Problems with blocked PDF documents on websites

Hi!
I hope this is the correct sub for this question, and I'm new here.
I work as local IT-support and we have a Sophos ASG320 with UTM 9.2 as our firewall. The firewall is configured by our owners with a rather strict proxy policy.

We have a problem which I can't identify. One of our users is trying to print package labels from a website, but the firewall somehow blocks the documents from showing up on the website (works fine outside our network on the same computer), and I can't find anything that is blocked in the firewall log or web filter log. Am I looking at the wrong logs? Can anyone help me with this?

 

// Niklars


This thread was automatically locked due to age.
  • Hi, Niklars, and welcome to the User BB!

    Any luck with #1 in Rulz?

    Cheers - Bob
  • Probably the IPS...

    see https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/41225 for some rules known to have false positives, including PDFs.

    Barry
  • Thanks for both of your answers. 
    I have double-checked the IPS log, Application Control and Firewall logs now. None of them are reporting anything when I try to access the documents. The webpage just pops up blank.
  • Niklars, in case there might be something in the Web Filtering log, show us the lines where he brings up this page.  Start the Web Filtering Live Log, enter the person's IP in the Filter field and hit Enter - now only his accesses will appear.

    Cheers - Bob
  • Hi there,

    I had a similar problem with an application that sends emails to a printer. I also didn't see any log entry.

    The problem was the transparent SMTP proxy. After I disabled the transparent SMTP scanning, the problem was gone.

    Maybe this web application also sends prints as email to a printer.

    Regards
    mod
  • Documents are not sent to printer directly. A new page with PDF is supposed to open. Works outside firewall.
    Here is the part from the Live Log.
    I have tried with both IE 11 and Firefox 31.

    2014:09:03-08:12:17 dnsloc040sekv-1 httpproxy[2349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="192.168.40.152" dstip="80.76.152.94" user="AD\sqsenil" statuscode="200" cached="0" profile="REF_HttProTestAdauth (AD-Authentication)" filteraction="REF_ACC_GBL_461feaff436e49e4adb8ffaf531891479147 (310_Web_AL)" size="1541" request="0x259587d8" url="www.dsv-e-services.com/.../print.action
    2014:09:03-08:12:18 dnsloc040sekv-1 httpproxy[2349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.40.152" dstip="80.76.152.94" user="AD\sqsenil" statuscode="200" cached="0" profile="REF_HttProTestAdauth (AD-Authentication)" filteraction="REF_ACC_GBL_461feaff436e49e4adb8ffaf531891479147 (310_Web_AL)" size="27514" request="0x259587d8" url="www.dsv-e-services.com/.../jquery-ui.css
    2014:09:03-08:12:18 dnsloc040sekv-1 httpproxy[2349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.40.152" dstip="80.76.152.94" user="AD\sqsenil" statuscode="304" cached="0" profile="REF_HttProTestAdauth (AD-Authentication)" filteraction="REF_ACC_GBL_461feaff436e49e4adb8ffaf531891479147 (310_Web_AL)" size="0" request="0xcfcf1d8" url="www.dsv-e-services.com/.../default.css
    2014:09:03-08:12:18 dnsloc040sekv-1 httpproxy[2349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.40.152" dstip="80.76.152.94" user="AD\sqsenil" statuscode="304" cached="0" profile="REF_HttProTestAdauth (AD-Authentication)" filteraction="REF_ACC_GBL_461feaff436e49e4adb8ffaf531891479147 (310_Web_AL)" size="0" request="0x331c1248" url="www.dsv-e-services.com/.../PrintJob.js
    2014:09:03-08:12:18 dnsloc040sekv-1 httpproxy[2349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.40.152" dstip="80.76.152.94" user="AD\sqsenil" statuscode="304" cached="0" profile="REF_HttProTestAdauth (AD-Authentication)" filteraction="REF_ACC_GBL_461feaff436e49e4adb8ffaf531891479147 (310_Web_AL)" size="0" request="0xd901400" url="www.dsv-e-services.com/.../prototype.js
    2014:09:03-08:12:18 dnsloc040sekv-1 httpproxy[2349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.40.152" dstip="80.76.152.94" user="AD\sqsenil" statuscode="304" cached="0" profile="REF_HttProTestAdauth (AD-Authentication)" filteraction="REF_ACC_GBL_461feaff436e49e4adb8ffaf531891479147 (310_Web_AL)" size="0" request="0xcfce098" url="www.dsv-e-services.com/.../buttons.js
    2014:09:03-08:12:18 dnsloc040sekv-1 httpproxy[2349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.40.152" dstip="80.76.152.94" user="AD\sqsenil" statuscode="304" cached="0" profile="REF_HttProTestAdauth (AD-Authentication)" filteraction="REF_ACC_GBL_461feaff436e49e4adb8ffaf531891479147 (310_Web_AL)" size="0" request="0x207c57c0" url="www.dsv-e-services.com/.../jquery.min.js
    2014:09:03-08:12:18 dnsloc040sekv-1 httpproxy[2349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.40.152" dstip="80.76.152.94" user="AD\sqsenil" statuscode="304" cached="0" profile="REF_HttProTestAdauth (AD-Authentication)" filteraction="REF_ACC_GBL_461feaff436e49e4adb8ffaf531891479147 (310_Web_AL)" size="0" request="0x3dca14c0" url="www.dsv-e-services.com/.../jquery-ui.min.js
    2014:09:03-08:12:18 dnsloc040sekv-1 httpproxy[2349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.40.152" dstip="80.76.152.94" user="AD\sqsenil" statuscode="304" cached="0" profile="REF_HttProTestAdauth (AD-Authentication)" filteraction="REF_ACC_GBL_461feaff436e49e4adb8ffaf531891479147 (310_Web_AL)" size="0" request="0x20494480" url="www.dsv-e-services.com/.../formtagger.js
    2014:09:03-08:12:18 dnsloc040sekv-1 httpproxy[2349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.40.152" dstip="80.76.152.94" user="AD\sqsenil" statuscode="200" cached="0" profile="REF_HttProTestAdauth (AD-Authentication)" filteraction="REF_ACC_GBL_461feaff436e49e4adb8ffaf531891479147 (310_Web_AL)" size="1902" request="0x86512b0" url="www.dsv-e-services.com/.../toolTip.js
    2014:09:03-08:12:18 dnsloc040sekv-1 httpproxy[2349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.40.152" dstip="80.76.152.94" user="AD\sqsenil" statuscode="304" cached="0" profile="REF_HttProTestAdauth (AD-Authentication)" filteraction="REF_ACC_GBL_461feaff436e49e4adb8ffaf531891479147 (310_Web_AL)" size="0" request="0xd13ad58" url="www.dsv-e-services.com/.../tools.js
    2014:09:03-08:12:18 dnsloc040sekv-1 httpproxy[2349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.40.152" dstip="80.76.152.94" user="AD\sqsenil" statuscode="304" cached="0" profile="REF_HttProTestAdauth (AD-Authentication)" filteraction="REF_ACC_GBL_461feaff436e49e4adb8ffaf531891479147 (310_Web_AL)" size="0" request="0x204948d0" url="www.dsv-e-services.com/.../util.js
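
An offline version of the per-client Live Log filter suggested above, as an added example that is not part of the thread: it parses httpproxy lines in the layout posted here, keeps one client's requests, and lists any that were not passed. The sample lines, hosts, IPs and the `block` action value are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the key="value" layout of the httpproxy lines posted above.
# Hosts, IPs and the non-"pass" action value are made up for illustration.
SAMPLE_LOG = '''\
2014:09:03-08:12:17 utm httpproxy[2349]: id="0001" severity="info" name="http access" action="pass" method="POST" srcip="192.0.2.10" statuscode="200" size="1541" url="labels.example/print.action"
2014:09:03-08:12:18 utm httpproxy[2349]: id="0001" severity="info" name="http access" action="pass" method="GET" srcip="192.0.2.10" statuscode="304" size="0" url="labels.example/PrintJob.js
2014:09:03-08:12:18 utm httpproxy[2349]: id="0001" severity="info" name="http access" action="pass" method="GET" srcip="192.0.2.77" statuscode="200" size="900" url="other.example/index.html"
2014:09:03-08:12:19 utm httpproxy[2349]: id="0001" severity="info" name="http access" action="block" method="GET" srcip="192.0.2.10" statuscode="403" size="0" url="labels.example/label.pdf"
'''

# A value ends at the closing quote, or at end of line when the quote was cut off
# (as with the truncated url="... fields in the thread).
FIELD_RE = re.compile(r'(\w+)="([^"]*)(?:"|$)')

def parse_line(line):
    """Return the key="value" fields of one httpproxy log line as a dict."""
    return dict(FIELD_RE.findall(line))

def client_requests(log_text, srcip):
    """Offline equivalent of filtering the Live Log on one client IP."""
    rows = (parse_line(l) for l in log_text.splitlines() if "httpproxy[" in l)
    return [r for r in rows if r.get("srcip") == srcip]

def summarize(rows):
    """Count (action, statuscode) pairs and collect requests that were not passed."""
    counts = Counter((r.get("action"), r.get("statuscode")) for r in rows)
    not_passed = [r.get("url") for r in rows if r.get("action") != "pass"]
    return counts, not_passed

if __name__ == "__main__":
    counts, not_passed = summarize(client_requests(SAMPLE_LOG, "192.0.2.10"))
    for (action, status), n in sorted(counts.items()):
        print(f"{n:3d}  action={action} status={status}")
    print("not passed:", not_passed or "none")
```

Run over the lines posted in the thread, every entry for the client is `action="pass"`, so the "not passed" list would be empty.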
  • When you say "rather strict proxy policy" it makes me think they may have turned on options that are normally off, which could cause problems.

    I think (am not sure) that your filter action was created by ACC / SUM, correct?  That's another possible point of failure.

    Is it possible to do a screenshot of all tabs of the filter action (310_Web_AL) as well as Filter Options / Misc.?
  • All tabs are greyed out in "310_Web_AL".
    I assume our filter action is created by ACC / SUM.

  • I managed to bypass the problem today by creating an exception under Filtering Options for the specific hosts. For the moment they are skipping URL Filter / Content Removal on the URL dsv-e-services.com
    Maybe not the best solution but it works.

    Thanks for all the help.