shows as Not Allowed or Blocked, please allow the Website in the Web Filter policy or create an exception for the specific user/IP to allow the access of the Website.

For Feedback and Feature Requests. Kindly Contact your Account Manager or Sales Representative, for documentation requests/suggestions please use the following link: https://community.sophos.com/community-chat/f/user-assistance-feedback



Updated Disclaimer
[edited by: Erick Jan at 1:58 PM (GMT -7) on 17 Apr 2023]
Unfiltered HTML