users cannot connect to the database through Sophos policy then we have to remove them and recreate them again in the group then they start working.

Hello, Nabi, and welcome to the UTM Community!

What version are you using - 9.353?  Please consult #1 in Rulz and show a line representative of these blocks.  Where is the group that you delete and re-add members - in Active Directory?  Which "Sophos Policy" do you suspect is causeing the problem?

Cheers - Bob

Hello Sir.

Thank you for promote reply.
My Sophos UTM Model is : SG310 and we use it about one Years without any issue with haigh speed and best performance and our all head office 250 Clint PCs are connected via Sophos and we set Sophos as gateway every thing was normal .but unfortunately after restarting Sophos we face to this issue and some user unable to work in tow group for example : we have to Group one group name is oracal Flex Cube Group .. in this group all user have only local access and this group user can transaction ... and also we have Internet Users Group in this group all users can access internet ....before about one years there was no issue but now some user can not work in tow group ..if i add user to Oracal Flex Cube User then my user will not able to access internet ...... and when i add user to Internet Users group then my user will not able to access Oracal Flex Cube ..

Sincerely Yours
-------------------------------------------
Nabi Mohmand
Senior IT Infrastructure Officer
Afghan United Bank
Head Office,Kabul,Afghanistan
Office: +93 (0) 202203834-8
Mobile: +93 (0) 782 148 285

Please have below Detail about My Sophos UTM .
Firmware version:9.352-6
Pattern version: 95001
Sophos Model is :SG310

First, I want to suggest that you Up2Date to 9.353 at your earliest convenience.

Please click on 'Use rich formatting' and insert pictures of the edit of these two groups. Also, pictures of the Web Filtering Policies for these groups open in edit.

Cheers - Bob

Dear Sir,

as you advised me  i update my Sophos to 9.353 and also as you request both group screenshot . please have as below .

I think I see this now. Instead of having both Network Groups together in the Default Webfilter Profile, make a separate Web Filtering Profile and a separate Filter Action for each group. Each user (IP address) only can be in one group, so you may need to make more groups, Profiles and Filter Actions.

If the Firewall rule for the Flex-Cube group is different from the other two rules, please insert a picture of it.

Cheers - Bob

Dear sir,

I only add to group in web protection policy  one is  Internet access Group and the other one is IT Group IT group is allowd  from any to  any and  internet access group is allowed   from any to web browser  .but when i add user to both group issue is the same  ..

and also Flex Cure users  is allow from Flex cube use to web browsers as below and also flex cube user have only local access in local network as below .

".but when i add user to both group issue is the same .."

You cannot have the same IP in two groups in Web Filtering. Please show a line from the log file where a user was blocked that should not have been.

Cheers - Bob

".but when i add user to both group issue is the same .."

You cannot have the same IP in two groups in Web Filtering. Please show a line from the log file where a user was blocked that should not have been.

Cheers - Bob

Dear sir,

I Search in Log & Reports but i can not find the Logs File, so Please can you tell me from where i can find Log files .and if you want team Viewer access i will give the user and Password then you can check it .
Note: after up2Date Sophos to 9.353 and change the group still issue not solved .

Rather than dig through the log for something that happened in the last days, open the Web Filtering Live Log. Activate it at the bottom of the 'Global' tab in 'Web Filtering'. Give it a moment to initialize and then try your access. Please let us know your result.

Cheers - Bob

 Dear Sir

 Thank you Very  Much for supporting  and as you advised , i able to find   web filter logs as below   Internet access logs and Flex Cube Logs ,

Below Logs Releated to User When Access Internet:

2016:02:13-09:22:24 aubsophos01 httpproxy[5710]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access"
action="pass" method="GET" srcip="10.1.3.107" dstip="52.48.231.219" user="" ad_domain="" statuscode="302" cached="0"
profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAllowExe (IT Policy)" size="0"
request="0xddbe4000" url="ssc.api.bbc.com/
d9c1b7b9a45a&c2=18897612&ns_type=view&ns_site=bbc-global-
test&c1=2&b_vs_un=ws&b_imp_src=ws&b_imp_ver=1.0.0.0&name=pashto&b_vs_ls=pashto&b_synd_partner=bbc%7Crd
%7Cgroup0&b_site_section=homepage&b_page_type=IDX%7Cna&c8=%DA%A9%D9%88%D8%B1%D9%BE%D8%A7%DA%BC%D9%87+-+BBC
+Pashto&b_app_type=web&b_app_name=news
%7Cweb&b_article_id=16100193&b_article_date=1268147133&b_article_update=1455301472&b_ad_enabled=1&c7=http%3A%2F%2Fwww.bbc.com
%2Fpashto&b_c7=%2Fpashto&ns" referer="http://www.bbc.com/pashto" error="" authtime="0" dnstime="0" cattime="142" avscantime="0"
fullreqtime="309574" device="0" auth="0" ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET
CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)" exceptions="" category="141"
reputation="trusted" categoryname="Portal Sites"

Below Logs Replated to User When Access Flex Cube:

2016:02:13-09:22:57 aubsophos01 httpproxy[5710]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access"
action="pass" method="GET" srcip="10.1.3.107" dstip="172.16.254.5" user="" ad_domain="" statuscode="200" cached="4"
profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAllowExe (IT Policy)" size="20391"
request="0xa8c9800" url="172.16.254.5/.../TaskTbls.xsl"
referer="172.16.254.5/.../SMMDIFRM.jsp error="" authtime="0" dnstime="0" cattime="142" avscantime="8011"
fullreqtime="15387" device="0" auth="0" ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET
CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)" exceptions="" category="9998"
reputation="unverified" categoryname="Uncategorized" content-type="text/html"

let me make sure i understood this correctly:

you have 2 user groups; 1 group can access the database but not in the internet, 1 group can access the database AND the internet?

and the problem is that once you want to allow both database AND internet than nothing can be accessed?

Why even use Web Protection for the Database Access? 

Feel free to send me a PM with a skype or messenger contact, can have a look with Teamviewer. We use a simillar setup at my work place but not with two usersgroups in the webfilter.

Thank you Very Much & You can Contact with me as my below Skype & Viber ID, then i will give you TV User name and password then u can check my Sophos UTM Issue ,

Skype: nabimohmand
Viber:+93782148285

Note: My working time  is from 08:00 am up to 03:00 pm

regards

Thank you very much Mr. Ben ,my issue now solved we are highly appreciated.

you are welcome :-) remember, anything that goes over http/https will pass through the webfilter if activated for a group.