No block pages being displayed when sites not allowed just https error page

The current web protection/control component at the endpoint only replaces the page for HTTP traffic as it doesn't do any man-in-the-middle for HTTPS.  For HTTPS, the domain name being accessed is obtained from SNI record in the handshake and used for the cloud lookups.  This result s used as the basis for the allow/block action. Without this inspection, it's not possible to inject a replacement page,

As far as I understand it, there is a new endpoint web protection feature being developed which is due to go into an EAP reasonable soon.  That will have full SSL inspection and then will be able to present a block/warn page for HTTPS in the browser.

The XG firewall can man-in-the-middle HTTPS traffic and can therefore present the user with in browser messaging.

It is a little tricky even then, you might have a domain good.com, which is responsible for all the content, apart from one URL which presents say a banner add. If you block that one banner image from being fetched, would you want to replace then entire page with a block or just prevent an image loading for the add.  In this case it feels like a silent block for that one main resource is the right thing to do,  Of course there is quite a spectrum of use cases for that.

Hope it helps.

The current web protection/control component at the endpoint only replaces the page for HTTP traffic as it doesn't do any man-in-the-middle for HTTPS.  For HTTPS, the domain name being accessed is obtained from SNI record in the handshake and used for the cloud lookups.  This result s used as the basis for the allow/block action. Without this inspection, it's not possible to inject a replacement page,

As far as I understand it, there is a new endpoint web protection feature being developed which is due to go into an EAP reasonable soon.  That will have full SSL inspection and then will be able to present a block/warn page for HTTPS in the browser.

The XG firewall can man-in-the-middle HTTPS traffic and can therefore present the user with in browser messaging.

It is a little tricky even then, you might have a domain good.com, which is responsible for all the content, apart from one URL which presents say a banner add. If you block that one banner image from being fetched, would you want to replace then entire page with a block or just prevent an image loading for the add.  In this case it feels like a silent block for that one main resource is the right thing to do,  Of course there is quite a spectrum of use cases for that.

Hope it helps.

I had to learn from Sophos User930 recently that Intercept-X is not capable of presenting a meaningful block message with https sites.

https://community.sophos.com/intercept-x-endpoint/f/discussions/124493/blocked-https-websites-only-show-ssl_error_rx_record_too_long-when-web-control-is-enabled

I wonder why this has not been fixed. This is really old-fashioned and hard to explain to users that this is "works as designed". And this is a high price Enterprise product - in fact I cannot really believe it.

Today I had to learn that not even XG firewall is capable of presenting a block page when it blocks an application (not a website). In fact this "application" is just a website request.

https://community.sophos.com/xg-firewall/f/discussions/126014/xg-blocks-application-without-block-message-only-pr_end_of_file_error-or-this-page-can-t-be-displayed

Sophos is at low level when it comes to blocking websites.

As I say, keep an eye on the upcoming endpoint EAP releases. The main thing is it blocks all the bad stuff. All events are logged in the UI and to a log file. Also looking forward to the next version of web protection/control.

Unfortunately I am finding out that Sophos lacks the fit and finish of a truly enterprise product.  The stuff works, but the follow through is just not there.