http traffic geht an Web Protection vorbei

Hallo Roland,

(Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

I assume that it's not jut the live log, but that the log file also isn't being populated.  At the bottom of the 'Additional Options' tab of the applicable Filter Action, confirm that both accessed and blocked are being logged.  If the boxes were already checked, uncheck both and [Save].  Then edit the Filter Action again, check both boxes and [Save].

If you still aren't getting logs, go to the 'Exceptions' tab in 'Filtering Options' and search on pages to see if someone inadvertently created an Exception for logging.

If you've recently applied an Up2Date, try restoring the configuration backup made just before.  If that doesn't work, try a reboot.

Did anything in there work for you?

MfG - Bob (Bitte auf Deutsch weiterhin.)

BAlfson said:

Hallo Roland,

(Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

I assume that it's not jut the live log, but that the log file also isn't being populated.  At the bottom of the 'Additional Options' tab of the applicable Filter Action, confirm that both accessed and blocked are being logged.  If the boxes were already checked, uncheck both and [Save].  Then edit the Filter Action again, check both boxes and [Save].

If you still aren't getting logs, go to the 'Exceptions' tab in 'Filtering Options' and search on pages to see if someone inadvertently created an Exception for logging.

If you've recently applied an Up2Date, try restoring the configuration backup made just before.  If that doesn't work, try a reboot.

Did anything in there work for you?

MfG - Bob (Bitte auf Deutsch weiterhin.)

 

rschmid said:

 

BAlfson

Hallo Roland,

(Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

I assume that it's not jut the live log, but that the log file also isn't being populated.  At the bottom of the 'Additional Options' tab of the applicable Filter Action, confirm that both accessed and blocked are being logged.  If the boxes were already checked, uncheck both and [Save].  Then edit the Filter Action again, check both boxes and [Save].

If you still aren't getting logs, go to the 'Exceptions' tab in 'Filtering Options' and search on pages to see if someone inadvertently created an Exception for logging.

If you've recently applied an Up2Date, try restoring the configuration backup made just before.  If that doesn't work, try a reboot.

Did anything in there work for you?

MfG - Bob (Bitte auf Deutsch weiterhin.)

 

 

 

 

Hallo Bob,

 

danke für die Hinweise. Morgen überprüfe ich es.

Ich habe den Verdacht, dass http traffic über interface (e.g. eth0) raus geht und die Antwort über (e.g eth4) zurück kommt.

Wie lautet die syntax von tcpdump in der command line? 

 

Viele Grüße

Roland

 

Hi Bob,

accessed and blocked website is enabled (unchecked it and reselected and saved it to be on the safe side)
Logging was unchecked in my own 'Exceptions' in 'Filtering Options'. Is now enabled. Accessed und Blocked pages.

Yes, I recently applied an Up2Date. Yes I restored more than one older configuration backup with without any result.
Nothing changed regarding Web Protection

Yes, I enabled acccessed and blocked pages in my 'Exceptions'
What is really strange for me that I do not see any http traffic logged in 'Web Filtering Access live log. Only https traffic is logged.

Kind regards,
Roland

loginuser@astaro:/home/login > sudo /etc/init.d/postgresql rebuild

Rebuilding PostgreSQL database, all reporting data will be lost!
Enter "yes" to continue...
yes
:: Stopping PostgreSQL                                               done
:: Initializing the PostgreSQL database                              done
:: Starting PostgreSQL                                               done
no schema upgrades found
:: Restarting SMTP Proxy
:: Stopping SMTP Proxy
[ ok ]
:: Starting SMTP Proxy
[ ok ]
[ ok ]
loginuser@astaro:/home/login >

is above command still valid command for our UTM9 to rebuild its database?

Kind regards,Roland

The command has changed, Roland, but it has ZERO effect on logging.  Are you also having problems with Reporting?

MfG - Bob (Bitte auf Deutsch weiterhin.)

BAlfson said:

The command has changed, Roland, but it has ZERO effect on logging.  Are you also having problems with Reporting?

no I do not have problems with Reporting. My problem is Web Protection/Web Filtering.
In Web Filtering => Global I have my list of networks which are allowed to use my Default Web Filter Profile. Default Web Filter Profile is the only that exists.
For our 2 LAN networks Web Filtering does not work. For example, when I open a website like http://www.website.com this website is blocked. But it is not blocked by Web Filtering Profile.
Even if I delete both LAN networks from the list of allowed networks I cannot open http://www.website.com.
Only for my both wifi networks Web Filtering works as expected.

BAlfson said:

The command has changed, Roland, but it has ZERO effect on logging.  Are you also having problems with Reporting?

no I do not have problems with Reporting. My problem is Web Protection/Web Filtering.
In Web Filtering => Global I have my list of networks which are allowed to use my Default Web Filter Profile. Default Web Filter Profile is the only that exists.
For our 2 LAN networks Web Filtering does not work. For example, when I open a website like http://www.website.com this website is blocked. But it is not blocked by Web Filtering Profile.
Even if I delete both LAN networks from the list of allowed networks I cannot open http://www.website.com.
Only for my both wifi networks Web Filtering works as expected.

Hallo,

verbirgt sich hinter den Interface-Definitionen der Internen Netzwerke sicher auch das Subnetz, aus welchen die Traffic kommt?

... oder existieren dahinter weitere geroutete netze?

Evtl. passt die Definition der erlaubten Netze nicht ganz...

Bitte mal im Firewall-live-Log prüfen, ob dort die geblockte Traffic zu sehen ist.

Hallo,

in den Interface-Definitionen kann ich keinen Fehler erkennen. Nein, es existieren keine dahinter weitere gerouteten Netzwerke.

Im Firewall-Live Log sehe ich (neben vielen anderen Events) den DNS request UPD Port 53,

Der DNS-Server im ADDS löst den FQDN auf. Die geblockte Website sehe ich nicht.

In irgendeinem Log muss doch die geblockte Website auftauchen.

Viele Grüße
Roland

wenn ich im Policy Helpdesk meine geblockete Website eintippe, erhalten ich einen seltsamen Fehler:

mir fällt gerade noch seltames auf:
erlaube ich meine geblockete Website in meiner Kategorie oder in einer Ausnahme und teste die URL mit dem Policy Test Tool stimmt das Ergebnis mit den Einstellungen überein.
Versuche ich nun besagte Website im browser (IE 11) zu öffnen, wird sie geblockt, obwohl sie erlaubt ist.
Verstehe nicht was quer läuft...

es kommt keine Blockpage, habe ich das richtig verstanden?

... oder falls doch, was steht dort drauf?

dirkkotte said:

es kommt keine Blockpage, habe ich das richtig verstanden?

doch es kommt eine Blockpage, obwohl der Policy Tester "allowed" sagt.

Außer vom Standardprofil abweichende Einstellungen in den "Webfilter Profilen" oder den "Exceptions" kann ich mir eigentlich nichts mehr vorstellen.

Ich würde u.U. mal draufschauen...bin aber grad unterwegs.

Hast Du im Policy Tester auch die richtige Quell-IP des Clients eingegeben? Nicht das irgendein anderes Web Protection Profil zuschlägt, und Du an einem anderem Profil die Einstellungen bearbeitest? Ggf. rutscht er auch durch bis zum Default Profil was ja alles sperrt.

Jas Man said:

Hast Du im Policy Tester auch die richtige Quell-IP des Clients eingegeben? Nicht das irgendein anderes Web Protection Profil zuschlägt, und Du an einem anderem Profil die Einstellungen bearbeitest? Ggf. rutscht er auch durch bis zum Default Profil was ja alles sperrt.

 

Es muss die IP Adresse des Clients sein, der geblockt wird/das Problem hat. Ansonsten liefert der Test falsche Ergebnisse.

Wenn der WiFi Client das Problem hat, dann sollte das passen.

Jas Man said:

Es muss die IP Adresse des Clients sein, der geblockt wird/das Problem hat. Ansonsten liefert der Test falsche Ergebnisse.

Wenn der WiFi Client das Problem hat, dann sollte das passen.