
Web filter allow everything only block malware

Hello, 

 

I have the UTM set up at home and would like to turn the web filter from "block everything and allow exceptions" to "allow everything and block certain things". Basically, all I need it for is to block malware on the network, but I noticed that filtering blocks a ton of things that I need to add exceptions for. I have the HTTPS scanning set up with certificates on all of the computers. Is there any way to do this?



  • If I'm correct, there's a category 'malware' that can be selected. If you just allow everything and only block malware in your web filtering profile, I think you are close already. When scanning and decrypting HTTPS, beware that you will keep maintaining exceptions, because there are some sites that simply don't work with a "man-in-the-middle".


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • If you still need help, post a representative line or two from the Web Filtering log file.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Quick Fix: You need to change your "Base Policy" from "Default Filter Block Action" to "Default Filter Action".

    This is found at "Web Protection... Web Filtering... Policies...", then click on "Base Policy" at the bottom of the window and change the property.

    BETTER:

    Clone this policy, study it, and tailor it to your situation. "Malware" is not a well-defined thing. 90% of your protection comes from not going to sites that might be hostile, 10% comes from detecting hostile content in the replies from the web servers that you do contact. Do you need content from Russia? If not, then block it. Do you need Weapons? If not, then block it.

    URLs are assigned to categories (their purpose) and reputation. I recommend configuring your policy to block reputation Suspicious and worse. I also block categories associated with unethical activity, from school cheating to software piracy to pornography. I also use country blocking, and create a web exception to exclude URL filtering when I need a specific site.

    You also need to know that your risk has almost nothing to do with which sites you request. Most of your sites will include content from domains whose name you do not recognize. Any site can be infected and attempt to redirect you to hostile sites invisibly.

    Finally, turn on IPS. It inspects web replies in ways that the standard web proxy does not. So you need both.

  • Yeah, this is how I have it set up, but that is exactly what is happening. Some sites/apps, especially on iPhone, don't work with HTTPS scanning turned on (even with the SSL certificate imported and root access turned on) without exceptions, and one app called CardNav shows nothing in the firewall or web filter log that is being blocked, but it does not work. It is a banking app that lets you manage your cards; it says "trying to establish a secure connection" and then it says "no internet available". I have to be on LTE to get it to go. UTM might be blocking a port?

  • Hello, 

    That is how I have the base policy set right now. The main issue seems to be the scan and decrypt that breaks websites, especially on the mobile devices.

     

    I will try your second suggestion and see if I can tailor it to more accurate filters. But as for blocking malware, I really want the UTM to act as a firewall (so I can block certain devices and such) and scan traffic, and if malware is found, block it. If it is unknown to it, I would like it to pass it through; I have local security on the endpoints and on the DNS side to handle those unknown files. The way my security is set up is as follows:

    DNS security = Comodo Dome

    Sophos UTM

    End point Security (with active sandbox to sandbox all unknown programs)

  • HTTPS scanning is a whole different set of issues.

    Clients need to have the UTM root certificate installed. Sites with certificate configuration errors will be blocked. Suggest disabling this feature for now.