
Problem with Webfilter not applying rules correctly

Hello Community.

 

I have a problem with the web filter in Sophos UTM 9.4. For about a month we have seen a bug where our policy is not applied correctly. For example, an AD user was put in an AD security group which has internet access via a policy, for a test. We removed this user from the security group, and even after manually synchronizing with the AD he is still able to connect to the internet. This is independent of which PC we try it from.

A user added to the AD group for internet access is blocked by the UTM. The integrated policy test states the correct values for "blocked/not blocked" and which policy is being used.

Browsing through groups and users in the AD through the UTM presents a correct image of our AD.

In the log, the user who should not have access is listed in said internet group, but the user who should have access is listed in no group.

Can someone explain this behaviour or guide me to a workaround? I thank you in advance!



  • Hi Maxmimilian,

    Check which profile filters the user's traffic through the Policy Helpdesk and verify that it is the same profile configured to do that.

    If the user/group association is incorrect, verify the group association of the user in the AD.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Thank you sachingurung.

    I already did that. The association is correct. The Policy Helpdesk also states the correct situation. But the web filter still applies them wrongly in the log. How can that be?

    What I forgot to mention is that blocking of file types is also not working. The users can download all files like .exe...

    BTW: I see that I spelled my name wrong. Where can I change it?

    Here is an example of a user who should have internet access:

    2016:10:25-14:56:42 xxxutm httpproxy[6972]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="172.16.1.213" dstip="" user="vkiebe" group="" ad_domain="xxx" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3520" request="0xe0723600" url="http://api.bing.com/qsml.aspx?query=w&src=IE-Address&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SSC&market=de-DE" referer="" error="" authtime="55" dnstime="0" cattime="97" avscantime="0" fullreqtime="2760" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="145" reputation="neutral" categoryname="Search Engines" reason="category"

    Example of the user who should not have access:

    2016:10:27-13:58:16 xxxutm httpproxy[11876]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="172.16.1.194" dstip="216.58.213.238" user="deru_scan" group="Sophos-Proxy-O4" ad_domain="LINKORTHO" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="463" request="0xe1331600" url="http://clients1.google.com/ocsp" referer="" error="" authtime="0" dnstime="0" cattime="90" avscantime="720" fullreqtime="31974" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" sandbox="-" content-type="application/x-x509-ca-cert"

     

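The two log lines above are the evidence for the whole thread: the proxy's idea of group membership disagrees with what the directory shows. The following is an added example (not from the original post, nor Sophos code) of how an administrator could check a batch of httpproxy log lines for exactly that discrepancy: parse the key="value" pairs, compare the group the proxy logged against the group membership the directory is known to hold, and report every authenticated request where the two differ. The EXPECTED_GROUPS mapping is constructed from the poster's description; that "Sophos-Proxy-O4" is the internet-access group is an assumption taken from the second log line.

```python
import re
from typing import Dict, List, Set

# One key="value" pair as written by the UTM httpproxy logger. Keys may
# contain a hyphen (content-type); values never contain an unescaped quote.
_KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
# Line prefix: <timestamp> <host> httpproxy[<pid>]
_HEADER_RE = re.compile(r'^(\S+) (\S+) httpproxy\[(\d+)\]$')

# The two log lines quoted in the thread (host and domain already anonymized there).
SAMPLE_LINES: List[str] = [
    '2016:10:25-14:56:42 xxxutm httpproxy[6972]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="172.16.1.213" dstip="" user="vkiebe" group="" ad_domain="xxx" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3520" request="0xe0723600" url="http://api.bing.com/qsml.aspx?query=w&src=IE-Address&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SSC&market=de-DE" referer="" error="" authtime="55" dnstime="0" cattime="97" avscantime="0" fullreqtime="2760" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="145" reputation="neutral" categoryname="Search Engines" reason="category"',
    '2016:10:27-13:58:16 xxxutm httpproxy[11876]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="172.16.1.194" dstip="216.58.213.238" user="deru_scan" group="Sophos-Proxy-O4" ad_domain="LINKORTHO" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="463" request="0xe1331600" url="http://clients1.google.com/ocsp" referer="" error="" authtime="0" dnstime="0" cattime="90" avscantime="720" fullreqtime="31974" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" sandbox="-" content-type="application/x-x509-ca-cert"',
]

# Constructed from the thread: vkiebe is in the internet-access group, deru_scan
# was removed from it. The group name comes from the second log line; that it is
# the internet-access group is an assumption.
EXPECTED_GROUPS: Dict[str, Set[str]] = {
    "vkiebe": {"Sophos-Proxy-O4"},
    "deru_scan": set(),
}


def parse_httpproxy_line(line: str) -> Dict[str, str]:
    """Split one httpproxy log line into a dict of its key="value" fields.

    The header (timestamp, host, pid) is stored under underscore-prefixed keys
    so it cannot collide with a field name the logger emits.
    """
    header, _, body = line.partition(": ")
    fields = dict(_KV_RE.findall(body))
    m = _HEADER_RE.match(header)
    if m:
        fields["_timestamp"], fields["_host"], fields["_pid"] = m.groups()
    return fields


def find_group_mismatches(lines: List[str], expected: Dict[str, Set[str]]) -> List[Dict[str, object]]:
    """Report requests whose proxy-side group disagrees with the directory.

    'missing' = groups the directory holds but the proxy did not apply
    (user is wrongly restricted); 'stale' = groups the proxy applied that the
    directory no longer holds (user is wrongly permitted).
    """
    findings: List[Dict[str, object]] = []
    for line in lines:
        f = parse_httpproxy_line(line)
        user = f.get("user", "")
        if user not in expected:          # unauthenticated or unknown user: nothing to compare
            continue
        proxy_groups: Set[str] = {f["group"]} if f.get("group") else set()
        missing = expected[user] - proxy_groups
        stale = proxy_groups - expected[user]
        if missing or stale:
            findings.append({
                "timestamp": f.get("_timestamp", ""),
                "user": user,
                "srcip": f.get("srcip", ""),
                "action": f.get("action", ""),
                "proxy_group": f.get("group", ""),
                "missing": missing,
                "stale": stale,
            })
    return findings


if __name__ == "__main__":
    for hit in find_group_mismatches(SAMPLE_LINES, EXPECTED_GROUPS):
        print(f"{hit['timestamp']} user={hit['user']} src={hit['srcip']} action={hit['action']} "
              f"proxy_group={hit['proxy_group']!r} missing={sorted(hit['missing'])} stale={sorted(hit['stale'])}")
```

Run against the two lines from the thread, the check flags both: vkiebe is blocked with an empty group although the directory places him in the group, and deru_scan passes with the group still attached although he was removed from it. Feeding it a day's worth of httpproxy log lines together with a fresh export of the directory's group membership turns the "policy matching with backend groups" symptom into a list of affected users and source IPs, which is the evidence worth attaching to a support case.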
  • I found something interesting in the changelog of UTM Version 9.407-3.

    NUTM-2447 [Web] 36231: HTTP proxy policy matching with backend groups is sometimes not working.

    Seems like we still have this bug.

    Our SG 330 is up to date.
