Youtube and Google bypass Web Filtering Profile Block once content is loaded in Chrome tabs

I've got a weird one here that's making my head spin.

I'll try to keep this simple using images.

So I have Web Filter Profiles; the one below is for the kids. It has the kids' devices defined in "Allowed networks" so they are filtered here, and as you can see I have a bunch of Policies defined for certain times which allow them to surf.

When they fall out of scope of these times, they fall to the Base policy with BLOCK ALL, which has everything blocked:

So my aim here is simply to allow them to surf between certain times (time definitions exist as per the Policy names), and when they fall out of these times, they land up in the Block All policy which shuts them down.

This works and has been working all along until now, for some reason.

What I'm finding is that if Chrome has downloaded YouTube and Google into its cache (e.g. the Chrome browser has a tab with https://www.youtube.com loaded and a tab with https://www.google.com loaded), once the times are not allowed and BLOCK ALL takes effect, the tab that has the YouTube player active can be used to watch video after video.

I also see that if I load up https://www.google.com I can search for anything I want, but clicking any results gets blocked.

Flushing the browser cache and then attempting to establish a connection to https://www.google.com or https://www.youtube.com gets blocked.

It's almost as if, since the YouTube player and Google search page have already been downloaded into the web browser cache, the searches and media streams bypass the web proxy until they get flushed and need to be re-downloaded.

I may be going about setting time limits here the hard and silly way, but I have not had any issues where YouTube didn't get blocked (the stream would stop) once the time limits ran out and it fell to the BLOCK ALL Policy.

I'm hoping this makes sense. Has anyone had any such experiences, or does anyone have any advice?

Thanks much

Sheldon

  • As some extra information, watching the web filter live log, I don't see much traffic other than the occasional ad which gets blocked, while media is being watched outside of the allowed times (and new videos selected).

    Putting in a firewall rule based on the same time limits stops the videos and searching 100%, so I'm wondering if the traffic (maybe an established connection) is sliding under the proxy under these circumstances.

    I would simply build up a similar filter based on time via the firewall, but that's a bunch of rules vs having them all defined as policies in a single profile for the kids.

    Thanks much

    Sheldon

  • In reply to Sheldon Botha:

    Hi, Sheldon, and welcome to the UTM Community!

    Several years ago, Sophos "fixed" firewall rules so that they would break existing connections if a different time-based rule was in effect.  They didn't do the same for the hidden firewall rules created automatically by WebAdmin when you configure Web Filtering.  Thanks for trying that and posting about it here.

    In fact, you only would need the firewall rules for one minute after you change from a Filter Action allowing traffic to one blocking it.

    Cheers - Bob

  • In reply to BAlfson:

    Thanks for that information, Bob; that now makes perfect sense as to why this is occurring.

    Would something like this be an issue I should report as a defect to Sophos, or do you know if they by default read the issues on this forum and have their QA reproduce and put the issue in the backlog?

    Thanks again

    Sheldon

  • In reply to Sheldon Botha:

    This is less a bug than a suggested improvement.  You can offer your suggestion at Ideas.

    Cheers - Bob

  • In reply to BAlfson:

    Thanks Bob, that's a big help!

    I've submitted the idea at:

    http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/17374954-change-web-protection-so-that-active-connections-g

    Appreciate your input and help!

    -Sheldon

  • In reply to Sheldon Botha:

    Something interesting I found today.

    I read a post about a new protocol Google uses called QUIC in which they use both TCP and UDP for applications such as YouTube.

    So, back to my issue: I thought let me try to set up an application control rule for YouTube and see if, while it's active, I can watch videos.

    I created the rule and set it to active, opened my browser and indeed YouTube videos played; many of the thumbnails were greyed out, but if clicked, the video played 100%.

    I went to the firewall and created a rule to reject UDP ports 80 and 443 for my host.

    I set this as active and restarted YouTube; I could not get any videos to play now with this firewall rule in effect.

    I disabled the firewall rule for UDP and tried again; YouTube once more worked, even with the application control rule in place.

    I'm wondering since my son is using a Chromebook, if his sessions could have been taking the back door on UDP port 443 and thereby bypassing the web proxy.

    I'll let you guys know how this plays out.

    Thanks

    Sheldon

  • In reply to Sheldon Botha:

    I have recently found Chrome on Windows 7 is doing the same thing. It looks like Google is using UDP first to communicate, and UDP is not processed by Sophos for content filtering. If you block 80 and 443 UDP in your outbound firewall rules, it will force the browser to fall back to TCP and it will then be processed through your rules.
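One way to check the UDP observation above against the UTM's own packet filter log, as an added example that is not part of this thread: it parses key="value" log lines (constructed here, modelled on the ulogd packetfilter format) and lists accepted UDP flows to 80/443 from the children's devices, i.e. flows the web proxy and its content filter never saw, plus a per-rule hit count for seeing which firewall rule is actually matching. The addresses, rule numbers and the "Children Devices" membership are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the key="value" style of the UTM packetfilter (ulogd)
# log; addresses, rule numbers and timestamps are made up for this example.
SAMPLE_LOG = """\
2016:03:01-20:01:05 utm ulogd[4711]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth0" srcip="192.168.1.50" dstip="203.0.113.10" proto="17" srcport="52111" dstport="443"
2016:03:01-20:01:06 utm ulogd[4711]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth0" srcip="192.168.1.50" dstip="203.0.113.10" proto="6" srcport="52112" dstport="443"
2016:03:01-20:01:07 utm ulogd[4711]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="192.168.1.50" dstip="203.0.113.11" proto="17" srcport="52113" dstport="443"
2016:03:01-20:01:08 utm ulogd[4711]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" srcip="192.168.1.51" dstip="203.0.113.12" proto="17" srcport="52114" dstport="80"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
CHILD_DEVICES = {"192.168.1.50", "192.168.1.51"}  # assumed "Children Devices" group

def parse_line(line):
    """Return the key="value" fields of one log line as a dict (empty if none)."""
    return dict(KV_RE.findall(line))

def proxy_bypass_flows(log_text, hosts):
    """Accepted UDP flows to 80/443 from the watched hosts.  These reached the
    firewall directly (QUIC), so the web proxy and its filter never saw them."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("sub") != "packetfilter" or f.get("srcip") not in hosts:
            continue
        if f.get("proto") == "17" and f.get("dstport") in ("80", "443") \
                and f.get("action") == "accept":
            hits.append((f["srcip"], f["dstip"], f["dstport"], f["fwrule"]))
    return hits

def rule_hit_counts(log_text):
    """Entries per firewall rule.  A rule that never shows up either never matched
    or has 'Log traffic' switched off (60001 is assumed here to be the default drop)."""
    return Counter(f["fwrule"] for f in map(parse_line, log_text.splitlines())
                   if "fwrule" in f)

if __name__ == "__main__":
    for hit in proxy_bypass_flows(SAMPLE_LOG, CHILD_DEVICES):
        print("UDP flow bypassed the proxy (src, dst, port, rule):", hit)
    print("hits per firewall rule:", dict(rule_hit_counts(SAMPLE_LOG)))
```

Run it against a saved packetfilter log instead of SAMPLE_LOG to see whether the blocked hosts still get accepted UDP 443 flows once the Filter Action switches to Block All.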

  • In reply to Stephen Crepeau:

    Thanks Stephen

    Yes, so I found something else out that I did not know about Sophos UTM... (correct me if I'm wrong)

    Apparently, unlike most other firewall/UTM solutions I've used in the past, the Web Proxy comes first, before firewall rules...

    So if something goes to the proxy, it escapes the firewall rules; thus the firewall really is only there to catch things escaping from the Proxy.

    So I got to thinking...

    I created one rule for the "Children Devices" group for my son and set the services "http proxy, NTP and DNS" to ALLOW (I don't even know if this is needed...)

    Next in line I created a firewall rule for "Children Devices" with ALL services set to REJECT.

    I then tested this, knowing that any protocols escaping the web proxy (such as UDP 443 here) will fall down to the REJECT rule, since Rule 1 won't match, and get blocked.

    I repeated my test with an active YouTube video playing; the time limit then occurred to shut down traffic and GUESS WHAT... I could no longer reproduce the issue as I originally stated, about being able to click to new videos.

    I'll watch this over the long haul here. One more change I made (not sure if this will be of any benefit): I changed my Web Proxy Filter Action for the kids from "Allow all content, except as specified below" to "Block all content, except as specified below" and then defined what I wanted to Allow.

    Let me know any comments/thoughts here. I'm not 100% sure if Rule #1 is needed, or if, when it does not exist, the firewall will get traffic to itself (LAN interface) for DNS or NTP and say "no" since these services are not specified as being allowed for the devices in question.

    Thanks guys! Really happy so far on this one; let's hope my facts are straight here. If so, then we don't need to worry about making firewall rules with time limits to break connections for this scenario, where I can use the firewall to open up ports to services as needed outside of web browsing, which is controlled by the web proxy.

    -Sheldon

  • In reply to Sheldon Botha:

    You got it, Sheldon - see #2 in Rulz.

    Cheers - Bob

  • In reply to BAlfson:

    Speak of the devil, Bob, that's actually one of the places I linked to yesterday after coming across some older posts from the Astaro days on this :)

    Thanks much, I think we have a good solution here now.

    -Sheldon

  • In reply to Sheldon Botha:

    Sorry, but I didn't get the trick. My network setup is a bit different. The UTM is behind the internet router because of 'phone over VoIP' issues: DSL router <-> UTM <-> WLAN access point <-> clients. The web filter is set up in transparent mode with user authentication via browser. The "Allowed Network" is internal LAN; the web filter profile is connected with the user, who has a time limit for games within his profile. Last but not least, I have configured firewall rules with the parameters shown by Sheldon's trick, but with one exception: there is no DNS service configured. When I am looking into the live protocol, only the 'internal LAN' packet filter rule is active, but not 'Sheldon's' packet filter rules. What did I do wrong?

  • In reply to Manfred Nefzger:

    We would have to look at the Edits of the firewall rule and the Web Filtering Profile, Manfred.

    Cheers - Bob

  • In reply to BAlfson:

    My configuration details are:

    In the base policy all categories with illegal content and all categories with addictive potential ;-), like games, are blocked; all others are allowed.
    In the user's policy 'children-filter', the categories with addictive potential have a time contingent of 60 minutes.
    The time contingent is configured in 'Edit Filter Action' under 'Additional Options > Quotas'.
    Different from Sheldon's configuration, the 'Time event' option is set to 'Always'/'Anytime' in both policies.

    Do I have to add the 'Children Devices' and the 'Internal LAN' network group to the 'Allowed Networks' on 'Network Services > DNS' or is it enough to add only the 'Internal LAN' network?

    Do I have to do the same on 'Web Filtering > Global' or not?

    Within the 'Web Filter Profile' I added the 'Children Devices' to the 'Allowed Networks':

    Default authentication goes via Browser.

    The Web Filter Profile 'Children' is assigned to the filter action 'children-filter':

    And last but not least the firewall rules:

    When I am looking on the Live Log of the firewall I only get entries for Packet filter rule #4. 'Log traffic' for #2 and #3 is enabled.

  • In reply to Manfred Nefzger:

    After further testing I can say that my configuration according to Sheldon's template was right, and this trick works well for YouTube videos. I started an eleven-minute video and after ten minutes (the time quota preset) the video stream got automatically blocked. But when playing the online game 'slither.io', after 10 minutes of gaming nothing happens. To analyse this different behaviour of the UTM 9, I compared the 'Web Filtering' live log records when streaming a YouTube video with those when playing 'slither.io'. The streaming packets sent for a YouTube video create a lot of requests, which are logged by the 'Web Filtering'. But 'slither.io' creates only a few requests when starting the game. Afterwards no further request is monitored by the 'Web Filtering'. So you have unlimited playtime, as long as you don't click on the reload button of your browser. I am wondering where else the communication between 'slither.io' and the browser takes place. What is sure is that many requests are sent during the game, but I can't find them anywhere.

  • In reply to Manfred Nefzger:

    On the image with the 'Default Web Filter Profile' one detail is wrong. Therefore I am uploading the right image again. The 'Default authentication' must be activated for forwarding to the 'Children' Web Filter Profile.