
UTM 9 policy not blocking selected categories

Hello -

Recently I have been experiencing issues with my home policy not blocking the categories I chose (see screenshots). I have tried everything I know; I am still learning Sophos, but I am out of ideas.

Am I doing something wrong?

Respectfully,

Live Log: Web Filtering
2017:02:24-15:07:34 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="aptp_reload" file="aptpscanner.c" line="142" message="reloading ATP pattern"
2017:02:24-15:07:35 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="aptp_reload" file="aptpscanner.c" line="160" message="reloading ATP pattern finished"
2017:02:24-15:10:30 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="586" message="reloading config"
2017:02:24-15:10:30 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="540" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
2017:02:24-15:10:30 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3747" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
2017:02:24-15:10:30 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="642" message="reloading config done, new version 3894"
2017:02:24-15:21:32 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="586" message="reloading config"
2017:02:24-15:21:32 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="540" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
2017:02:24-15:21:32 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3747" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
2017:02:24-15:21:33 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="642" message="reloading config done, new version 3895"

confused person :)



  • Hi Tony,

    If the websites are hosted over HTTPS, then make sure Decrypt and Scan is selected in the filter policy. Alongside that, SSH to the UTM and restart httpproxy by running /var/mdw/scripts/httpproxy restart.

    If that doesn't help, show us a few log lines from http.log. You can find the log file in the /var/log directory.

    Thanks

  • There are only administrative actions logged within your web filter live log.

    I think your web proxy configuration is not correct.

    - Do you use proxy profiles?

    - Do you use transparent or standard mode?

    - Which networks are within the "allowed networks" list?

    Please post some screenshots of your proxy configuration.
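To check a saved copy of the web filter live log for the condition this reply describes (only administrative entries such as config and pattern reloads, no client requests passing through the proxy), here is an added Python example; it is not from the thread or from Sophos. The client-request sample line and its field names are constructed to mirror the key="value" layout of the UTM http.log and are an assumption, not a captured log.

```python
import re
from collections import Counter

# UTM httpproxy log lines are a timestamp/host/process head followed by key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# First three lines are taken from the thread; the last one is CONSTRUCTED to
# look like a proxied client request (request != "(nil)", carries srcip/url).
ADMIN_ONLY = [
    '2017:02:24-15:10:30 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="586" message="reloading config"',
    '2017:02:24-15:10:30 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="540" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"',
    '2017:02:24-15:10:30 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="642" message="reloading config done, new version 3894"',
]
CONSTRUCTED_CLIENT_LINE = (
    '2017:02:24-15:30:12 gonzo httpproxy[23534]: id="0001" severity="info" sys="SecureWeb" sub="http" '
    'name="http access" action="pass" method="GET" srcip="192.168.0.10" dstip="93.184.216.34" '
    'statuscode="200" request="0x1a2b3c4d" url="http://example.com/"'
)
WITH_CLIENT = ADMIN_ONLY + [CONSTRUCTED_CLIENT_LINE]

def parse_line(line):
    """Split one log line into its head ('<ts> <host> <proc>[pid]') and its key/value fields."""
    head, _, body = line.partition(': ')  # first ': ' ends the head; later colons sit inside values
    fields = dict(KV_RE.findall(body))
    fields["_head"] = head
    return fields

def is_admin_entry(fields):
    """Reload, ATP-pattern and confd messages carry request="(nil)": nothing a client sent."""
    return fields.get("request", "(nil)") == "(nil)"

def summarize(lines):
    """Count administrative vs. client-request entries and collect names the proxy failed to resolve."""
    counts = Counter()
    unresolved = set()
    for line in lines:
        if not line.strip():
            continue
        f = parse_line(line)
        counts["admin" if is_admin_entry(f) else "client"] += 1
        if f.get("function") == "parse_address":
            m = re.search(r'getaddrinfo: (\S+):', f.get("message", ""))
            if m:
                unresolved.add(m.group(1))
    return counts, unresolved

def proxy_sees_clients(lines):
    """True only if at least one entry originates from a client request, i.e. traffic reaches the proxy."""
    counts, _ = summarize(lines)
    return counts["client"] > 0

if __name__ == "__main__":
    counts, unresolved = summarize(ADMIN_ONLY)
    print(f"admin={counts['admin']} client={counts['client']} unresolved={sorted(unresolved)}")
    print("proxy handling client traffic:", proxy_sees_clients(ADMIN_ONLY))
```

A result of zero client entries over a period when browsers were active means requests are bypassing the proxy (e.g. via the firewall or the transparent-mode skiplist) rather than the policy failing to block them.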


  • Hello,

    Thanks for the reply, once I get home I will provide screenshots.

    I do use a proxy profile, just one.

    I use transparent mode.

    Only the internal network is allowed to use the proxy.

  • Hi Sachin-

    How do I restart httpproxy? I've never done this before; do you have instructions or a video I can follow?

  • Hi Tony,

    SSH to the UTM; refer to the guide here. Log in as root and execute the command I suggested in my previous post.

    Thanks

  • I think your HTTP traffic uses the packet filter but not the proxy.

    Do you have a router within your LAN?

    Possibly the allowed "Internal network" only means the subnet behind the internal interface, not all internal networks.

    Please post a screenshot of your interface definition and the "proxy allowed networks".

  • Hi

    Please see the attached screenshots. Not sure what you meant by "Interface Definitions", but I assumed you meant Network Definitions.

    Also, I included a network topology to give a better idea of how my network is set up. Everything is on the default VLAN, as I have yet to figure out how to wipe the existing users' credentials. A project for another day. Funny thing: the proxy filters the categories I blocked in the "Policy Test" section. It worked before the last couple of updates, and I know this because I haven't changed anything since then. I've never restarted my httpproxy service during the updates, if that helps. Not sure how to do it.

    Thanks

    tg

    House network.pdf

  • Hi,

    OK, looks good. The proxy (or the full system) is restarted by the update process if necessary.

    Take a look at the packet filter live log (firewall live log). You should not see packets to port 80 or 443 if web requests are handled by the web proxy.

    Also check Web Protection / Options / Misc / Transparent Mode Skiplist.

  • Hi

    I do see 443 traffic on the firewall log. Is that bad? It's traffic from my laptop. I'm basically out of ideas as to why my traffic is not filtered through my proxy. I've never restarted httpproxy, so I will have to wing it and try.

  • Yes ... that's bad. Traffic you see within the packet filter doesn't pass the proxy!

    Here is your problem ...

    Within the skiplist you configure (nearly) all traffic to NOT use the proxy.

    Using the skiplist is a rough way to work with proxy problems (you say: do NOT use the proxy).

    Within source hosts you can define internal hosts that should NOT use the proxy.

    Within destination hosts you define partners you wish to reach without the proxy (possibly the bank).

    But first you should try to configure exceptions for some functions within the proxy to correct proxy access problems.