This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web Protection makes non-blocked domain time out

I'm having an odd issue with Web Protection causing a website to time out and never load.

The Web Protection log shows it passing the website.

 

Yet the website won't load. However, if I disable the Web Protection module, the website then loads. So it seems Web Protection is still interfering somehow.

Here's a packet capture of a session when I tried to load the site.

I tried whitelisting the domain in Web Protection, but the issue remains.

EDIT: I'm running UTM version 9.509-3.



This thread was automatically locked due to age.
  • Hi - your first post here - welcome to the UTM Community!

    Some web servers just don't like proxies, so you may need to skip the Proxy for this site although I had no problem with it loading completely.  Since this is a state government site, one would hope that they have excellent security, so you might try an Exception for antivirus before configuring a skip.  I would also try a different browser and/or a different PC.  Please let us know your result.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • In my observation, most major websites have embedded components from unrelated sources.   I would check the web filtering logs for something getting blocked by category, and the intrusion protection logs for something getting blocked by IPS.   IPS blocks should also produce a webfilter log entry of timeout (502 if I remember correctly), but only after a delay of up to two minutes.   I don't think I have ever seen a timeout where the only statuscode is 200.

  • On further consideration, neither Bob's theory (AntiVirus) nor mine (IPS) fit your situation.   Since the connection is using https without inspection, these defenses would be inactive.

    Suggest you activate https inspection, and see if the additional logging gives you insight into the real problem.

  • Thanks for the welcome and the suggestions!

    I have the same issue accessing the site from another browser and another PC. The only difference is that a tracert from the one PC to the domain traces the request a number of hops before timeouts, while the other PC gets nothing at all (the former result matches a tracert directly from the UTM, incidentally).

    An antivirus exception didn't work, but adding the site to the Skiplist did allow it to load.

  • Thanks for the suggestions. Before switching to HTTPS scanning I didn't see anything else from the Web Filter, Firewall, or IPS logs.

    Below are the results from the Web Filter log after I switched HTTPS scanning from "URL filtering only" to "Decrypt and scan".

  • If the "504" on oplates.com isn't resolved with an Exception for antivirus, skipping the Proxy is usually the only solution.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I just noticed that you have several urls with a second url embededded in the query string.   There have been other discussions in this forum indicating that this causes problems for the webfilter.   If  you have support, check with them for a bug number and to get on the notification list if it is going to be fixed.

  • As it happens, an exception for antivirus didn't allow the site to load, but skipping the proxy does.

    Thank you for the help.

  • DouglasFoster said:

    I just noticed that you have several urls with a second url embededded in the query string.   There have been other discussions in this forum indicating that this causes problems for the webfilter.

    Hmm, I see a query with a second URL sent to ratings-wrs.symantec.com. Is that what you were seeing?

    As far as I can see, the log says this was passed. Or am I missing something?