
This site can’t be reached after the Decrypt and scan function is enabled

Hi,

When I enable the "Decrypt and scan" function in the firewall, some websites show an error message.

This site can’t be reached

www.hotel-icon.com unexpectedly closed the connection.

Try:

  • Checking the connection
  • Checking the proxy and the firewall
  • Running Windows Network Diagnostics
ERR_CONNECTION_CLOSED

If I switch back to "URL filtering only", the website works again. Surely, the Local LAN Setting of the proxy is set to "Automatic".

After checking the log, the website shows "pass" in the "Decrypt and scan" function. Someone in this community had the same problem before, but with no result. Who can teach me how to fix it?

Log:

2018:12:14-11:49:06  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" dstip="101.100.216.166" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdf04a000" url="https://www.hotel-icon.com/" referer="" error="" authtime="0" dnstime="3" cattime="148" avscantime="0" fullreqtime="86089" device="0" auth="0" ua="" exceptions=""
2018:12:14-11:49:06  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" dstip="101.100.216.166" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe20cb800" url="https://www.hotel-icon.com/" referer="" error="" authtime="0" dnstime="1" cattime="49" avscantime="0" fullreqtime="87066" device="0" auth="0" ua="" exceptions=""
2018:12:14-11:49:06  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" dstip="101.100.216.166" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xde0f7800" url="https://www.hotel-icon.com/" referer="" error="" authtime="0" dnstime="3" cattime="75" avscantime="0" fullreqtime="77334" device="0" auth="0" ua="" exceptions=""


At the same time, I found that some free music websites can be entered but can't play the music with JavaScript. Also, the log shows "pass".

Log:

2018:12:14-12:57:10 httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" dstip="54.39.176.86" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdf875000" url="https://www.bensound.org/" referer="" error="" authtime="0" dnstime="2" cattime="119" avscantime="0" fullreqtime="442144" device="0" auth="0" ua="" exceptions="" category="111" reputation="neutral" categoryname="Education/Reference"
2018:12:14-12:57:10 httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" dstip="54.39.176.86" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe188e000" url="https://www.bensound.org/" referer="" error="" authtime="0" dnstime="1" cattime="95" avscantime="0" fullreqtime="444409" device="0" auth="0" ua="" exceptions="" category="111" reputation="neutral" categoryname="Education/Reference"

Thanks, Thanks and Thanks



  • I would have expected to see something else in the logs.  What happens if you make an Exception for SSL scanning for ^https://www.hotel-icon.com/

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    When I add it to the Exception for SSL scanning, it works!!!

    But the websites "https://www.bensound.com" and https://web.whatsapp.com are not working with this "Exception" method, even though it skips all checks.

    The "bensound" website can't play the music and the "web.whatsapp" website can't generate the QR CODE or connect when "Decrypt and scan" is enabled.

    (I already added a whitelist "^https?://[A-Za-z0-9.-]*\.whatsapp\.com/ws")

    Here is the WhatsApp log:

    018:12:15-12:28:52 httpproxy[13789]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.77.192.196" dstip="31.13.95.63" user="" ad_domain="" statuscode="504" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2537" request="0xe1971000" url="https://web.whatsapp.com/ws" referer="" error="Timeout while reading response from Server" authtime="0" dnstime="0" cattime="116" avscantime="0" fullreqtime="61167990" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) WhatsApp/0.3.1649 Chrome/66.0.3359.181 Electron/3.0.0 Safari/537.36" exceptions="" reputation="trusted" category="122" reputation="trusted" categoryname="Instant Messaging" application="whatsapp" app-id="598"

  • Have you grabbed EVERYTHING from the source IP during that time period?   Most commercial sites use content from unrelated locations, and failure to access embedded content can cause problems also.   Without everything related to the source IP, you do not know if the secondary content loaded correctly or not.

    Normally, I see one of these:

    • Block with status 407 - authentication request.   UTM is asking the browser to provide user credentials.   This is normally satisfied by the browser, and a subsequent query passes, so it is only an error if the subsequent attempts always fail.
    • Block with error="connection refused".   The other end decided that it did not want to talk to you.   It may mean it could not negotiate an encryption configuration with UTM.  I have seen this recently with webservers that have dropped support for all of the older encryption configurations.
    • Block with error="".   UTM refused the connection because the server has problems with its certificate chain.   Usually a missing intermediate certificate.
    • Block with statuscode or error indicating a "timeout".    Check the IPS log to see if it blocked the webserver's reply.   Of course, it could also mean that the webserver is no longer reachable.
    • Block with an error message indicating a problem with category or reputation.   UTM is doing what you asked it to do.

    I do not think I have ever seen a status=200 and action=pass when the server has thrown an error.   That is why I think you are missing a log entry. 
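To make the triage list above mechanical, here is an added example (my own code, not from this thread or from Sophos) that parses httpproxy lines of the format quoted in this thread and assigns each one of the classes listed; the class names, the order of the checks and the three invented block lines (192.0.2.x, example.test) are my assumptions.

```python
import re

# key="value" fields; values may contain spaces and parentheses but never a double quote
_KV = re.compile(r'(\S+?)="([^"]*)"')

def parse_httpproxy_line(line):
    """Return the key="value" fields of one httpproxy line as a dict.
    A key that appears twice (the thread's lines carry reputation= twice) keeps its last value."""
    return dict(_KV.findall(line))

def classify(fields):
    """Map one parsed entry onto the failure classes listed in the post above.
    Check order and class names are constructed for this example, not UTM terminology."""
    status = fields.get("statuscode", "")
    error = fields.get("error", "").lower()
    if fields.get("action") == "pass":
        return "pass"               # if the browser still errored, a second entry is missing
    if status == "407":
        return "auth-challenge"     # proxy asked for credentials; a problem only if it repeats
    if "connection refused" in error:
        return "server-refused"     # remote end would not talk to UTM (often TLS negotiation)
    if status == "504" or "timeout" in error:
        return "timeout-check-ips"  # check the IPS log for a dropped server reply
    if "category" in error or "reputation" in error:
        return "policy-block"       # UTM did what the policy asked
    if error == "":
        return "cert-chain"         # block with an empty error: server certificate chain problem
    return "other-block"

def triage_log(text):
    """Parse every non-empty line and attach its class plus the fields a reviewer asks about."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_httpproxy_line(line)
        rows.append({"srcip": f.get("srcip", ""), "url": f.get("url", ""),
                     "class": classify(f), "exceptions": f.get("exceptions", ""),
                     "fullreqtime": int(f.get("fullreqtime") or 0)})
    return rows

def by_source(rows, srcip):
    """Everything one client did, since embedded content from other hosts may be the real failure."""
    return [r for r in rows if r["srcip"] == srcip]

# Constructed sample: lines 1 and 2 are trimmed copies of entries quoted in this thread,
# lines 3 to 5 are invented blocks (192.0.2.x, example.test) covering the remaining classes.
SAMPLE_LOG = """\
2018:12:15-12:28:52 httpproxy[13789]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.77.192.196" dstip="31.13.95.63" statuscode="504" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" url="https://web.whatsapp.com/ws" error="Timeout while reading response from Server" fullreqtime="61167990" exceptions="" reputation="trusted" category="122" reputation="trusted"
2018:12:17-09:41:17 httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.77.192.196" dstip="169.60.79.31" statuscode="400" url="w3.web.whatsapp.com/ws" error="" fullreqtime="228510" exceptions="ssl"
2018:12:15-12:30:00 httpproxy[13789]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.77.192.90" dstip="192.0.2.10" statuscode="407" url="https://example.test/" error="" fullreqtime="12" exceptions=""
2018:12:15-12:30:01 httpproxy[13789]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.77.192.90" dstip="192.0.2.11" statuscode="502" url="https://cdn.example.test/" error="connection refused" fullreqtime="3400" exceptions=""
2018:12:15-12:30:02 httpproxy[13789]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.77.192.90" dstip="192.0.2.12" statuscode="502" url="https://img.example.test/" error="" fullreqtime="2100" exceptions=""
"""

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f'{r["class"]:18} exceptions={r["exceptions"]!r:6} fullreqtime={r["fullreqtime"]:>9} {r["url"]}')
```

Run it over a full export for one source IP (by_source) rather than a single line, which is the point of the post above.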

  • When you see statuscode="504", if an exception for SSL Scanning doesn't solve the problem, you will have to skip the Proxy for the access.  fullreqtime="61167990" is another indication that whatsapp isn't "happy" being proxied with scanning active - we also see exceptions="", so there's something amiss with any Exception you created for this access.

    Cheers - Bob

     
  • BAlfson said:

    When you see statuscode="504", if an exception for SSL Scanning doesn't solve the problem, you will have to skip the Proxy for the access.  fullreqtime="61167990" is another indication that whatsapp isn't "happy" being proxied with scanning active - we also see exceptions="", so there's something amiss with any Exception you created for this access.

    Cheers - Bob


    Hi Bob, 

    Where in UTM do I set "skip the Proxy for the access"?


    The following is my setting:

    (Exceptions Setting)


    Error:

    (The QR Code can't be Generated)


    Log (From 09:41:17 to 09:44:58, all related to whatsapp):

    2018:12:17-09:41:17  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.77.192.196" dstip="169.60.79.31" user="" ad_domain="" statuscode="400" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xca5e6000" url="w3.web.whatsapp.com/ws" referer="" error="" authtime="0" dnstime="0" cattime="129" avscantime="0" fullreqtime="228510" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" exceptions="ssl" reputation="neutral" category="122" reputation="neutral" categoryname="Instant Messaging"


    2018:12:17-09:41:18  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.77.192.196" dstip="169.44.82.118" user="" ad_domain="" statuscode="400" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xd3c34800" url="w4.web.whatsapp.com/ws" referer="" error="" authtime="0" dnstime="0" cattime="88" avscantime="0" fullreqtime="184984" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" exceptions="ssl" reputation="neutral" category="122" reputation="neutral" categoryname="Instant Messaging"


    2018:12:17-09:41:22  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.77.192.196" dstip="158.85.224.171" user="" ad_domain="" statuscode="400" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe177d800" url="w5.web.whatsapp.com/ws" referer="" error="" authtime="0" dnstime="0" cattime="114" avscantime="0" fullreqtime="217695" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" exceptions="ssl" reputation="neutral" category="122" reputation="neutral" categoryname="Instant Messaging"


    2018:12:17-09:41:36  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.77.192.196" dstip="169.60.79.31" user="" ad_domain="" statuscode="400" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdecb8800" url="w6.web.whatsapp.com/ws" referer="" error="" authtime="0" dnstime="0" cattime="122" avscantime="0" fullreqtime="227099" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" exceptions="ssl" reputation="trusted" category="122" reputation="trusted" categoryname="Instant Messaging"


    2018:12:17-09:41:53  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.77.192.196" dstip="169.60.79.31" user="" ad_domain="" statuscode="400" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xd20b0000" url="w7.web.whatsapp.com/ws" referer="" error="" authtime="0" dnstime="0" cattime="75" avscantime="0" fullreqtime="215451" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" exceptions="ssl" reputation="trusted" category="122" reputation="trusted" categoryname="Instant Messaging"


    2018:12:17-09:42:22  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.77.192.196" dstip="169.60.79.31" user="" ad_domain="" statuscode="400" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe1faa000" url="w8.web.whatsapp.com/ws" referer="" error="" authtime="0" dnstime="0" cattime="89" avscantime="0" fullreqtime="227029" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" exceptions="ssl" reputation="trusted" category="122" reputation="trusted" categoryname="Instant Messaging"


    2018:12:17-09:43:01  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.77.192.196" dstip="169.60.79.31" user="" ad_domain="" statuscode="400" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdb27c800" url="w6.web.whatsapp.com/ws" referer="" error="" authtime="0" dnstime="0" cattime="143" avscantime="0" fullreqtime="227981" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" exceptions="ssl" reputation="trusted" category="122" reputation="trusted" categoryname="Instant Messaging"


    2018:12:17-09:43:03  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.77.192.196" dstip="169.60.79.31" user="" ad_domain="" statuscode="400" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe1ad1800" url="w7.web.whatsapp.com/ws" referer="" error="" authtime="0" dnstime="0" cattime="81" avscantime="0" fullreqtime="253313" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" exceptions="ssl" reputation="trusted" category="122" reputation="trusted" categoryname="Instant Messaging"


    2018:12:17-09:43:08  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.77.192.196" dstip="169.60.79.31" user="" ad_domain="" statuscode="400" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdf874000" url="w8.web.whatsapp.com/ws" referer="" error="" authtime="0" dnstime="0" cattime="81" avscantime="0" fullreqtime="281190" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" exceptions="ssl" reputation="trusted" category="122" reputation="trusted" categoryname="Instant Messaging"


    2018:12:17-09:43:37  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.77.192.196" dstip="158.85.224.174" user="" ad_domain="" statuscode="400" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdbe47000" url="w2.web.whatsapp.com/ws" referer="" error="" authtime="0" dnstime="0" cattime="101" avscantime="0" fullreqtime="201452" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" exceptions="ssl" reputation="trusted" category="122" reputation="trusted" categoryname="Instant Messaging"


    2018:12:17-09:44:09  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.77.192.196" dstip="169.60.79.31" user="" ad_domain="" statuscode="400" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xda442000" url="w3.web.whatsapp.com/ws" referer="" error="" authtime="0" dnstime="0" cattime="147" avscantime="0" fullreqtime="215269" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" exceptions="ssl" reputation="neutral" category="122" reputation="neutral" categoryname="Instant Messaging"


    2018:12:17-09:44:58  httpproxy[13789]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.77.192.196" dstip="169.44.82.118" user="" ad_domain="" statuscode="400" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xddeb5000" url="w4.web.whatsapp.com/ws" referer="" error="" authtime="0" dnstime="0" cattime="145" avscantime="0" fullreqtime="202210" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" exceptions="ssl" reputation="neutral" category="122" reputation="neutral" categoryname="Instant Messaging"


    Thanks!

  • Hi All,

    I succeeded now!

    After adding all w(2-8).whatsapp.com to "Skip transparent mode destination hosts/nets", it returns to normal! Basically, I don't know why!

  • But then I would have to add every website one by one when it has the "This site can't be reached" warning. I will go crazy!

  • Edit 2019-01-04: As darrellr points out below, this REGEX can be improved.  See MichaelDunn's post just below darrellr's for the preferred syntax. - Thanks, guys!

    To skip SSL scanning for WhatsApp, Perry, the only thing you need in your Exceptions is the following:

    ^https?://[A-Za-z0-9.-]*whatsapp\.com

    This means the match starts at the beginning (^), is either http or https (?) and has zero-or-more (*) combinations of all of the characters inside the brackets ([]).  That will include all of the individual ones you listed.

    Cheers - Bob

     
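A quick check of what the two patterns quoted in this thread actually match, as an added example that is mine rather than Bob's or Sophos's; the look-alike hosts (example.test) and the third, tightened pattern are my own constructions, not the preferred syntax the edit note above refers to.

```python
import re

# The two patterns quoted in this thread: Perry's first whitelist and Bob's suggestion
PERRY_WS = re.compile(r"^https?://[A-Za-z0-9.-]*\.whatsapp\.com/ws")
BOB_ALL = re.compile(r"^https?://[A-Za-z0-9.-]*whatsapp\.com")
# My own tightening (assumption, not from the thread): labels before "whatsapp.com" must end
# in a dot, and nothing may follow the host except "/" or the end of the string.
TIGHT = re.compile(r"^https?://(?:[A-Za-z0-9-]+\.)*whatsapp\.com(?:/|$)")

# Constructed URLs: hosts from the thread's log plus two look-alikes (example.test) that an
# SSL-scanning exception should not cover.
URLS = [
    "https://web.whatsapp.com/ws",
    "https://w3.web.whatsapp.com/ws",
    "https://web.whatsapp.com/",           # no /ws path: outside Perry's whitelist
    "https://notwhatsapp.com/",            # Bob's pattern has no \. before whatsapp
    "https://whatsapp.com.example.test/",  # nothing in Bob's pattern ends the host after .com
]

def compare(urls=URLS):
    """Return {url: (perry, bob, tight)} match flags for each candidate URL."""
    return {u: tuple(p.search(u) is not None for p in (PERRY_WS, BOB_ALL, TIGHT)) for u in urls}

if __name__ == "__main__":
    for u, flags in compare().items():
        print(f"{u:38} perry={flags[0]!s:5} bob={flags[1]!s:5} tight={flags[2]!s:5}")
```

The two look-alike rows are the reason a regex exception deserves a test like this before it goes live: every host it matches is exempt from scanning.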
  • Hi Bob,

    Thank you for your teaching about the symbol. It is helpful for me.

  • UTM has multiple ways to specify an exception, and it is useful to learn all the options. 

    I do not like to use Regular Expressions unless absolutely necessary.  It is too easy to include matches that you do not want, or to exclude matches that you do want.   

    Most of my exceptions are at the organization level, as in this example, where you want to exclude *.whatsapp.com.   For these situations, website exceptions can be used to eliminate the need for regular expressions:

    Go to Web Protection... Filtering Options... Websites.

    • Click the [New] button
    • To exclude organizations:  Enter one or more domain names, such as "whatsapp.com", and check the box for "Include Subdomains"
    • To exclude specific host names:  Enter one or more FQDNs, and leave the box unchecked.
    • In the Website Tags box, create a new tag for "HTTPS Scanning Bypass" and verify that it appears in your selected tags list.
    • Save your changes.

    (This will actually create one object for each entry in the list, but you get to create them all at once.)

    Then Go to Web Protection... Exceptions...

    • Create a new exception
    • Check the box to exclude "SSL Scanning"
    • At the bottom, choose "Going to websites tagged as".   Use the folder icon to select the "HTTPS Scanning Bypass" tag that you created earlier.