This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

CR25iNG blocking access to site, even though complete open policy

First of, I did not set this application up and I'm not terribly versed with firewalls. However, it has been working fine for months, no one has changed a single thing. However, today, the application is apparently blocking or preventing access to a specific site. It was working fine last week. The site is for our business capital one credit card (https://myaccounts.capitalone.com). 

I see nothing in the logs and it is setup to allow all and block no websites. I know this is a firewall issue because I can connect to our comcast guest wifi, which does not sit behind the firewall, and it works fine. Any suggestions or recommendations would be greatly appreciated. 



This thread was automatically locked due to age.
Parents
  • Hi  

    Could you please confirm that the web site is hosted behind the firewall or hosted WAN side of the firewall?

    Please create a test firewall rule for specific IP addresses and do not apply any scanning or content filtering such as Web, App, and IPS filter policy and verify the web site access.

    Please verify the Pharming protection and check by disabling it.

    Please apply scanning and other restriction one by one and check which restriction is blocking the access, even if it is a "Allow All" web or app filter.

    You may also create FQDN host-based firewall rule and put the rule on top to allow access of the web site for all the users behind the firewall- https://community.sophos.com/kb/en-us/131258

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • The website is hosted on the WAN side. Anyone on the LAN side of the firewall is unable to access it. There is no restrictions or scanning actually enabled. I tried creating a FQDN host-based rule as you suggested, but same result of not being able to access the site. Here are some screen shots:

     

  • Hi  

    The configuration seems to be fine and the FQDN rule is correct as well. You can try packet capture utility or tcpdump from SSH console to check the web site traffic from the specific system.

    Please also verify Anti Virus > HTTP/S > Configuration and please untick Deny Unknown Protocol and Allow Invalid Certificate, You may also try Developer Tools of the browser to get status of the website.

    Please remove the ISP cable from the WAN interface of the Cyberoam device and connect the same cable to a single machine and configure the same IP as configured on the Cyberoam WAN interface and check if the website is accessible or not.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Apparently unticking the box "Allow Invalid Certificate" has done the trick. The other box was already unticked. Not sure how/why this was the problem, but thank you for your help.

Reply Children
  • Hi  

    If you enable HTTPS scanning, you need to import the Appliance SSL Proxy certificate in Internet Explorer, Mozilla Firefox or any other browsers for decryption on SSL Inspection otherwise the browser will always give a warning page when you try to access any secure site. An “Invalid Certificate error” warning appears when the site is using an invalid SSL certificate. The Appliance blocks all such sites. Enable if you want to allow access to such sites.

    We glad that the issue got resolved.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link