Web Protection makes non-blocked domain time out

I'm having an odd issue with Web Protection causing a website to time out and never load.

The Web Protection log shows it passing the website.

Yet the website won't load. However, if I disable the Web Protection module, the website then loads. So it seems Web Protection is still interfering somehow.

Here's a packet capture of a session when I tried to load the site.

I tried whitelisting the domain in Web Protection, but the issue remains.

EDIT: I'm running UTM version 9.509-3.

  • Hi - your first post here - welcome to the UTM Community!

    Some web servers just don't like proxies, so you may need to skip the Proxy for this site, although I had no problem with it loading completely. Since this is a state government site, one would hope that they have excellent security, so you might try an Exception for antivirus before configuring a skip. I would also try a different browser and/or a different PC. Please let us know your result.

    Cheers - Bob

  • In my observation, most major websites have embedded components from unrelated sources. I would check the web filtering logs for something getting blocked by category, and the intrusion protection logs for something getting blocked by IPS. IPS blocks should also produce a webfilter log entry of timeout (502 if I remember correctly), but only after a delay of up to two minutes. I don't think I have ever seen a timeout where the only status code is 200.

  • In reply to DouglasFoster:

    On further consideration, neither Bob's theory (AntiVirus) nor mine (IPS) fits your situation. Since the connection is using HTTPS without inspection, these defenses would be inactive.

    Suggest you activate HTTPS inspection, and see if the additional logging gives you insight into the real problem.

  • In reply to BAlfson:

    Thanks for the welcome and the suggestions!

    I have the same issue accessing the site from another browser and another PC. The only difference is that a tracert from the one PC to the domain traces the request a number of hops before timeouts, while the other PC gets nothing at all (the former result matches a tracert directly from the UTM, incidentally).

    An antivirus exception didn't work, but adding the site to the Skiplist did allow it to load.

  • In reply to DouglasFoster:

    Thanks for the suggestions. Before switching to HTTPS scanning I didn't see anything else from the Web Filter, Firewall, or IPS logs.

    Below are the results from the Web Filter log after I switched HTTPS scanning from "URL filtering only" to "Decrypt and scan".

  • In reply to Usermin:

    If the "504" on oplates.com isn't resolved with an Exception for antivirus, skipping the Proxy is usually the only solution.

    Cheers - Bob

  • In reply to Usermin:

    I just noticed that you have several URLs with a second URL embedded in the query string. There have been other discussions in this forum indicating that this causes problems for the webfilter. If you have support, check with them for a bug number and to get on the notification list if it is going to be fixed.