UTM Web Filter is Blocking everything except youtube

Ok so I'm new to Sophos UTM. I wanted to try it out before I commit.

I have it installed on a device with 4 NICs. Two NICs are used to bridge the gap between switch and router and a third is used for management.

Switch ---> UTM ---> Router

The bridge was set up as an Ethernet bridge with IP 0.0.0.0/24, and the IPv4 default gateway is the IP of the router (192.168.10.1).

First issue: Sophos Endpoint Live Connect says it is disabled. If I remove the UTM from the bridge and only have the management NIC live with IP (192.168.10.8), Live Connect works fine.

As soon as I turn the bridge on, it fails to connect.

Second issue, and more importantly: when I turn on Web Filter almost all websites are blocked. They either return network unreachable or host unknown. YouTube works fine.

I have a firewall rule that is Any Any Any. I have tried the web filter with Any network, Internal network (192.168.10.0/24) and about every other way possible. As soon as I turn the web filter off, everything works.

I use OpenDNS on my router. I have tried leaving all UTM settings as defaults and setting OpenDNS in the UTM and forwarder. Still nothing.

 

Any ideas?

  • Try here:

    https://community.sophos.com/kb/en-us/119360

    Go through it very carefully as it's easy to miss a part. Ensure the bridge is up and running prior to enabling any exotic part, e.g. web filtering etc.

  • In reply to Louis-M:

    Thanks Louis-M. That's the guide I initially followed. The only thing I have done differently is left the bridge IP as 0.0.0.0, which I read creates a seamless bridge.

    Would there be any issues with my router not allowing DNS requests through when web filtering is on?

    The bridge part is working fine as all my devices are going through the bridge to get internet access, which works as long as I don't turn web filtering on.

  • In reply to Peter Evans:

    There shouldn't be. The web filtering only filters web browsing ports, e.g. HTTP (TCP 80), HTTPS (port 443).

    DNS (UDP 53) shouldn't be affected. Are you using the UTM's DNS proxy for your clients?

    Try that to see if that makes a difference. Ensure that your client network is allowed to use the DNS proxy. Put your forwarders in there and point them to your router or external DNS servers.

    Far better to do it this way as the UTM DNS proxy offers various protections.

  • In reply to Louis-M:

    Thanks for the help Louis-M.

    I removed my OpenDNS IPs from the DNS forwarders and left only my router's IP in there, and I think it's working. I only have one machine defined in the web protection as a test; I will add the rest of my network later and see what happens.

  • In reply to Peter Evans:

    Have a look at the DNS best practices sticky on this forum. It's a good piece of info by a very knowledgeable person. I would always advise that internal clients either:

    1. Point to an internal DNS server, and that DNS server points to the UTM DNS proxy. The UTM proxy then points to external DNS servers, e.g. OpenDNS etc.

    2. If there is no internal DNS server, clients should point to the UTM proxy. The UTM proxy then points to external DNS servers, e.g. Google, OpenDNS.

  • In reply to Louis-M:

    Well, I thought I had sorted it but no such luck.

    In Sophos Web Protection > Policy Helpdesk, if I have my web protection on and then test a website such as google.co.uk, it comes back allowed. However, if I try to get to Google in a web browser I get network unreachable. I can successfully ping google.co.uk and it resolves the name.

    So I'm guessing my DNS is OK as it's resolving.

    My PC points to my internal DNS (router) 192.168.10.1

    My router has OpenDNS 208.67.222.222 and 208.67.220.220

    Web Protection off = everything works

    Web Protection on = can't get to Google. Although strangely I can get to YouTube????

    On my UTM it doesn't matter what I have in DNS Global allowed networks, it makes no difference. In the forwarders I have my internal DNS.

    Not sure what you mean about UTM proxy, I have it set up in full transparent bridge mode so no proxy.

  • In reply to Peter Evans:

    I've never set up a bridge before so unsure. Do you have Network Services > DNS?

    If so, under Global, you should include your internal network, i.e. allow your internal LAN clients to access the proxy.

    Under Forwarders, you should add your router IP (if it offers DNS services) OR your external OpenDNS servers in there (not your internal DNS server).

    So:

    CLIENT DNS > UTM DNS > ROUTER DNS > OPENDNS or CLIENT DNS > UTM DNS > OPENDNS

    If you have an internal DNS server (larger networks, not home networks) then:

    CLIENT DNS > INTERNAL DNS SERVER > UTM DNS > ROUTER DNS > OPENDNS or CLIENT DNS > INTERNAL DNS SERVER > UTM DNS > OPENDNS

  • In reply to Louis-M:

    Yes, my setup is End device > Switch > UTM > Router (with DNS)

    All my networks use my router as the DNS, and my router uses OpenDNS.

    Yes, Network Services > DNS

    In Global I now have my internal networks (they are VLAN1, VLAN40 and VLAN60).

    Under Forwarders I have tried just my router (DNS), also tried just OpenDNS, and tried both.

    With my router in forwarders I can resolve names on my LAN and resolve names on the WAN, e.g. google.co.uk, so I'm guessing my DNS is working. However, I can't get to Google; it says network unreachable. But as said above, about the only website I can get to is YouTube....

  • In reply to Peter Evans:

    OK, a further update. If I turn on Web Filtering but don't filter HTTPS, I can get to HTTPS sites but can't get to any HTTP sites.

  • In reply to Peter Evans:

    That's strange. So DNS is confirmed as working. Web access is confirmed as working too (without web filtering).

    So, my next stop would be to look at the web filtering live logs, try to access somewhere, and see if it passes/blocks it.

  • In reply to Louis-M:

    OK, here's one log where it is blocking. It resolves the IP so I guess DNS is OK. Strangely, if I put the same URL into the Policy Helpdesk it says allowed...

    2017:05:19-20:18:24 update URID[8559]: T=8559 ------ 2 - Warning: EARLY TIMEOUT: dns context 0 has 5933 ms before it should time out\n
    2017:05:19-20:18:26 update httpproxy[8585]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x97d0600" function="connect_server" file="dns.c" line="1191" message="connect() on AF 2 socket to 173.230.139.54 failed: Network is unreachable"
    2017:05:19-20:18:26 update httpproxy[8585]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.10.11" dstip="173.230.139.54" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="85350" request="0x97d0600" url="www.emby.media/community" referer="" error="Network is unreachable" authtime="0" dnstime="1" cattime="0" avscantime="0" fullreqtime="2149" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" exceptions="auth" country="United States"
    2017:05:19-20:18:26 update httpproxy[8585]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9a3c000" function="connect_server" file="dns.c" line="1191" message="connect() on AF 2 socket to 173.230.139.54 failed: Network is unreachable"
    2017:05:19-20:18:26 update httpproxy[8585]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.10.11" dstip="173.230.139.54" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="85352" request="0x9a3c000" url="www.emby.media/favicon.ico" referer="www.emby.media/community" error="Network is unreachable" authtime="0" dnstime="1" cattime="0" avscantime="0" fullreqtime="1931" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" exceptions="auth" country="United States"
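
The log excerpt above is easier to read once the key="value" fields are pulled apart. The following Python script is an added example (not from the thread or from Sophos): it parses UTM httpproxy lines, pairs each 502 block with the connect() diagnostic that shares its request id, and separates those "origin unreachable" blocks from real content-filter blocks. The sample lines are constructed in the same format as the excerpt; the category-block (id 0060) and pass (id 0001) lines, their addresses and categories are illustrative assumptions, not from the poster's log.

```python
import re
from collections import Counter

# key="value" pairs as the UTM httpproxy daemon writes them.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines modelled on the thread's excerpt (shortened, not a
# verbatim copy): a connect() diagnostic, the 502 block it explains, an
# assumed content-filter (category) block, and an assumed passed request.
SAMPLE_LOG = """\
2017:05:19-20:18:26 update httpproxy[8585]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x97d0600" function="connect_server" file="dns.c" line="1191" message="connect() on AF 2 socket to 173.230.139.54 failed: Network is unreachable"
2017:05:19-20:18:26 update httpproxy[8585]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.10.11" dstip="173.230.139.54" statuscode="502" request="0x97d0600" url="www.emby.media/community" error="Network is unreachable" category="Information Technology"
2017:05:19-20:18:30 update httpproxy[8585]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="192.168.10.11" dstip="203.0.113.10" statuscode="403" request="0x9b11000" url="casino.example/" error="" category="Gambling"
2017:05:19-20:18:31 update httpproxy[8585]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.11" dstip="198.51.100.7" statuscode="200" request="0x9c22000" url="www.youtube.com/" error="" category="Streaming Media"
"""

def parse(line):
    """Return the key/value fields of one httpproxy line ({} for other lines)."""
    return dict(KV_RE.findall(line)) if "httpproxy[" in line else {}

def classify(ev):
    """pass: allowed. policy_block: the content filter denied it.
    upstream_unreachable: the proxy accepted the request but could not reach
    the origin (HTTP 502 plus a transport error): a bridge/routing problem."""
    if ev.get("action") != "block":
        return "pass"
    if ev.get("error") or ev.get("statuscode") == "502":
        return "upstream_unreachable"
    return "policy_block"

def triage(log_text):
    """Map each proxy request id to its verdict and the reason: the connect()
    diagnostic for unreachable origins, otherwise the URL category."""
    events = [ev for ev in map(parse, log_text.splitlines()) if ev]
    diag = {ev["request"]: ev["message"] for ev in events
            if ev.get("function") == "connect_server"}
    return {
        ev["request"]: {
            "url": ev.get("url"), "dstip": ev.get("dstip"),
            "verdict": classify(ev),
            "why": diag.get(ev["request"], ev.get("category", "")),
        }
        for ev in events if "action" in ev
    }

def count_verdicts(log_text):
    return Counter(r["verdict"] for r in triage(log_text).values())

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG).values():
        print(f'{r["verdict"]:21} {r["url"]:26} -> {r["dstip"]:15} {r["why"]}')
```

Run against a real live-log export, a high count of upstream_unreachable with no policy_block entries points at the bridge's IP/gateway setup rather than at the filter policy.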

  • In reply to Peter Evans:

    It shows in there that the default filter action is blocking the website. Have you changed any of the filters or anything?

    Try this site:

    http://www.fastvue.co/sophos/blog/easily-evaluate-sophos-utm-using-full-transparent-mode/

  • In reply to Louis-M:

    Mmm, yes, I can see the default filter action is blocking, but in that filter everything is set to allow. If I change the base policy to use Default Filter Block with everything set to block, then I can get to Google but every website is blocked; instead of getting network unreachable I get an error saying blocked because of category xyz.

    I don't recall ever changing anything in the default filters.

  • In reply to Peter Evans:

    Hi, Peter, and welcome to the UTM Community!

    When you bridge the UTM, you must use 'Full Transparent' mode in Web Filtering.  I can't imagine that it's possible to leave the bridge without an IP and a default gateway and have the Proxy work.  Any better luck doing it as I suggest here?

    Cheers - Bob