
Transparent Proxy doesn't work properly. Please help me...

My ASG is running v7.305, and I configured the transparent proxy for internal web access.
A month ago my boss said "No one could access facebook". So I added the URL manually in the "Additional URLs/sites to block", using a regex. And it worked... When I looked at the live log, facebook was blocked completely.

But now ALL the PCs and notebooks can access facebook.
I checked all my configuration, and it hasn't changed at all. I looked into the HTTP live log and, surprisingly, access to facebook all passed. I restarted the httpproxy using the CLI but the result is still the same.
The other problem is that the live log does not show the "category" and "categoryname", and I don't even know why.

I'm totally confused by these issues. Does anyone have experience with this?
I need advice, please.


This thread was automatically locked due to age.
  • Please show relevant lines from the Content Filter (HTTP) log.

    Cheers  - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Please show relevant lines from the Content Filter (HTTP) log.

    Cheers  - Bob


    I copied the live log today and the results are...
    (There's no category or categoryname for ANY site, and they have full access to the facebook site)

    2009:05:05-18:52:41 (none) httpproxy[4003]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="191.168.10.6" user="" statuscode="301" cached="0" profile="profile_0" filteraction="action_REF_AvmHXHSRIh" size="0" time="1165 ms" request="0x821dcc8" url="Anmelden | Facebook" error="" content-type="text/html"

    2009:05:05-18:52:46 (none) httpproxy[4003]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="191.168.10.1" user="" statuscode="200" cached="0" profile="profile_0" filteraction="action_REF_AvmHXHSRIh" size="10396" time="5256 ms" request="0x821dcc8" url="Anmelden | Facebook" error="" content-type="text/html"

    2009:05:05-18:52:47 (none) httpproxy[4003]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="191.168.10.118" user="" statuscode="301" cached="0" profile="profile_0" filteraction="action_REF_AvmHXHSRIh" size="0" time="1018 ms" request="0x8257588" url="Windy Agni Marisa - France | Facebook" error="" content-type="text/html"

    2009:05:05-18:56:21 (none) httpproxy[4003]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="191.168.10.128" user="" statuscode="200" cached="0" profile="profile_0" filteraction="action_REF_AvmHXHSRIh" size="209" time="915 ms" request="0x825a5c8" url="http://tools.google.com/service/update2" error="" content-type="text/xml"

    2009:05:05-18:56:36 (none) httpproxy[4003]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="191.168.10.2" user="" statuscode="200" cached="0" profile="profile_0" filteraction="action_REF_AvmHXHSRIh" size="5326" time="306 ms" request="0x8261a38" url="http://sin.stb.s-msn.com/i/C5/863715DA364C93CCF4A2F6539424.jpg" error="" content-type="image/jpeg"



    Here's the regex that I used to block facebook:

    ((ftp|https?)://([-\w.]+)?(\w*:\w*@)?\w*.?)?facebook([-\w.]+)?(:(\d+))?(/([\w/_.]*(\?\S+)?)?)?
    ((ftp|https?)://([-\w.]+)?(\w*:\w*@)?\w*.?)?friendster([-\w.]+)?(:(\d+))?(/([\w/_.]*(\?\S+)?)?)?

    Help me on this...
  • OK, well you showed us the lines you noticed, but not the raw data.  If you want us to help you find the error, you can't be showing us the justifications for your confusion... let us make our own mistakes!

    Cheers - Bob
     
  • I captured the HTTP live log and the HTTP configuration.
    What's your next suggestion?
    logfile.zip
  • *Instead of w w w .facebook.com try just facebook.com

    Like me, I think there are a lot of folks who aren't very good with regular expressions, so, apparently sometime after V6, Astaro doesn't insist on them here and will also do a pattern match, so, for example, .ro will block sites in Romania and http:// w w w .rosebowl.com/.

    Still, the fact that a URL with w w w .facebook.com passed indicates a different problem.  I notice that every URL passed with the same filter action, and I'm going to guess that it's the one set up on the HTTP/S tab instead of the 'Strict' Filter Action in the picture you included.  Please show pictures of the Edit for the relevant Filter Assignment and Profile.

    Cheers - Bob
    * Excuse the extra spaces; I used them to prevent the editor from turning them into URLs as in post #4 above.
     
  • Here's the HTTP Profile from the ASG.
    I changed the filter action also but still the same.
    Have any idea?
    httpprofile.zip
  • My guess is that you can turn that profile off and that you will see the same thing happen in the Live Log because the filter action is the one in HTTP/S instead of the one you created in Profiles.  That would mean the Astaro isn't seeing traffic from IPs it has in the Profile definition.  Try creating a host with just the IP of your workstation, and put it into the Profile instead of 'Internal (Network)'; if that works, then you know that everything else is correct.
     
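The check discussed in the last replies (does every request hit the same filter action, and which blocked sites still show action="pass"?) can be run over an exported Content Filter log. The script below is an added example, not part of the thread or any Astaro/Sophos tooling; the sample lines, the 192.0.2.x addresses, the second filter action name and the category values are constructed, and the blocked-site test is a plain substring match rather than the poster's regex.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" layout of the log excerpts above.
SAMPLE_LOG = '''\
2009:05:05-18:52:41 (none) httpproxy[4003]: id="0001" name="http access" action="pass" method="GET" srcip="192.0.2.6" profile="profile_0" filteraction="action_REF_AvmHXHSRIh" url="http://www.facebook.com/home.php" content-type="text/html"
2009:05:05-18:56:21 (none) httpproxy[4003]: id="0001" name="http access" action="pass" method="POST" srcip="192.0.2.128" profile="profile_0" filteraction="action_REF_AvmHXHSRIh" url="http://tools.google.com/service/update2" content-type="text/xml"
2009:05:05-18:57:02 (none) httpproxy[4003]: id="0001" name="http access" action="pass" method="GET" srcip="192.0.2.118" profile="profile_0" filteraction="action_REF_AvmHXHSRIh" url="http://www.friendster.com/" content-type="text/html"
2009:05:05-18:58:10 (none) httpproxy[4003]: id="0001" name="http access" action="pass" method="GET" srcip="192.0.2.2" profile="profile_0" filteraction="action_REF_ConstructedStrict" category="105" categoryname="Constructed" url="http://www.example.com/" content-type="text/html"
'''

FIELD_RE = re.compile(r'(\w[\w-]*)="([^"]*)"')   # key="value" pairs
BLOCKED_TERMS = ("facebook", "friendster")        # the two sites named in the thread


def parse_line(line):
    """Turn one httpproxy log line into a dict of its key="value" fields."""
    return dict(FIELD_RE.findall(line))


def audit(log_text, blocked_terms=BLOCKED_TERMS):
    """Summarise which filter actions handled traffic and what slipped through."""
    leaks = []                  # (srcip, filteraction, url) passed despite the blocklist
    filter_actions = Counter()  # (profile, filteraction) -> number of requests
    uncategorised = 0           # access lines lacking category/categoryname fields
    for line in log_text.splitlines():
        if "httpproxy[" not in line:
            continue
        rec = parse_line(line)
        if rec.get("name") != "http access":
            continue
        filter_actions[(rec.get("profile"), rec.get("filteraction"))] += 1
        if "category" not in rec or "categoryname" not in rec:
            uncategorised += 1
        url = rec.get("url", "")
        if rec.get("action") == "pass" and any(t in url.lower() for t in blocked_terms):
            leaks.append((rec.get("srcip"), rec.get("filteraction"), url))
    return {"leaks": leaks, "filter_actions": filter_actions,
            "uncategorised": uncategorised}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for (profile, action), count in report["filter_actions"].items():
        print(f"{profile} / {action}: {count} requests")
    for srcip, action, url in report["leaks"]:
        print(f"PASSED despite blocklist: {srcip} via {action} -> {url}")
    print(f"access lines without category fields: {report['uncategorised']}")
```

If every leaked request carries the same filteraction value and that value is not the one attached to the profile holding the blocklist, the traffic is being matched by a different filter assignment than intended.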