
UTM 9 policy not blocking selected categories

Hello -

Recently I have been experiencing issues with my home policy not blocking the categories I chose (see screenshots). I have tried everything I know; I am still learning Sophos, but I am out of ideas.

Am I doing something wrong?

Respectfully,

Live Log: Web Filtering
2017:02:24-15:07:34 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="aptp_reload" file="aptpscanner.c" line="142" message="reloading ATP pattern"
2017:02:24-15:07:35 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="aptp_reload" file="aptpscanner.c" line="160" message="reloading ATP pattern finished"
2017:02:24-15:10:30 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="586" message="reloading config"
2017:02:24-15:10:30 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="540" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
2017:02:24-15:10:30 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3747" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
2017:02:24-15:10:30 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="642" message="reloading config done, new version 3894"
2017:02:24-15:21:32 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="586" message="reloading config"
2017:02:24-15:21:32 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="540" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
2017:02:24-15:21:32 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3747" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
2017:02:24-15:21:33 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="642" message="reloading config done, new version 3895"

confused person :)



  • There are only administrative actions logged within your web filter live log.

    I think your web proxy configuration is not correct.

    - do you use proxy-profiles?

    - do you use transparent or standard mode?

    - which networks are within the "allowed networks" list?

    Post some screenshots from your proxy configuration please.

  • Hello,

    Thanks for the reply, once I get home I will provide screenshots.

    I do use a proxy profile - I just have one.

    I use transparent mode.

    Only the internal network is allowed to use the proxy.

  • Hi,

    OK, looks good. The proxy (or the full system) is restarted by the update process if necessary.

    Take a look at the packet-filter live log (firewall live log). You should not see packets to port 80 or 443 if web requests are handled by the web proxy.

    Also check Web Protection / Options / Misc / Transparent Mode Skiplist.

  • Hi

    I do see 443 traffic on the firewall log. Is that bad? It's traffic from my laptop. I'm basically out of ideas as to why my traffic is not filtered through my proxy. I've never restarted httpproxy, so I will have to wing it and try.

  • Yes ... that's bad. Traffic you see within the packet filter doesn't pass the proxy!

    Here is your problem ...

    Within the skiplist you configure (nearly) all traffic to NOT use the proxy.

    Using the skiplist is a rough way to work around proxy problems (you say: do NOT use the proxy).

    Within source hosts you can define internal hosts that should NOT use the proxy.

    Within destination hosts you define partners you wish to reach without the proxy (possibly the bank).

    But first you should try to configure exceptions for some functions within the proxy to correct proxy access problems.

  • Hi, Tony, and welcome to the UTM Community!

    First, confirm that you have selected either 'URL filtering only' or 'Decrypt and scan' on the 'HTTPS' tab of 'Web Filtering'.  On the 'Policies' tab, open the 'Filter Action' and go to the 'Additional Options' tab.  At the bottom of that, confirm that you have selected both 'Log accessed pages' and 'Log blocked pages'.  To restart the Proxy, disable and then re-enable 'Web filtering status' on the 'Global' tab.

    Now, open the Web Filtering Live Log, wait for it to show a few lines and then test your access and blocking.

    Cheers - Bob
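The two hints above (the first reply: the live log shows only administrative actions; Bob: enable access/block logging, then watch the live log while testing) can be applied mechanically to the log format quoted in the question. The following is an added example, not code from the thread or from Sophos: it parses the key="value" records, separates proxy-internal events (request="(nil)") from client requests, and tells "no traffic reached the proxy" apart from "traffic seen but nothing blocked". The field names in the constructed request record are an assumption that approximates the UTM "http access" format.

```python
import re
# UTM httpproxy live-log line: "<ts> <host> httpproxy[<pid>]: key="value" key="value" ..."
LINE_RE = re.compile(r'^\S+\s+\S+\s+httpproxy\[\d+\]:\s+(.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Lines quoted in the question above; request="(nil)" marks proxy-internal events.
THREAD_LOG = """\
2017:02:24-15:07:34 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="aptp_reload" file="aptpscanner.c" line="142" message="reloading ATP pattern"
2017:02:24-15:10:30 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3747" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
2017:02:24-15:21:32 gonzo httpproxy[23534]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3747" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
"""

# Constructed sample of a client request record, as the proxy would log once traffic
# actually reaches it (field names are an assumption approximating "http access").
CONSTRUCTED_REQUEST = (
    '2017:02:24-15:30:01 gonzo httpproxy[23534]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="block" method="GET" srcip="192.0.2.20" '
    'request="0x1a2b3c" url="http://example.invalid/" categoryname="Gambling"\n'
)

def parse_line(line):
    """Return the key/value fields of one live-log line, or None if it is not one."""
    m = LINE_RE.match(line)
    return dict(KV_RE.findall(m.group(1))) if m else None

def summarize(text):
    """Count client requests vs. administrative events and collect unresolved hostnames."""
    s = {"requests": 0, "blocked": 0, "admin": 0, "unresolved": set()}
    for f in filter(None, map(parse_line, text.splitlines())):
        if f.get("request", "(nil)") == "(nil)":       # no client request attached
            s["admin"] += 1
            m = re.match(r"failed to resolve (\S+),", f.get("message", ""))
            if m:
                s["unresolved"].add(m.group(1))
        else:
            s["requests"] += 1
            if f.get("action") == "block":
                s["blocked"] += 1
    return s

def diagnosis(s):
    """'no-traffic': nothing reached the proxy (check allowed networks, transparent-mode
    skiplist, packet-filter live log); 'no-blocks': requests seen but none blocked
    (check the filter action and HTTPS mode); 'filtering': the policy is enforced."""
    if s["requests"] == 0:
        return "no-traffic"
    if s["blocked"] == 0:
        return "no-blocks"
    return "filtering"
```

Run against the quoted log alone the result is "no-traffic", which matches the first reply's observation; appending the constructed request record flips it to "filtering".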

  • Awesome, thanks Bob, I'll try this later today and report back. Appreciate the assistance, and thanks again.

    Tony

  • Hi BAlfson,

    Hello - 

    Followed your steps, but unfortunately the issue persists. The categories I have selected to block are not being blocked by the proxy. However, in the Policy Helpdesk it works - I'm lost for ideas, but thank you for your suggestion.

    tony 

  • Hi Tony,

    Do you still see the http(s) traffic within the packet filter?

    Did you read my last post?

    I think your traffic doesn't pass the web security because of the transparent-proxy skiplist.

    Try to remove the source host entries from "Transparent Mode Skiplist".

    Hosts listed here don't use the proxy function but the packet filter.

  • Tried it, still doesn't work.

  • Tony, if this is a free home-use license, I think you should take some backups off the UTM and re-install from ISO.  If it's a paid license, it's time to get Sophos Support involved.

    Cheers - Bob

  • Yes, removed the internal network from the transparent mode source, and the proxy still doesn't block selected categories.