Mozilla Firefox Trouble with Google Gmail web based access

I have a three users who have trouble with Google Gmail based website while using Firefox. I use InterceptX. I am having issues pinning this down.

** Sophos Core Agent 2.20.13, Endpoint Advanced 10.8.11.4, Intercept X 2.0.24 (standard release channel)
** Mozilla Firefox 99.0.1 64 bit (standard release channel)
** Windows OS 10 Pro 64 bit patched to current (standard release channel)

Issue:
01. Google Workspace Gmail stops updating / timeout message (#001) appears.
02. user must close Firefox completely then start again. (if user does not start Gmail quickly enough Gmail will not start. Close Firefox completely and restart is the option.)

Testing:
01. I started with a brand new windows user. I logged onto the existing Google Workspace Gmail. I did screenshots periodically to document the timeline.
02. Gmail timeout issue appeared after about 60 minutes. (prior Sophos Community noted "Trouble with google based websites using Firefox" issue so I worked that aspect. Once my Google Workspace Gmail started timing out, I worked other Google property websites.) I opened a new tap and tried Gmail (did not load). I opened a new tap and did YouTube (it worked normally). I opened another new tab and tired Google search (it worked normally).
03. SpeedTest.net opened and ran without issue and Pocket.com worked without issue.
04. Sophos Endpoint Agent - I signed in as Admin.
05. From Sophos Endpoint Agent Admin screen ... I disabled different aspects / pieces and after each I would force Gmail to retry. I did this working through "off" but one cannot turn aspect / piece "on" after "off". Hence, I could not work through items individually. I got to half the aspects turned off and still "No Joy". (I screwed up and no screenshot of half items.)
06. After half aspects / pieces "off" and not able to re-enable, I just cancelled / off to all aspects / pieces except Deep Learning.
07. retry for Gmail and the traffic resumed working / flowing.
08. Sophos Endpoint Agent aspect(s) is/are the issue because when all but Deep Learning aspect / piece toggled "Off" and gmail resumed updates / working. However, I am unsure which aspect / piece is the issue.
09. Sophos Endpoint Agent - I signed out as Admin to re-set / re-enable all the aspects / pieces.
10. Gmail running in the originally open Mozilla Firefox tab continued working normally with aspects / pieces enabled EXCEPT Application Control and Data Loss Prevention (did not re-enable when I signed out as Admin).
11. Gmail timeout issue appeared after about 60 minutes. (prior Sophos Community noted "Trouble with google based websites using Firefox" issue so I worked that aspect. Once my Google Workspace Gmail started timing out, I worked other Google property websites.) I opened a new tap and tried Gmail (did not load). I opened a new tap and did YouTube (it worked normally). I opened another new tab and tired Google search (it worked normally).
12. After Windows Firewall, Ransomwear Detection, Safe Browsing, Network Threat Protection, Application Control, and Data Loss Prevention aspects / pieces "off" Gmail resumed working / flowing.

(I can share the screenshots if that helps but they are just timeline value.)

Working each setting in Sophos Endpoint Agent then resetting and waiting an hour is not possible during my work day.


Does anyone have any suggestions? For working this Gmail hanging is irritating issue.



added / clarified the Windows 10 Pro OS is 64 bit and Mozilla Firefox is 64 bit versions.
[edited by: Sophos User6096 at 7:12 PM (GMT -7) on 29 Apr 2022]
  • Thank you. I seem to have the logging working now. This is the log file for a single click on my Firefox bookmark for google.co.uk (with 0Kb transferred according to Developer Tools):

  • Sorry that print screen didn't get the start of the log - it's longer than my monitor screen - here it is from the start

  • That could be Sophos tamper protection at play.

    Running PowerShell as administrator and running the command:

    gc "C:\Programdata\Sophos\Sophos Network Threat Protection\logs\SophosNetFilter.log" -wait -tail 1

    should work but you could try running the following sequence of commands in that admin PowrerShell prompt to see how far you get along the path, i.e.:

    CD \

    CD Programdata

    CD Sophos

    CD Sophos Network Threat Protection

    CD Logs

    dir

    Can you see the logs?

    In other news, I did get:

    and then....

    The scenario being;

    1. Launch Firefox, type something in the address bar to perform a search.  I switched the default search engine to DuckDuckGo just to see if Google was even significant. This worked all is fine and I can repeat this. All OK.

    2. Tamper Protection is off so I restart the service:

    "Sophos Network Threat Protection"

    This will essentially exit and re-launch the SophosNetFilter.exe process which is used for Web Protection/Control.

    3. If I refresh the page, then I get the above error.

    So I wonder if, for some reason, the SophosNetFilter.exe process is restarting on your computer?

    To test this theory, if you open Windows Task Manager, under the Details tab find the SophosNetFilter.exe process when all is working, make a note of the PID (process id).  Browse away, until you get the issue.  Has the PID of the SophosNetFilter.exe changed?

    ---

    In the SophosNetFilter.log (with Debug logging enabled), I see:

    022-05-01T11:02:44.096Z [36128:65640] D Server Hello SNI lookup: duckduckgo.com - allow: true
    2022-05-01T11:02:44.097Z [36128:94500] E SSL_do_handshake returned SSL error= 1 reason=1042 error:00000001:lib(0):func(0):reason(1) SSL*=00000185B8682460
    2022-05-01T11:02:44.103Z [36128:94500] E Failed to set up SSL MITM encryption: Unrecoverable SSL error during handshake(): error:00000412:lib(0):func(0):reason(1042)
    2022-05-01T11:02:44.104Z [36128:94500] E Unrecoverable SSL error in input() flowId=87351 side=0 size=24 offset=0
    2022-05-01T11:02:44.106Z [36128:94500] D request disconnect flowId=87351 side=0 flags=65536

    ---

    This made me think of the 5 minute comments. In the current product, when you boot the computer, 5 mins after the Sophos AutoUpdate Service starts (alsvc.exe), the first update occurs, then it goes back to the 1/hr check if all is well.

    If however, there is an issue with a component installing and there has never been a successful update, such that the FeatureHash value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate is not stored, as there is yet to be a successful update.  Then the AutoUpdate product runs the setup plugins of all the components including AutoUpdate, this has the effect of restarting the AutoUpdate service and it enters into a 5 minute update.  

    If this is the case, under C:\windows\temp\ there are installer logs of Sophos being created every 5 minutes?

    I'm just trying to think of a scenario where the SophosNetFilter.exe process is constantly being restarted, and if the NTP component is being re-installed every 5 mins by AutoUpdate that could be one.

    ---

    Interestingly and somewhat expectedly, if I disable in policy:

    Which can be seen at the endpoint:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\[policyrevision]\web_protection

    https_decrypt_enabled = 0

    Then if the process is restarted as above, it all works.

    Hopefully you find that for some reason, the SophosNetFilter.exe process is restarting.  We can then focus on that.

  • HI as you can see from the thread I've been looking at this and think I might have a scenario that leads to the issue.  What I also notice in your post was:

    "02. Gmail timeout issue appeared after about 60 minutes"

    It is interesting that this is the update interval.  As I mentioned in a comment below.

    The computer starts and the Sophos AutoUpdate service (alsvc.exe) process will start.
    C:\ProgramData\Sophos\AutoUpdate\Logs\susvc.log

    Is the log for the service. 5 mins after it starts, it initiates the first update check and then every 60 mins there after.

    As this all happens as System user, the logs for the updates go under: C:\Windows\Temp\

    Do you see a log which has the name:

    Sophos Network Threat Protection Install Log [timestamp].txt

    Every hour? 

    You could check the log file;

    "C:\ProgramData\HitmanPro.Alert\Logs\Sophos.log"

    to see how often the processes show up:

    2022-03-06T14:49:26.605Z [Protected] PID 4368, Features 00FD2E3000000104 Silent 0080000000000000, C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\su-setup32.exe

    2022-03-06T14:49:26.857Z [Protected] PID 32336, Features 00FD2E3000000104 Silent 0080000000000000, C:\Program Files\Sophos\Sophos Network Threat Protection\SophosIPS.exe

    2022-03-06T14:49:29.068Z [Protected] PID 2856, Features 00FD2E3000000104 Silent 0080000000000000, C:\Program Files\Sophos\Sophos Network Threat Protection\SophosNetFilter.exe

    The above pattern shows the SophosIPS ad SophosNetFilter process starting as part of an update.

  • SophosNetFilter.exe in Task Manager seems to have a stable Process ID number across incldences of the bug.

    I tried again on logging in Powershell (I don't think I had Product Logging / Network Thfreat Protection / Debug turned on las time). Results in file below (can I put a text file here? Not sure. Sorry if doesn't work.).

    This is for failed access to google,co.uk, with   SSL_ERROR_BAD_MAC_ALERT appearing in the Firefox browser (but that error code is itself erratic, it appears on only circa 25% of the fails).

    ndows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    Try the new cross-platform PowerShell https://aka.ms/pscore6
    
    PS C:\WINDOWS\system32> cd c:\
    PS C:\> gc "C:\Programdata\Sophos\Sophos Network Threat Protection\logs\SophosNetFilter.log" -wait -tail 1
    2022-05-01T11:30:00.715Z [ 7084: 7176] D Erasing context for flowId=8075
    2022-05-01T11:30:25.482Z [ 7084: 7184] I [webengine] New connection 0x277e7fefce0
    2022-05-01T11:30:25.482Z [ 7084: 7184] D Created context for flowId=8320
    2022-05-01T11:30:25.482Z [ 7084: 7184] D Looking up IP: 2a00:1450:4009:817::2003
    2022-05-01T11:30:25.483Z [ 7084:11124] I [check-ip] connection:0x277e7fefce0 ip:2a00:1450:4009:817::2003 flowId:8320 decision:continue
    2022-05-01T11:30:25.483Z [ 7084:11124] I [clienthello] connection:0x277e7fefce0 sni:www.google.co.uk flowId:8320 decision:nodecrypt
    2022-05-01T11:30:25.484Z [ 7084: 7184] D Unable to get ClientHello: Data is not a client hello handshake message
    2022-05-01T11:30:25.484Z [ 7084: 7184] D  request disconnect flowId=8320 side=0 flags=65536
    2022-05-01T11:30:25.484Z [ 7084:11124] D Client Hello SNI lookup: www.google.co.uk - allow=true, offload=false, nodecrypt=1
    2022-05-01T11:30:25.484Z [ 7084:11124] D Client Hello - Processing WebControl policy
    2022-05-01T11:30:25.484Z [ 7084:11124] D Lookup URL www.google.co.uk
    2022-05-01T11:30:25.485Z [ 7084:11124] I [request] connection: 0x277e7fefce0 url:www.google.co.uk flowId:8320 decision:allowed riskLevel:2 universalCategory:42
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace apply()
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace !checkSiteList() category=42 risk=unknown domain=www.google.co.uk path= query= remoteIp=2a00:1450:4009:817::2003
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace   - NOT found in local site list
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace determinefileClass()
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace   - filetype=text/plain path=
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace   - using filetype text/plain
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace   - using fileclass <nil>
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace   - category=42 risk=unknown domain=www.google.co.uk path= query= method= uri=www.google.co.uk filetype=text/plain fileclass=nil response_content_type= user=unknown ip= blockOnSxlFailure=false epoch=1651404625 time=12:30 wday=1 mcs_endpoint_id=-1
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace getPolicy()
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace   - checking if policy [Base Policy] matched
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace   - policy [Base Policy] added as a candidate
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace Scanning with categoryscanner
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace   - use action from policy [Base Policy]
    2022-05-01T11:30:25.485Z [ 7084:11124] D WebControl::trace   - scan result is [allow]
    2022-05-01T11:30:25.486Z [ 7084:11124] D WebControl::trace Scanning with filetypescanner
    2022-05-01T11:30:25.486Z [ 7084:11124] D WebControl::trace   - fileclass is nil; skipping filetype scan
    2022-05-01T11:30:25.486Z [ 7084:11124] D WebControl::trace   - scan result is [pass]
    2022-05-01T11:30:25.486Z [ 7084:11124] D WebControl::trace   - result: allow
    2022-05-01T11:30:25.486Z [ 7084:11124] D WebControl::trace   - use web monitoring from policy [Base Policy]
    2022-05-01T11:30:25.486Z [ 7084:11124] D WebControl::trace Result: action=allow policy=[Base Policy] reason=category mute_swa_log=false mute_allow_events=true
    2022-05-01T11:30:25.486Z [ 7084:11124] D WebControl::PolicyEvaluator::determineResponseAction: memoryUsed=0 memoryPeak=0
    2022-05-01T11:30:25.486Z [ 7084:11124] I page allowed: www.google.co.uk
    2022-05-01T11:30:25.537Z [ 7084: 7184] D  request disconnect flowId=8320 side=0 flags=589824
    2022-05-01T11:30:25.538Z [ 7084: 7184] D Got Pending Close flowId=8320 flags=1073741824
    2022-05-01T11:30:25.538Z [ 7084: 7176] D Erasing context for flowId=8320
    2022-05-01T11:30:25.538Z [ 7084: 7176] D Storing web flow journal event for 13295878225-8320. Number of certs stored: 0
    2022-05-01T11:30:25.538Z [ 7084: 7176] I [webengine] Closing connection 0x277e7fefce0 for 'www.google.co.uk': request=772b, response=786b, lifetime=56ms, firstResponse=36ms, businessLogicDelay=0ms, timeInCache=0ms, in=36ms, out=54ms, l.eos=55ms
    2022-05-01T11:30:25.556Z [ 7084: 7184] I [webengine] New connection 0x277e7fce1b0
    2022-05-01T11:30:25.557Z [ 7084: 7184] D Created context for flowId=8321
    2022-05-01T11:30:25.557Z [ 7084: 7184] D Looking up IP: 2a00:1450:4009:817::2003
    2022-05-01T11:30:25.557Z [ 7084:11124] I [check-ip] connection:0x277e7fce1b0 ip:2a00:1450:4009:817::2003 flowId:8321 decision:continue
    2022-05-01T11:30:25.558Z [ 7084:11124] I [clienthello] connection:0x277e7fce1b0 sni:www.google.co.uk flowId:8321 decision:nodecrypt
    2022-05-01T11:30:25.558Z [ 7084:11124] D Client Hello SNI lookup: www.google.co.uk - allow=true, offload=false, nodecrypt=1
    2022-05-01T11:30:25.558Z [ 7084:11124] D Client Hello - Processing WebControl policy
    2022-05-01T11:30:25.558Z [ 7084:11124] D Lookup URL www.google.co.uk
    2022-05-01T11:30:25.559Z [ 7084:11124] I [request] connection: 0x277e7fce1b0 url:www.google.co.uk flowId:8321 decision:allowed riskLevel:2 universalCategory:42
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace apply()
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace !checkSiteList() category=42 risk=unknown domain=www.google.co.uk path= query= remoteIp=2a00:1450:4009:817::2003
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace   - NOT found in local site list
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace determinefileClass()
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace   - filetype=text/plain path=
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace   - using filetype text/plain
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace   - using fileclass <nil>
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace   - category=42 risk=unknown domain=www.google.co.uk path= query= method= uri=www.google.co.uk filetype=text/plain fileclass=nil response_content_type= user=unknown ip= blockOnSxlFailure=false epoch=1651404625 time=12:30 wday=1 mcs_endpoint_id=-1
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace getPolicy()
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace   - checking if policy [Base Policy] matched
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace   - policy [Base Policy] added as a candidate
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace Scanning with categoryscanner
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace   - use action from policy [Base Policy]
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace   - scan result is [allow]
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace Scanning with filetypescanner
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace   - fileclass is nil; skipping filetype scan
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace   - scan result is [pass]
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace   - result: allow
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace   - use web monitoring from policy [Base Policy]
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::trace Result: action=allow policy=[Base Policy] reason=category mute_swa_log=false mute_allow_events=true
    2022-05-01T11:30:25.559Z [ 7084:11124] D WebControl::PolicyEvaluator::determineResponseAction: memoryUsed=0 memoryPeak=0
    2022-05-01T11:30:25.559Z [ 7084:11124] I page allowed: www.google.co.uk
    2022-05-01T11:30:25.598Z [ 7084: 7184] D  request disconnect flowId=8321 side=0 flags=589824
    2022-05-01T11:30:25.599Z [ 7084: 7184] D Got Pending Close flowId=8321 flags=1073741824
    2022-05-01T11:30:25.599Z [ 7084: 7176] D Erasing context for flowId=8321
    2022-05-01T11:30:25.600Z [ 7084: 7176] D Storing web flow journal event for 13295878225-8321. Number of certs stored: 0
    2022-05-01T11:30:25.600Z [ 7084: 7176] I [webengine] Closing connection 0x277e7fce1b0 for 'www.google.co.uk': request=1625b, response=786b, lifetime=43ms, firstResponse=24ms, businessLogicDelay=0ms, timeInCache=0ms, in=25ms, out=40ms, l.eos=41ms
    2022-05-01T11:30:25.619Z [ 7084: 7184] I [webengine] New connection 0x277e7ff0040
    2022-05-01T11:30:25.619Z [ 7084: 7184] D Created context for flowId=8322
    2022-05-01T11:30:25.619Z [ 7084: 7184] D Looking up IP: 2a00:1450:4009:817::2003
    2022-05-01T11:30:25.620Z [ 7084:11124] I [check-ip] connection:0x277e7ff0040 ip:2a00:1450:4009:817::2003 flowId:8322 decision:continue
    2022-05-01T11:30:25.621Z [ 7084:11124] I [clienthello] connection:0x277e7ff0040 sni:www.google.co.uk flowId:8322 decision:nodecrypt
    2022-05-01T11:30:25.621Z [ 7084:11124] D Client Hello SNI lookup: www.google.co.uk - allow=true, offload=false, nodecrypt=1
    2022-05-01T11:30:25.621Z [ 7084:11124] D Client Hello - Processing WebControl policy
    2022-05-01T11:30:25.621Z [ 7084:11124] D Lookup URL www.google.co.uk
    2022-05-01T11:30:25.622Z [ 7084:11124] I [request] connection: 0x277e7ff0040 url:www.google.co.uk flowId:8322 decision:allowed riskLevel:2 universalCategory:42
    2022-05-01T11:30:25.623Z [ 7084:11124] D WebControl::trace apply()
    2022-05-01T11:30:25.623Z [ 7084:11124] D WebControl::trace !checkSiteList() category=42 risk=unknown domain=www.google.co.uk path= query= remoteIp=2a00:1450:4009:817::2003
    2022-05-01T11:30:25.623Z [ 7084:11124] D WebControl::trace   - NOT found in local site list
    2022-05-01T11:30:25.623Z [ 7084:11124] D WebControl::trace determinefileClass()
    2022-05-01T11:30:25.623Z [ 7084:11124] D WebControl::trace   - filetype=text/plain path=
    2022-05-01T11:30:25.623Z [ 7084:11124] D WebControl::trace   - using filetype text/plain
    2022-05-01T11:30:25.623Z [ 7084:11124] D WebControl::trace   - using fileclass <nil>
    2022-05-01T11:30:25.623Z [ 7084:11124] D WebControl::trace   - category=42 risk=unknown domain=www.google.co.uk path= query= method= uri=www.google.co.uk filetype=text/plain fileclass=nil response_content_type= user=unknown ip= blockOnSxlFailure=false epoch=1651404625 time=12:30 wday=1 mcs_endpoint_id=-1
    2022-05-01T11:30:25.623Z [ 7084:11124] D WebControl::trace getPolicy()
    2022-05-01T11:30:25.624Z [ 7084:11124] D WebControl::trace   - checking if policy [Base Policy] matched
    2022-05-01T11:30:25.624Z [ 7084:11124] D WebControl::trace   - policy [Base Policy] added as a candidate
    2022-05-01T11:30:25.624Z [ 7084:11124] D WebControl::trace Scanning with categoryscanner
    2022-05-01T11:30:25.624Z [ 7084:11124] D WebControl::trace   - use action from policy [Base Policy]
    2022-05-01T11:30:25.624Z [ 7084:11124] D WebControl::trace   - scan result is [allow]
    2022-05-01T11:30:25.624Z [ 7084:11124] D WebControl::trace Scanning with filetypescanner
    2022-05-01T11:30:25.624Z [ 7084:11124] D WebControl::trace   - fileclass is nil; skipping filetype scan
    2022-05-01T11:30:25.624Z [ 7084:11124] D WebControl::trace   - scan result is [pass]
    2022-05-01T11:30:25.624Z [ 7084:11124] D WebControl::trace   - result: allow
    2022-05-01T11:30:25.624Z [ 7084:11124] D WebControl::trace   - use web monitoring from policy [Base Policy]
    2022-05-01T11:30:25.625Z [ 7084:11124] D WebControl::trace Result: action=allow policy=[Base Policy] reason=category mute_swa_log=false mute_allow_events=true
    2022-05-01T11:30:25.625Z [ 7084:11124] D WebControl::PolicyEvaluator::determineResponseAction: memoryUsed=0 memoryPeak=0
    2022-05-01T11:30:25.625Z [ 7084:11124] I page allowed: www.google.co.uk
    2022-05-01T11:30:25.661Z [ 7084: 7184] D Got Pending Close flowId=8322 flags=1073741824
    2022-05-01T11:30:25.661Z [ 7084: 7176] D Erasing context for flowId=8322
    2022-05-01T11:30:25.661Z [ 7084: 7176] D Storing web flow journal event for 13295878225-8322. Number of certs stored: 0
    2022-05-01T11:30:25.662Z [ 7084: 7176] I [webengine] Closing connection 0x277e7ff0040 for 'www.google.co.uk': request=1601b, response=786b, lifetime=42ms, firstResponse=25ms, businessLogicDelay=0ms, timeInCache=0ms, in=25ms, out=41ms
    2022-05-01T11:30:25.680Z [ 7084: 7184] I [webengine] New connection 0x277e7fce630
    2022-05-01T11:30:25.680Z [ 7084: 7184] D Created context for flowId=8323
    2022-05-01T11:30:25.681Z [ 7084: 7184] D Looking up IP: 2a00:1450:4009:817::2003
    2022-05-01T11:30:25.681Z [ 7084:11124] I [check-ip] connection:0x277e7fce630 ip:2a00:1450:4009:817::2003 flowId:8323 decision:continue
    2022-05-01T11:30:25.682Z [ 7084:11124] I [clienthello] connection:0x277e7fce630 sni:www.google.co.uk flowId:8323 decision:nodecrypt
    2022-05-01T11:30:25.682Z [ 7084:11124] D Client Hello SNI lookup: www.google.co.uk - allow=true, offload=false, nodecrypt=1
    2022-05-01T11:30:25.682Z [ 7084:11124] D Client Hello - Processing WebControl policy
    2022-05-01T11:30:25.682Z [ 7084:11124] D Lookup URL www.google.co.uk
    2022-05-01T11:30:25.683Z [ 7084:11124] I [request] connection: 0x277e7fce630 url:www.google.co.uk flowId:8323 decision:allowed riskLevel:2 universalCategory:42
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace apply()
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace !checkSiteList() category=42 risk=unknown domain=www.google.co.uk path= query= remoteIp=2a00:1450:4009:817::2003
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace   - NOT found in local site list
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace determinefileClass()
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace   - filetype=text/plain path=
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace   - using filetype text/plain
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace   - using fileclass <nil>
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace   - category=42 risk=unknown domain=www.google.co.uk path= query= method= uri=www.google.co.uk filetype=text/plain fileclass=nil response_content_type= user=unknown ip= blockOnSxlFailure=false epoch=1651404625 time=12:30 wday=1 mcs_endpoint_id=-1
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace getPolicy()
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace   - checking if policy [Base Policy] matched
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace   - policy [Base Policy] added as a candidate
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace Scanning with categoryscanner
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace   - use action from policy [Base Policy]
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace   - scan result is [allow]
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace Scanning with filetypescanner
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace   - fileclass is nil; skipping filetype scan
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace   - scan result is [pass]
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace   - result: allow
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace   - use web monitoring from policy [Base Policy]
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::trace Result: action=allow policy=[Base Policy] reason=category mute_swa_log=false mute_allow_events=true
    2022-05-01T11:30:25.683Z [ 7084:11124] D WebControl::PolicyEvaluator::determineResponseAction: memoryUsed=0 memoryPeak=0
    2022-05-01T11:30:25.683Z [ 7084:11124] I page allowed: www.google.co.uk
    2022-05-01T11:30:25.722Z [ 7084: 7184] D Got Pending Close flowId=8323 flags=1073741824
    2022-05-01T11:30:25.722Z [ 7084: 7176] D Erasing context for flowId=8323
    2022-05-01T11:30:25.722Z [ 7084: 7176] D Storing web flow journal event for 13295878225-8323. Number of certs stored: 0
    2022-05-01T11:30:25.723Z [ 7084: 7176] I [webengine] Closing connection 0x277e7fce630 for 'www.google.co.uk': request=1601b, response=786b, lifetime=42ms, firstResponse=25ms, businessLogicDelay=0ms, timeInCache=0ms, in=25ms, out=41ms
    2022-05-01T11:30:25.743Z [ 7084: 7184] I [webengine] New connection 0x277e7ff0040
    2022-05-01T11:30:25.743Z [ 7084: 7184] D Created context for flowId=8324
    2022-05-01T11:30:25.743Z [ 7084: 7184] D Looking up IP: 2a00:1450:4009:817::2003
    2022-05-01T11:30:25.744Z [ 7084:11124] I [check-ip] connection:0x277e7ff0040 ip:2a00:1450:4009:817::2003 flowId:8324 decision:continue
    2022-05-01T11:30:25.749Z [ 7084:11124] I [clienthello] connection:0x277e7ff0040 sni:www.google.co.uk flowId:8324 decision:nodecrypt
    2022-05-01T11:30:25.749Z [ 7084:11124] D Client Hello SNI lookup: www.google.co.uk - allow=true, offload=false, nodecrypt=1
    2022-05-01T11:30:25.749Z [ 7084:11124] D Client Hello - Processing WebControl policy
    2022-05-01T11:30:25.749Z [ 7084:11124] D Lookup URL www.google.co.uk
    2022-05-01T11:30:25.750Z [ 7084:11124] I [request] connection: 0x277e7ff0040 url:www.google.co.uk flowId:8324 decision:allowed riskLevel:2 universalCategory:42
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace apply()
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace !checkSiteList() category=42 risk=unknown domain=www.google.co.uk path= query= remoteIp=2a00:1450:4009:817::2003
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace   - NOT found in local site list
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace determinefileClass()
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace   - filetype=text/plain path=
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace   - using filetype text/plain
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace   - using fileclass <nil>
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace   - category=42 risk=unknown domain=www.google.co.uk path= query= method= uri=www.google.co.uk filetype=text/plain fileclass=nil response_content_type= user=unknown ip= blockOnSxlFailure=false epoch=1651404625 time=12:30 wday=1 mcs_endpoint_id=-1
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace getPolicy()
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace   - checking if policy [Base Policy] matched
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace   - policy [Base Policy] added as a candidate
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace Scanning with categoryscanner
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace   - use action from policy [Base Policy]
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace   - scan result is [allow]
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace Scanning with filetypescanner
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace   - fileclass is nil; skipping filetype scan
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace   - scan result is [pass]
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace   - result: allow
    2022-05-01T11:30:25.750Z [ 7084:11124] D WebControl::trace   - use web monitoring from policy [Base Policy]
    2022-05-01T11:30:25.751Z [ 7084:11124] D WebControl::trace Result: action=allow policy=[Base Policy] reason=category mute_swa_log=false mute_allow_events=true
    2022-05-01T11:30:25.751Z [ 7084:11124] D WebControl::PolicyEvaluator::determineResponseAction: memoryUsed=0 memoryPeak=0
    2022-05-01T11:30:25.751Z [ 7084:11124] I page allowed: www.google.co.uk
    2022-05-01T11:30:25.790Z [ 7084: 7184] D  request disconnect flowId=8324 side=0 flags=589824
    2022-05-01T11:30:25.795Z [ 7084: 7184] D Got Pending Close flowId=8324 flags=1073741824
    2022-05-01T11:30:25.795Z [ 7084: 7176] D Erasing context for flowId=8324
    2022-05-01T11:30:25.795Z [ 7084: 7176] D Storing web flow journal event for 13295878225-8324. Number of certs stored: 0
    2022-05-01T11:30:25.795Z [ 7084: 7176] I [webengine] Closing connection 0x277e7ff0040 for 'www.google.co.uk': request=1625b, response=786b, lifetime=52ms, firstResponse=30ms, businessLogicDelay=0ms, timeInCache=0ms, in=30ms, out=46ms, l.eos=46ms
    2022-05-01T11:30:25.808Z [ 7084: 7184] I [webengine] New connection 0x277e7fa9870
    2022-05-01T11:30:25.808Z [ 7084: 7184] D Created context for flowId=8325
    2022-05-01T11:30:25.808Z [ 7084: 7184] D Looking up IP: 2a00:1450:4009:817::2003
    2022-05-01T11:30:25.809Z [ 7084:11124] I [check-ip] connection:0x277e7fa9870 ip:2a00:1450:4009:817::2003 flowId:8325 decision:continue
    2022-05-01T11:30:25.810Z [ 7084:11124] I [clienthello] connection:0x277e7fa9870 sni:www.google.co.uk flowId:8325 decision:nodecrypt
    2022-05-01T11:30:25.810Z [ 7084:11124] D Client Hello SNI lookup: www.google.co.uk - allow=true, offload=false, nodecrypt=1
    2022-05-01T11:30:25.810Z [ 7084:11124] D Client Hello - Processing WebControl policy
    2022-05-01T11:30:25.810Z [ 7084:11124] D Lookup URL www.google.co.uk
    2022-05-01T11:30:25.810Z [ 7084:11124] I [request] connection: 0x277e7fa9870 url:www.google.co.uk flowId:8325 decision:allowed riskLevel:2 universalCategory:42
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace apply()
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace !checkSiteList() category=42 risk=unknown domain=www.google.co.uk path= query= remoteIp=2a00:1450:4009:817::2003
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace   - NOT found in local site list
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace determinefileClass()
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace   - filetype=text/plain path=
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace   - using filetype text/plain
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace   - using fileclass <nil>
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace   - category=42 risk=unknown domain=www.google.co.uk path= query= method= uri=www.google.co.uk filetype=text/plain fileclass=nil response_content_type= user=unknown ip= blockOnSxlFailure=false epoch=1651404625 time=12:30 wday=1 mcs_endpoint_id=-1
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace getPolicy()
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace   - checking if policy [Base Policy] matched
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace   - policy [Base Policy] added as a candidate
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace Scanning with categoryscanner
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace   - use action from policy [Base Policy]
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace   - scan result is [allow]
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace Scanning with filetypescanner
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace   - fileclass is nil; skipping filetype scan
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace   - scan result is [pass]
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace   - result: allow
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace   - use web monitoring from policy [Base Policy]
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::trace Result: action=allow policy=[Base Policy] reason=category mute_swa_log=false mute_allow_events=true
    2022-05-01T11:30:25.811Z [ 7084:11124] D WebControl::PolicyEvaluator::determineResponseAction: memoryUsed=0 memoryPeak=0
    2022-05-01T11:30:25.811Z [ 7084:11124] I page allowed: www.google.co.uk
    2022-05-01T11:30:25.852Z [ 7084: 7184] D  request disconnect flowId=8325 side=0 flags=589824
    2022-05-01T11:30:25.853Z [ 7084: 7184] D Got Pending Close flowId=8325 flags=1073741824
    2022-05-01T11:30:25.853Z [ 7084: 7176] D Erasing context for flowId=8325
    2022-05-01T11:30:25.854Z [ 7084: 7176] D Storing web flow journal event for 13295878225-8325. Number of certs stored: 0
    2022-05-01T11:30:25.854Z [ 7084: 7176] I [webengine] Closing connection 0x277e7fa9870 for 'www.google.co.uk': request=1625b, response=786b, lifetime=45ms, firstResponse=27ms, businessLogicDelay=0ms, timeInCache=0ms, in=27ms, out=43ms, l.eos=43ms
    2022-05-01T11:30:25.870Z [ 7084: 7184] I [webengine] New connection 0x277e7fa9630
    2022-05-01T11:30:25.870Z [ 7084: 7184] D Created context for flowId=8326
    2022-05-01T11:30:25.870Z [ 7084: 7184] D Looking up IP: 2a00:1450:4009:817::2003
    2022-05-01T11:30:25.871Z [ 7084:11124] I [check-ip] connection:0x277e7fa9630 ip:2a00:1450:4009:817::2003 flowId:8326 decision:continue
    2022-05-01T11:30:25.872Z [ 7084:11124] I [clienthello] connection:0x277e7fa9630 sni:www.google.co.uk flowId:8326 decision:nodecrypt
    2022-05-01T11:30:25.872Z [ 7084:11124] D Client Hello SNI lookup: www.google.co.uk - allow=true, offload=false, nodecrypt=1
    2022-05-01T11:30:25.872Z [ 7084:11124] D Client Hello - Processing WebControl policy
    2022-05-01T11:30:25.872Z [ 7084:11124] D Lookup URL www.google.co.uk
    2022-05-01T11:30:25.873Z [ 7084:11124] I [request] connection: 0x277e7fa9630 url:www.google.co.uk flowId:8326 decision:allowed riskLevel:2 universalCategory:42
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace apply()
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace !checkSiteList() category=42 risk=unknown domain=www.google.co.uk path= query= remoteIp=2a00:1450:4009:817::2003
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace   - NOT found in local site list
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace determinefileClass()
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace   - filetype=text/plain path=
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace   - using filetype text/plain
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace   - using fileclass <nil>
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace   - category=42 risk=unknown domain=www.google.co.uk path= query= method= uri=www.google.co.uk filetype=text/plain fileclass=nil response_content_type= user=unknown ip= blockOnSxlFailure=false epoch=1651404625 time=12:30 wday=1 mcs_endpoint_id=-1
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace getPolicy()
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace   - checking if policy [Base Policy] matched
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace   - policy [Base Policy] added as a candidate
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace Scanning with categoryscanner
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace   - use action from policy [Base Policy]
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace   - scan result is [allow]
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace Scanning with filetypescanner
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace   - fileclass is nil; skipping filetype scan
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace   - scan result is [pass]
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace   - result: allow
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace   - use web monitoring from policy [Base Policy]
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::trace Result: action=allow policy=[Base Policy] reason=category mute_swa_log=false mute_allow_events=true
    2022-05-01T11:30:25.873Z [ 7084:11124] D WebControl::PolicyEvaluator::determineResponseAction: memoryUsed=0 memoryPeak=0
    2022-05-01T11:30:25.873Z [ 7084:11124] I page allowed: www.google.co.uk
    2022-05-01T11:30:25.913Z [ 7084: 7184] D Got Pending Close flowId=8326 flags=1073741824
    2022-05-01T11:30:25.913Z [ 7084: 7176] D Erasing context for flowId=8326
    2022-05-01T11:30:25.913Z [ 7084: 7176] D Storing web flow journal event for 13295878225-8326. Number of certs stored: 0
    2022-05-01T11:30:25.913Z [ 7084: 7176] I [webengine] Closing connection 0x277e7fa9630 for 'www.google.co.uk': request=1601b, response=786b, lifetime=42ms, firstResponse=25ms, businessLogicDelay=0ms, timeInCache=0ms, in=25ms, out=42ms
    2022-05-01T11:30:25.932Z [ 7084: 7184] I [webengine] New connection 0x277e7fa9630
    2022-05-01T11:30:25.932Z [ 7084: 7184] D Created context for flowId=8327
    2022-05-01T11:30:25.932Z [ 7084: 7184] D Looking up IP: 2a00:1450:4009:817::2003
    2022-05-01T11:30:25.933Z [ 7084:11124] I [check-ip] connection:0x277e7fa9630 ip:2a00:1450:4009:817::2003 flowId:8327 decision:continue
    2022-05-01T11:30:25.934Z [ 7084:11124] I [clienthello] connection:0x277e7fa9630 sni:www.google.co.uk flowId:8327 decision:nodecrypt
    2022-05-01T11:30:25.934Z [ 7084:11124] D Client Hello SNI lookup: www.google.co.uk - allow=true, offload=false, nodecrypt=1
    2022-05-01T11:30:25.934Z [ 7084:11124] D Client Hello - Processing WebControl policy
    2022-05-01T11:30:25.934Z [ 7084:11124] D Lookup URL www.google.co.uk
    2022-05-01T11:30:25.934Z [ 7084:11124] I [request] connection: 0x277e7fa9630 url:www.google.co.uk flowId:8327 decision:allowed riskLevel:2 universalCategory:42
    2022-05-01T11:30:25.934Z [ 7084:11124] D WebControl::trace apply()
    2022-05-01T11:30:25.934Z [ 7084:11124] D WebControl::trace !checkSiteList() category=42 risk=unknown domain=www.google.co.uk path= query= remoteIp=2a00:1450:4009:817::2003
    2022-05-01T11:30:25.934Z [ 7084:11124] D WebControl::trace   - NOT found in local site list
    2022-05-01T11:30:25.934Z [ 7084:11124] D WebControl::trace determinefileClass()
    2022-05-01T11:30:25.934Z [ 7084:11124] D WebControl::trace   - filetype=text/plain path=
    2022-05-01T11:30:25.934Z [ 7084:11124] D WebControl::trace   - using filetype text/plain
    2022-05-01T11:30:25.934Z [ 7084:11124] D WebControl::trace   - using fileclass <nil>
    2022-05-01T11:30:25.934Z [ 7084:11124] D WebControl::trace   - category=42 risk=unknown domain=www.google.co.uk path= query= method= uri=www.google.co.uk filetype=text/plain fileclass=nil response_content_type= user=unknown ip= blockOnSxlFailure=false epoch=1651404625 time=12:30 wday=1 mcs_endpoint_id=-1
    2022-05-01T11:30:25.934Z [ 7084:11124] D WebControl::trace getPolicy()
    2022-05-01T11:30:25.935Z [ 7084:11124] D WebControl::trace   - checking if policy [Base Policy] matched
    2022-05-01T11:30:25.935Z [ 7084:11124] D WebControl::trace   - policy [Base Policy] added as a candidate
    2022-05-01T11:30:25.935Z [ 7084:11124] D WebControl::trace Scanning with categoryscanner
    2022-05-01T11:30:25.935Z [ 7084:11124] D WebControl::trace   - use action from policy [Base Policy]
    2022-05-01T11:30:25.935Z [ 7084:11124] D WebControl::trace   - scan result is [allow]
    2022-05-01T11:30:25.935Z [ 7084:11124] D WebControl::trace Scanning with filetypescanner
    2022-05-01T11:30:25.935Z [ 7084:11124] D WebControl::trace   - fileclass is nil; skipping filetype scan
    2022-05-01T11:30:25.935Z [ 7084:11124] D WebControl::trace   - scan result is [pass]
    2022-05-01T11:30:25.935Z [ 7084:11124] D WebControl::trace   - result: allow
    2022-05-01T11:30:25.935Z [ 7084:11124] D WebControl::trace   - use web monitoring from policy [Base Policy]
    2022-05-01T11:30:25.935Z [ 7084:11124] D WebControl::trace Result: action=allow policy=[Base Policy] reason=category mute_swa_log=false mute_allow_events=true
    2022-05-01T11:30:25.935Z [ 7084:11124] D WebControl::PolicyEvaluator::determineResponseAction: memoryUsed=0 memoryPeak=0
    2022-05-01T11:30:25.935Z [ 7084:11124] I page allowed: www.google.co.uk
    2022-05-01T11:30:25.974Z [ 7084: 7184] D Got Pending Close flowId=8327 flags=1073741824
    2022-05-01T11:30:25.974Z [ 7084: 7176] D Erasing context for flowId=8327
    2022-05-01T11:30:25.975Z [ 7084: 7176] D Storing web flow journal event for 13295878225-8327. Number of certs stored: 0
    2022-05-01T11:30:25.975Z [ 7084: 7176] I [webengine] Closing connection 0x277e7fa9630 for 'www.google.co.uk': request=1601b, response=786b, lifetime=42ms, firstResponse=25ms, businessLogicDelay=0ms, timeInCache=0ms, in=25ms, out=41ms
    2022-05-01T11:30:25.994Z [ 7084: 7184] I [webengine] New connection 0x277e7fa9930
    2022-05-01T11:30:25.994Z [ 7084: 7184] D Created context for flowId=8328
    2022-05-01T11:30:25.994Z [ 7084: 7184] D Looking up IP: 2a00:1450:4009:817::2003
    2022-05-01T11:30:25.995Z [ 7084:11124] I [check-ip] connection:0x277e7fa9930 ip:2a00:1450:4009:817::2003 flowId:8328 decision:continue
    2022-05-01T11:30:25.996Z [ 7084:11124] I [clienthello] connection:0x277e7fa9930 sni:www.google.co.uk flowId:8328 decision:nodecrypt
    2022-05-01T11:30:25.996Z [ 7084:11124] D Client Hello SNI lookup: www.google.co.uk - allow=true, offload=false, nodecrypt=1
    2022-05-01T11:30:25.996Z [ 7084:11124] D Client Hello - Processing WebControl policy
    2022-05-01T11:30:25.996Z [ 7084:11124] D Lookup URL www.google.co.uk
    2022-05-01T11:30:25.997Z [ 7084:11124] I [request] connection: 0x277e7fa9930 url:www.google.co.uk flowId:8328 decision:allowed riskLevel:2 universalCategory:42
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace apply()
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace !checkSiteList() category=42 risk=unknown domain=www.google.co.uk path= query= remoteIp=2a00:1450:4009:817::2003
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace   - NOT found in local site list
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace determinefileClass()
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace   - filetype=text/plain path=
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace   - using filetype text/plain
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace   - using fileclass <nil>
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace   - category=42 risk=unknown domain=www.google.co.uk path= query= method= uri=www.google.co.uk filetype=text/plain fileclass=nil response_content_type= user=unknown ip= blockOnSxlFailure=false epoch=1651404625 time=12:30 wday=1 mcs_endpoint_id=-1
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace getPolicy()
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace   - checking if policy [Base Policy] matched
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace   - policy [Base Policy] added as a candidate
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace Scanning with categoryscanner
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace   - use action from policy [Base Policy]
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace   - scan result is [allow]
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace Scanning with filetypescanner
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace   - fileclass is nil; skipping filetype scan
    2022-05-01T11:30:25.997Z [ 7084:11124] D WebControl::trace   - scan result is [pass]
    2022-05-01T11:30:25.998Z [ 7084:11124] D WebControl::trace   - result: allow
    2022-05-01T11:30:25.998Z [ 7084:11124] D WebControl::trace   - use web monitoring from policy [Base Policy]
    2022-05-01T11:30:25.998Z [ 7084:11124] D WebControl::trace Result: action=allow policy=[Base Policy] reason=category mute_swa_log=false mute_allow_events=true
    2022-05-01T11:30:25.998Z [ 7084:11124] D WebControl::PolicyEvaluator::determineResponseAction: memoryUsed=0 memoryPeak=0
    2022-05-01T11:30:25.998Z [ 7084:11124] I page allowed: www.google.co.uk
    2022-05-01T11:30:26.038Z [ 7084: 7184] D Got Pending Close flowId=8328 flags=1073741824
    2022-05-01T11:30:26.038Z [ 7084: 7176] D Erasing context for flowId=8328
    2022-05-01T11:30:26.038Z [ 7084: 7176] D Storing web flow journal event for 13295878225-8328. Number of certs stored: 0
    2022-05-01T11:30:26.038Z [ 7084: 7176] I [webengine] Closing connection 0x277e7fa9930 for 'www.google.co.uk': request=1601b, response=786b, lifetime=43ms, firstResponse=26ms, businessLogicDelay=0ms, timeInCache=0ms, in=26ms, out=43ms
    2022-05-01T11:30:26.057Z [ 7084: 7184] I [webengine] New connection 0x277e7fa9390
    2022-05-01T11:30:26.057Z [ 7084: 7184] D Created context for flowId=8329
    2022-05-01T11:30:26.057Z [ 7084: 7184] D Looking up IP: 2a00:1450:4009:817::2003
    2022-05-01T11:30:26.058Z [ 7084:11124] I [check-ip] connection:0x277e7fa9390 ip:2a00:1450:4009:817::2003 flowId:8329 decision:continue
    2022-05-01T11:30:26.059Z [ 7084:11124] I [clienthello] connection:0x277e7fa9390 sni:www.google.co.uk flowId:8329 decision:nodecrypt
    2022-05-01T11:30:26.059Z [ 7084:11124] D Client Hello SNI lookup: www.google.co.uk - allow=true, offload=false, nodecrypt=1
    2022-05-01T11:30:26.059Z [ 7084:11124] D Client Hello - Processing WebControl policy
    2022-05-01T11:30:26.059Z [ 7084:11124] D Lookup URL www.google.co.uk
    2022-05-01T11:30:26.059Z [ 7084:11124] I [request] connection: 0x277e7fa9390 url:www.google.co.uk flowId:8329 decision:allowed riskLevel:2 universalCategory:42
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace apply()
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace !checkSiteList() category=42 risk=unknown domain=www.google.co.uk path= query= remoteIp=2a00:1450:4009:817::2003
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace   - NOT found in local site list
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace determinefileClass()
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace   - filetype=text/plain path=
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace   - using filetype text/plain
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace   - using fileclass <nil>
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace   - category=42 risk=unknown domain=www.google.co.uk path= query= method= uri=www.google.co.uk filetype=text/plain fileclass=nil response_content_type= user=unknown ip= blockOnSxlFailure=false epoch=1651404626 time=12:30 wday=1 mcs_endpoint_id=-1
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace getPolicy()
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace   - checking if policy [Base Policy] matched
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace   - policy [Base Policy] added as a candidate
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace Scanning with categoryscanner
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace   - use action from policy [Base Policy]
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace   - scan result is [allow]
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace Scanning with filetypescanner
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace   - fileclass is nil; skipping filetype scan
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace   - scan result is [pass]
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace   - result: allow
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace   - use web monitoring from policy [Base Policy]
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::trace Result: action=allow policy=[Base Policy] reason=category mute_swa_log=false mute_allow_events=true
    2022-05-01T11:30:26.060Z [ 7084:11124] D WebControl::PolicyEvaluator::determineResponseAction: memoryUsed=0 memoryPeak=0
    2022-05-01T11:30:26.060Z [ 7084:11124] I page allowed: www.google.co.uk
    2022-05-01T11:30:26.099Z [ 7084: 7184] D Got Pending Close flowId=8329 flags=1073741824
    2022-05-01T11:30:26.099Z [ 7084: 7176] D Erasing context for flowId=8329
    2022-05-01T11:30:26.099Z [ 7084: 7176] D Storing web flow journal event for 13295878226-8329. Number of certs stored: 0
    2022-05-01T11:30:26.100Z [ 7084: 7176] I [webengine] Closing connection 0x277e7fa9390 for 'www.google.co.uk': request=1601b, response=786b, lifetime=42ms, firstResponse=25ms, businessLogicDelay=0ms, timeInCache=0ms, in=25ms, out=41ms
    2022-05-01T11:30:26.170Z [ 7084: 7184] I [webengine] New connection 0x277e7fa98d0
    2022-05-01T11:30:26.170Z [ 7084: 7184] D Created context for flowId=8338
    2022-05-01T11:30:26.170Z [ 7084: 7184] D Looking up IP: 2600:1901:0:38d7::
    2022-05-01T11:30:26.171Z [ 7084: 7184] D Lookup URL http://detectportal.firefox.com/canonical.html
    2022-05-01T11:30:26.190Z [ 7084: 7184] D  XXX Scan Content 90 bytes for http://detectportal.firefox.com/canonical.html
    2022-05-01T11:30:26.191Z [ 7084: 7184] D Scanning 90 bytes of uri 'http://detectportal.firefox.com/canonical.html'
    2022-05-01T11:30:26.313Z [ 7084:11124] I [request] connection: 0x277e7fa98d0 url:http://detectportal.firefox.com/canonical.html flowId:8338 decision:allowed riskLevel:2 universalCategory:8
    2022-05-01T11:30:26.313Z [ 7084:11124] D WebControl::trace apply()
    2022-05-01T11:30:26.313Z [ 7084:11124] D WebControl::trace !checkSiteList() category=8 risk=unknown domain=detectportal.firefox.com path=canonical.html query= remoteIp=2600:1901:0:38d7::
    2022-05-01T11:30:26.313Z [ 7084:11124] D WebControl::trace   - NOT found in local site list
    2022-05-01T11:30:26.313Z [ 7084:11124] D WebControl::trace determinefileClass()
    2022-05-01T11:30:26.313Z [ 7084:11124] D WebControl::trace   - filetype=text/plain path=canonical.html
    2022-05-01T11:30:26.313Z [ 7084:11124] D WebControl::trace   - found file extension .html
    2022-05-01T11:30:26.313Z [ 7084:11124] D WebControl::trace   - using filetype text/plain
    2022-05-01T11:30:26.313Z [ 7084:11124] D WebControl::trace   - using fileclass <nil>
    2022-05-01T11:30:26.313Z [ 7084:11124] D WebControl::trace   - category=8 risk=unknown domain=detectportal.firefox.com path=canonical.html query= method=GET uri=http://detectportal.firefox.com/canonical.html filetype=text/plain fileclass=nil response_content_type=text/html user=unknown ip= blockOnSxlFailure=false epoch=1651404626 time=12:30 wday=1 mcs_endpoint_id=-1
    2022-05-01T11:30:26.313Z [ 7084:11124] D WebControl::trace getPolicy()
    2022-05-01T11:30:26.313Z [ 7084:11124] D WebControl::trace   - checking if policy [Base Policy] matched
    2022-05-01T11:30:26.313Z [ 7084:11124] D WebControl::trace   - policy [Base Policy] added as a candidate
    2022-05-01T11:30:26.314Z [ 7084:11124] D WebControl::trace Scanning with categoryscanner
    2022-05-01T11:30:26.314Z [ 7084:11124] D WebControl::trace   - use action from policy [Base Policy]
    2022-05-01T11:30:26.314Z [ 7084:11124] D WebControl::trace   - scan result is [allow]
    2022-05-01T11:30:26.314Z [ 7084:11124] D WebControl::trace Scanning with filetypescanner
    2022-05-01T11:30:26.314Z [ 7084:11124] D WebControl::trace   - fileclass is nil; skipping filetype scan
    2022-05-01T11:30:26.314Z [ 7084:11124] D WebControl::trace   - scan result is [pass]
    2022-05-01T11:30:26.314Z [ 7084:11124] D WebControl::trace   - result: allow
    2022-05-01T11:30:26.314Z [ 7084:11124] D WebControl::trace   - use web monitoring from policy [Base Policy]
    2022-05-01T11:30:26.314Z [ 7084:11124] D WebControl::trace Result: action=allow policy=[Base Policy] reason=category mute_swa_log=false mute_allow_events=true
    2022-05-01T11:30:26.314Z [ 7084:11124] D WebControl::PolicyEvaluator::determineResponseAction: memoryUsed=0 memoryPeak=0
    2022-05-01T11:30:26.314Z [ 7084:11124] I page allowed: http://detectportal.firefox.com/canonical.html
    2022-05-01T11:30:26.314Z [ 7084:11124] I [check-ip] connection:0x277e7fa98d0 ip:2600:1901:0:38d7:: flowId:8338 decision:continue
    2022-05-01T11:30:26.356Z [ 7084:11124] I [scan] connection:0x277e7fa98d0 url:http://detectportal.firefox.com/canonical.html flowId:8338 decision:allowed
    2022-05-01T11:30:26.356Z [ 7084:11124] D Allowing access to clean content, uri 'http://detectportal.firefox.com/canonical.html'
    2022-05-01T11:30:26.377Z [ 7084: 7184] I [webengine] New connection 0x277e7fa9330
    2022-05-01T11:30:26.377Z [ 7084: 7184] D Created context for flowId=8345
    2022-05-01T11:30:26.378Z [ 7084: 7184] D Looking up IP: 34.107.221.82
    2022-05-01T11:30:26.378Z [ 7084: 7184] D Lookup URL http://detectportal.firefox.com/success.txt?ipv4
    2022-05-01T11:30:26.379Z [ 7084:11124] I [request] connection: 0x277e7fa9330 url:http://detectportal.firefox.com/success.txt?ipv4 flowId:8345 decision:allowed riskLevel:2 universalCategory:8
    2022-05-01T11:30:26.380Z [ 7084: 7184] I [webengine] New connection 0x277e7fa9810
    2022-05-01T11:30:26.380Z [ 7084: 7184] D Created context for flowId=8346
    2022-05-01T11:30:26.380Z [ 7084: 7184] D Looking up IP: 2600:1901:0:38d7::
    2022-05-01T11:30:26.380Z [ 7084: 7184] D Lookup URL http://detectportal.firefox.com/success.txt?ipv6
    2022-05-01T11:30:26.380Z [ 7084:11124] I [check-ip] connection:0x277e7fa9810 ip:2600:1901:0:38d7:: flowId:8346 decision:continue
    2022-05-01T11:30:26.381Z [ 7084:11124] I [request] connection: 0x277e7fa9810 url:http://detectportal.firefox.com/success.txt?ipv6 flowId:8346 decision:allowed riskLevel:2 universalCategory:8
    2022-05-01T11:30:26.396Z [ 7084: 7184] D  XXX Scan Content 8 bytes for http://detectportal.firefox.com/success.txt?ipv4
    2022-05-01T11:30:26.396Z [ 7084: 7184] D Scanning 8 bytes of uri 'http://detectportal.firefox.com/success.txt?ipv4'
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace apply()
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace !checkSiteList() category=8 risk=unknown domain=detectportal.firefox.com path=success.txt query=ipv4 remoteIp=34.107.221.82
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace   - NOT found in local site list
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace determinefileClass()
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace   - filetype=text/plain path=success.txt
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace   - found file extension .txt
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace   - using filetype text/plain
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace   - using fileclass <nil>
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace   - category=8 risk=unknown domain=detectportal.firefox.com path=success.txt query=ipv4 method=GET uri=http://detectportal.firefox.com/success.txt?ipv4 filetype=text/plain fileclass=nil response_content_type=text/plain user=unknown ip= blockOnSxlFailure=false epoch=1651404626 time=12:30 wday=1 mcs_endpoint_id=-1
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace getPolicy()
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace   - checking if policy [Base Policy] matched
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace   - policy [Base Policy] added as a candidate
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace Scanning with categoryscanner
    2022-05-01T11:30:26.396Z [ 7084: 7184] D WebControl::trace   - use action from policy [Base Policy]
    2022-05-01T11:30:26.397Z [ 7084: 7184] D WebControl::trace   - scan result is [allow]
    2022-05-01T11:30:26.397Z [ 7084: 7184] D WebControl::trace Scanning with filetypescanner
    2022-05-01T11:30:26.397Z [ 7084: 7184] D WebControl::trace   - fileclass is nil; skipping filetype scan
    2022-05-01T11:30:26.397Z [ 7084: 7184] D WebControl::trace   - scan result is [pass]
    2022-05-01T11:30:26.397Z [ 7084: 7184] D WebControl::trace   - result: allow
    2022-05-01T11:30:26.397Z [ 7084: 7184] D WebControl::trace   - use web monitoring from policy [Base Policy]
    2022-05-01T11:30:26.397Z [ 7084: 7184] D WebControl::trace Result: action=allow policy=[Base Policy] reason=category mute_swa_log=false mute_allow_events=true
    2022-05-01T11:30:26.397Z [ 7084: 7184] D WebControl::PolicyEvaluator::determineResponseAction: memoryUsed=0 memoryPeak=0
    2022-05-01T11:30:26.397Z [ 7084: 7184] I page allowed: http://detectportal.firefox.com/success.txt?ipv4
    2022-05-01T11:30:26.397Z [ 7084: 7184] D  XXX Scan Content 8 bytes for http://detectportal.firefox.com/success.txt?ipv6
    2022-05-01T11:30:26.397Z [ 7084: 7184] D Scanning 8 bytes of uri 'http://detectportal.firefox.com/success.txt?ipv6'
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace apply()
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace !checkSiteList() category=8 risk=unknown domain=detectportal.firefox.com path=success.txt query=ipv6 remoteIp=2600:1901:0:38d7::
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - NOT found in local site list
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace determinefileClass()
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - filetype=text/plain path=success.txt
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - found file extension .txt
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - using filetype text/plain
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - using fileclass <nil>
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - category=8 risk=unknown domain=detectportal.firefox.com path=success.txt query=ipv6 method=GET uri=http://detectportal.firefox.com/success.txt?ipv6 filetype=text/plain fileclass=nil response_content_type=text/plain user=unknown ip= blockOnSxlFailure=false epoch=1651404626 time=12:30 wday=1 mcs_endpoint_id=-1
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace getPolicy()
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - checking if policy [Base Policy] matched
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - policy [Base Policy] added as a candidate
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace Scanning with categoryscanner
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - use action from policy [Base Policy]
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - scan result is [allow]
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace Scanning with filetypescanner
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - fileclass is nil; skipping filetype scan
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - scan result is [pass]
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - result: allow
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace   - use web monitoring from policy [Base Policy]
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::trace Result: action=allow policy=[Base Policy] reason=category mute_swa_log=false mute_allow_events=true
    2022-05-01T11:30:26.398Z [ 7084: 7184] D WebControl::PolicyEvaluator::determineResponseAction: memoryUsed=0 memoryPeak=0
    2022-05-01T11:30:26.398Z [ 7084: 7184] I page allowed: http://detectportal.firefox.com/success.txt?ipv6
    2022-05-01T11:30:26.398Z [ 7084:11124] I [scan] connection:0x277e7fa9330 url:http://detectportal.firefox.com/success.txt?ipv4 flowId:8345 decision:allowed
    2022-05-01T11:30:26.399Z [ 7084:11124] D Allowing access to clean content, uri 'http://detectportal.firefox.com/success.txt?ipv4'
    2022-05-01T11:30:26.399Z [ 7084:11124] I [scan] connection:0x277e7fa9810 url:http://detectportal.firefox.com/success.txt?ipv6 flowId:8346 decision:allowed
    2022-05-01T11:30:26.399Z [ 7084:11124] D Allowing access to clean content, uri 'http://detectportal.firefox.com/success.txt?ipv6'
    2022-05-01T11:30:26.408Z [ 7084:11124] I [check-ip] connection:0x277e7fa9330 ip:34.107.221.82 flowId:8345 decision:continue
    2022-05-01T11:30:27.239Z [ 7084: 7184] I [webengine] New connection 0x277e7fa94b0
    2022-05-01T11:30:27.240Z [ 7084: 7184] D Created context for flowId=8347
    2022-05-01T11:30:27.240Z [ 7084: 7184] I [webengine] New connection 0x277e7fa93f0
    2022-05-01T11:30:27.240Z [ 7084: 7184] D Created context for flowId=8348
    2022-05-01T11:30:27.240Z [ 7084: 7184] D Looking up IP: 127.0.0.1
    2022-05-01T11:30:27.241Z [ 7084:11124] I [check-ip] connection:0x277e7fa93f0 ip:127.0.0.1 flowId:8348 decision:continue
    2022-05-01T11:30:50.694Z [ 7084: 7184] I [webengine] New connection 0x277e7fa96f0
    2022-05-01T11:30:50.694Z [ 7084: 7184] D Created context for flowId=8363
    2022-05-01T11:30:50.695Z [ 7084: 7184] I [webengine] New connection 0x277e7fa9930
    2022-05-01T11:30:50.695Z [ 7084: 7184] D Created context for flowId=8364
    2022-05-01T11:30:50.695Z [ 7084: 7184] D Looking up IP: 127.0.0.1
    2022-05-01T11:30:50.695Z [ 7084:11124] I [check-ip] connection:0x277e7fa9930 ip:127.0.0.1 flowId:8364 decision:continue
    2022-05-01T11:30:59.504Z [ 7084: 7184] D  request disconnect flowId=7220 side=0 flags=589824
    2022-05-01T11:30:59.519Z [ 7084: 7184] D  request disconnect flowId=7220 side=1 flags=5
    2022-05-01T11:30:59.520Z [ 7084: 7184] D Got Pending Close flowId=7220 flags=1073741824
    2022-05-01T11:30:59.520Z [ 7084: 7176] D Erasing context for flowId=7220
    2022-05-01T11:30:59.520Z [ 7084: 7176] D Storing web flow journal event for 13295877833-7220. Number of certs stored: 0
    2022-05-01T11:30:59.520Z [ 7084: 7176] I [webengine] Closing connection 0x277e80700e0 for 'www.ft.com': request=367119b, response=923178b, lifetime=425592ms, firstResponse=25ms, businessLogicDelay=0ms, timeInCache=3ms, in=25ms, out=425591ms, l.eos=425576ms, r.eos=425592ms
    PS C:\>

  • You say:

     "SophosNetFilter.exe in Task Manager seems to have a stable Process ID number across incldences of the bug."  

    I suspect the PID to be the same when in the broken state as you perhaps refresh the page each time.

    It is my understanding that from the error state, if you close Firefox and re-open it, all is well for some time.

    What is the PID for SophosNetFilter.exe at this time when Firefox is restart and OK?

    Then you use the Firefox for a while without issue, then out of the blue it fails.  What is the PID of SophosNetFilter.exe then when it's failing?  Is it different?

    It maybe there are 2 issues here but I just want to rule out that the SophosNetFilter.exe process isn't restarting during the transition from OK to FAIL state when browsing.

  • SophosNetFilter.exe PID in Task Manager has been stable (7084) for at least the past hour I’ve been looking at it.

     

    It remains the same all the time - 

    - when I start Firefox

    - when Google works for a few mins

    - when Google fails

    - when I restart Firefox, Google works again

    (alternatively, wait a few mins in Firefox, without restarting, and Google works again).

  • Just to say I have given up and used System Restore to get back to my previous local Endpoint set-up.

    There is a thread here about a similar/ same(?) problem where a Sophos engineer says that a fix has been identified internally and rollout is a couple of months away (but this was 2 months ago). 

    community.sophos.com/.../sec_error_reused_issuer_and_serial-error-when-using-decrypt-https-websites-using-ssl-tls-in-eap-using-firefox

  • Thank you for this Sophos internal piece. I will share it with my Sophos Support case person.

  • Thanks for this, that would suggest that there could be 2 issues with the same outcome.  The case of the process restarting will be less common, all is well but could happen as the component is updated as mentioned.