
Problem with Webfilter not applying rules correctly

Hello Community.


I have a problem with the webfilter in Sophos UTM 9.4. For about a month we have seen a bug where our policy is not applied correctly. For example, an AD user was put in an AD security group which has access to the internet by a policy, for a test. We removed this user from the security group, and even after manually synchronizing with the AD he is still able to connect to the internet. This is independent of which PC we try it from.

A user added to the AD group for internet is blocked by the UTM. The integrated policy test states the correct values for "blocked/not blocked" and which policy is being used.


Browsing through groups and users in the AD through the UTM presents a correct image of our AD.


In the log the user who should not have access is listed in said internet group, but the user who should have access is listed in no group.


Can someone explain this behaviour or guide me to a workaround? Thank you in advance!



  • Hi Maxmimilian,

    Check which profile filters the user's traffic through the Policy helpdesk and verify whether it is the same profile configured to do that.

    If the user group association is incorrect, verify the group association of the user in the AD.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Thank you sachingurung.

    I already did that. The association is correct. The Policy Helpdesk also shows the correct situation. But the webfilter still applies them wrongly in the log. How can that be?

    What I forgot to mention was that blocking of file types is also not working. The users can download all files, like .exe...

    BTW: I see that I spelled my name wrong. Where can I change it?


    Here is an example of a user who should have internet access:

    2016:10:25-14:56:42 xxxutm httpproxy[6972]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="172.16.1.213" dstip="" user="vkiebe" group="" ad_domain="xxx" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3520" request="0xe0723600" url="http://api.bing.com/qsml.aspx?query=w&src=IE-Address&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SSC&market=de-DE" referer="" error="" authtime="55" dnstime="0" cattime="97" avscantime="0" fullreqtime="2760" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="145" reputation="neutral" categoryname="Search Engines" reason="category"


    Example of the user who should not have access:


    2016:10:27-13:58:16 xxxutm httpproxy[11876]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="172.16.1.194" dstip="216.58.213.238" user="deru_scan" group="Sophos-Proxy-O4" ad_domain="LINKORTHO" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="463" request="0xe1331600" url="http://clients1.google.com/ocsp" referer="" error="" authtime="0" dnstime="0" cattime="90" avscantime="720" fullreqtime="31974" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" sandbox="-" content-type="application/x-x509-ca-cert"
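The two log lines above show the contradiction in the key="value" format the UTM httpproxy writes: the user who should have access is authenticated but matched no group and was blocked, while the user who should not have access carries the group and passes. As an added example (not from the original thread and not Sophos code), here is a small Python parser for that format, a classifier for the three situations that appear in this thread (407 challenge, authenticated with no group match, authenticated with a group match), and a check that compares the group the proxy logged for each user against a snapshot of current AD membership. The sample lines are constructed from the ones posted here (shortened; the srcip of the 407 line is invented, the thread shows "xxx"), and the AD_MEMBERSHIP snapshot is an assumption reflecting what the thread describes.

```python
import re
from typing import Dict, List, Set, Tuple

# UTM httpproxy log format: "<timestamp> <host> httpproxy[<pid>]: key="value" key="value" ..."
# Every value is double-quoted, so URLs containing '=' and '&' stay intact.
_KV = re.compile(r'(\S+?)="([^"]*)"')

# Constructed sample lines, shortened from the ones posted in this thread.
# The third line's srcip is invented (the thread shows "xxx" there).
SAMPLE_LOG = [
    '2016:10:25-14:56:42 xxxutm httpproxy[6972]: id="0060" severity="info" sys="SecureWeb" sub="http" '
    'name="web request blocked, forbidden category detected" action="block" method="GET" '
    'srcip="172.16.1.213" dstip="" user="vkiebe" group="" ad_domain="xxx" statuscode="403" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" '
    'url="http://api.bing.com/qsml.aspx?query=w&src=IE-Address" auth="2" category="145" '
    'categoryname="Search Engines" reason="category"',
    '2016:10:27-13:58:16 xxxutm httpproxy[11876]: id="0001" severity="info" sys="SecureWeb" sub="http" '
    'name="http access" action="pass" method="POST" srcip="172.16.1.194" dstip="216.58.213.238" '
    'user="deru_scan" group="Sophos-Proxy-O4" ad_domain="LINKORTHO" statuscode="200" '
    'url="http://clients1.google.com/ocsp" auth="2" category="178" categoryname="Internet Services" '
    'content-type="application/x-x509-ca-cert"',
    '2016:10:31-08:54:52 xxxUTM httpproxy[11876]: id="0003" severity="info" sys="SecureWeb" sub="http" '
    'name="http access" action="pass" method="CONNECT" srcip="172.16.1.50" dstip="" user="" group="" '
    'ad_domain="" statuscode="407" filteraction=" ()" url="https://plus.google.com/" auth="2"',
]

# Assumed AD membership snapshot: the Backend Group(s) each user is currently in according to AD.
# Mirrors the thread: vkiebe should have access, deru_scan should not.
AD_MEMBERSHIP: Dict[str, Set[str]] = {
    "vkiebe": {"Sophos-Proxy-O4"},
    "deru_scan": set(),
}


def parse_httpproxy_line(line: str) -> Dict[str, str]:
    """Split one httpproxy line into timestamp/host/process plus all key="value" fields."""
    head, _, body = line.partition(": ")          # first ': ' ends the syslog-style prefix
    timestamp, host, process = head.split()
    rec = {"timestamp": timestamp, "host": host, "process": process}
    rec.update(_KV.findall(body))
    return rec


def classify(rec: Dict[str, str]) -> str:
    """Name the authentication/authorization situation a line represents."""
    user = rec.get("user", "")
    group = rec.get("group", "")
    if rec.get("statuscode") == "407" and not user:
        return "auth-challenge"    # proxy asked for credentials; no policy decision yet
    if user and not group:
        return "no-group-match"    # authenticated, but no Backend Group matched -> default policy
    if user and group:
        return "group-match"
    return "anonymous"


def group_mismatches(records: List[Dict[str, str]],
                     membership: Dict[str, Set[str]]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (timestamp, user, logged group, AD groups) for lines where the group the proxy
    used disagrees with the AD snapshot, i.e. the stale-membership symptom of this thread."""
    out = []
    for rec in records:
        if classify(rec) in ("auth-challenge", "anonymous"):
            continue
        user = rec["user"]
        logged = rec.get("group", "")
        expected = membership.get(user, set())
        if (logged and logged not in expected) or (not logged and expected):
            out.append((rec["timestamp"], user, logged or "<none>", sorted(expected)))
    return out


if __name__ == "__main__":
    records = [parse_httpproxy_line(line) for line in SAMPLE_LOG]
    for rec in records:
        print(f'{rec["timestamp"]} user={rec.get("user") or "-"} group={rec.get("group") or "-"} '
              f'action={rec.get("action")} -> {classify(rec)}')
    for ts, user, logged, expected in group_mismatches(records, AD_MEMBERSHIP):
        print(f"MISMATCH {ts}: {user} logged with group {logged!r}, AD snapshot says {expected}")
```

Run against a real export of the Web Filtering log, the mismatch list is the evidence Bob asks for later in the thread: lines where the proxy's idea of a user's group disagrees with what AD currently says. A 407 line is deliberately skipped, since it records a credential challenge rather than a policy decision.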


  • I found something interesting in the changelog of UTM Version 9.407-3.

    NUTM-2447 [Web] 36231: HTTP proxy policy matching with backend groups is sometimes not working.

    Seems like we still have this bug.

    Our SG 330 is up to date.

  • In the Backend Group definition, instead of using the full Distinguished Name, try just the content of the CN= without CN=.  If the name of the AD Group has any spaces or characters other than alphanumeric or a dash, you may need to rename the AD Group.

    This was an old bug that might have come back.  Any luck with that approach?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
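Bob's advice above (enter only the content of the CN=, and avoid group names with spaces or characters other than alphanumerics and a dash) can be checked mechanically before touching the Backend Group definition. As an added example that is not from this thread and not Sophos code, here is a Python helper that splits a Distinguished Name into its RDNs (honouring backslash-escaped commas), pulls out the CN content to enter, and warns when the AD group would need renaming; the DNs in the usage lines are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple

# Group names that need no renaming under the advice above: letters, digits and dashes only.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs.
    A backslash escapes the next character (LDAP writes a literal comma in a value as '\\,');
    the escaped character is kept and the backslash dropped."""
    rdns: List[str] = []
    cur: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def backend_group_value(dn_or_name: str) -> Tuple[Optional[str], List[str]]:
    """Return (value to enter in the Backend Group, warnings).
    Accepts either a full DN or a bare group name."""
    warnings: List[str] = []
    text = dn_or_name.strip()
    if "=" in text:
        cns = [value for attr, value in split_dn(text) if attr == "CN"]
        if not cns:
            return None, ["no CN= component in DN"]
        name = cns[0]
        warnings.append("full DN given; enter only the CN content")
    else:
        name = text
    if not _SAFE_NAME.match(name):
        warnings.append("name has spaces or characters other than alphanumeric/dash; "
                        "consider renaming the AD group")
    return name, warnings


if __name__ == "__main__":
    # Constructed placeholder DNs (OU/DC parts are not from the thread)
    for candidate in ("Sophos-Proxy-O4",
                      "CN=Sophos-Proxy-O4,OU=Groups,DC=example,DC=local",
                      "CN=Internet Users,OU=Groups,DC=example,DC=local"):
        value, notes = backend_group_value(candidate)
        print(f"{candidate!r} -> enter {value!r}; " + ("; ".join(notes) or "ok"))
```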
  • Hello BAlfson.


    Do you mean like this? I am in this AD group.

    Here are the log and a screenshot from the Policy Test. Nothing changes. I still have internet access. I think that deleting the "CN=" should compromise the backend group, or not?


    2016:10:31-08:54:52 xxxUTM httpproxy[11876]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="xxx" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2621" request="0xe0e3ac00" url="https://plus.google.com/" referer="" error="" authtime="12" dnstime="0" cattime="0" avscantime="0" fullreqtime="125" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions=""


  • Hi,

    PM me your exact name and I will make the necessary changes.

    Run adsiedit.msc on the AD server and verify that the exact Bind DN and Base DN are configured in the UTM for the Active Directory server.

    Post a screenshot of the AD server configuration on UTM.

    Clear the authentication caches from Definitions & Users > Authentication Services > Authentication cache, and restart httpproxy with "/var/mdw/scripts/httpproxy restart".

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Maximillian, I would have only Sophos-Proxy-all-access in there and NOTHING else, getting rid of the full Distinguished Name and leaving only the content of the CN=.  That's the way I've done Backend Groups for at least 8 or 9 years.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,


    After going through both of your solutions nothing has changed. I tested with a new AD user account and the Sophos syncs every change correctly. But not for some users.

    Here is the picture of the AD config in the UTM.

  • Does your testing methodology take into account the fact that SSO caches authorization for five minutes?

    What do you see that makes you conclude that "the sophos sync's every change correctly" for some but not for others?

    Please show a picture of the Edit of the Backend Group that's not working correctly.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
    UTM caches it for 5 minutes? Thank you for the info. I tested it within a 10 minute time frame, where I tried it multiple times on the client after syncing, clearing the "auth cache" and restarting the proxy as suggested.

    Here is the screen.

    To be precise: an AD account which was in the AD "sophos-proxy-O4" group at one time, and is now only a member of the "Domain Users" group, can browse the internet.

    An AD account which was added to "sophos-proxy-O4" can't browse the internet. The policy test states the correct behaviour, but the result on the client is the opposite.

    Please show a line from the Web Filtering log where an access was allowed that should not have been.  If there is no line, check to see if 'Block access on authentication failure' is selected in the Profile.  If that still doesn't stop the traffic, you might want to disable the firewall rule created by the Installation Wizard allowing "Web Surfing" traffic, or at least remove HTTP from the Services Group.

    Although it's written for Standard mode, 98% of Configuring HTTP/S proxy access with AD-SSO also applies to Transparent mode.  You might review that KnowledgeBase article to see if there's something that comes to mind.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA