
Google Ad Services still blocked

Hi everyone,


that one bugs me:

In Web Protection I blocked the category "Web Ads" but made an exception for "^https?://([A-Za-z0-9.-]*\.)?googleadservices\.com/" and skipped: "URL Filter / Content Removal / SSL scanning / Certificate trust check / Certificate date check"

The URL https://www.googleadservices.com/pagead/aclk?sa=L&ai=CEb3U2hlSWZq7M4vZYrW1kfgMn5zB-0nT3afH0QW809H82ggICRABIN7Nzx4oFGCVsp-CsAegAajT5MMDyAEHqQIlrw1sP8iyPqoELU_QvG5X9l6EVcmggtaBVp03lZD8dhWTjwzZu4hyqPEjckjbAwbH8tSOTPuA-MAFBaAGJoAHjPKRKJAHA6gHpr4b2AcB4BLW1pesz_DKqd8B&ctype=5&ved=0ahUKEwjVj4qY0N3UAhUBzxQKHVPvAu0QrkMIEg&dblrd=1&val=GgiPEqqs-cZEEiABKAAwnbC04-fz_tIDOPOwyMoFQMyzyMoF&sig=AOD64_1JJfde0vdqfelTrICIy-nxWu3uuA&adurl=http://clickserve.dartsearch.net/link/click%3Flid%3D92700021927041567%26ds_s_kwgid%3D58700002543180166%26ds_s_inventory_feed_id%3D97700000002396362%26%26ds_e_adid%3D202212242552%26ds_e_matchtype%3Dsearch%26ds_e_device%3Dc%26ds_e_network%3Dg%26ds_e_product_group_id%3D299298482620%26ds_e_product_id%3D1486163%26ds_e_product_merchant_id%3D15143421%26ds_e_product_country%3DDE%26ds_e_product_language%3Dde%26ds_e_product_channel%3Donline%26ds_e_product_store_id%3D%7Bproduct_store_id%7D%26ds_url_v%3D2%26ds_dest_url%3Dhttp://r.refinedads.com/r.rfa%3Fv%3Dg3%26oid%3D2286%26aid%3D4014%26critValues%3D%26cid%3D864997103%26agid%3D49355159411%26tid%3Dpla-299298482620%26fid%3D%26adid%3D202212242552%26networkType%3DSearch%26n%3Dg%26p%3D%26q%3D%26mt%3D%26ap%3D1o1%26adt%3Dpla%26merchantid%3D15143421%26productid%3D1486163%26d%3Dc%26dm%3D%26p1%3D%26p2%3D%26r%3D16640977220556452153%26url%3Dhttp://www.mediamarkt.de/catentry/1486163

passes right through the Policy Helpdesk Tool as "passed" based on the exception I made. But the URL is not accessible via web browser.

When removing the S from https, the URL works.

In the Web Protection log I have two entries: one as allowed and one as blocked because of category "Web Ads".


Proxy is set to transparent, although the clients currently do not use the UTM as a gateway. The Web Protection is used by Sophos Enterprise Console and the Endpoint Protection.


I hope you guys can help me ... or girls ... no offense ;-)


BR,

Volker



  • Hi, Volker, and welcome to the UTM Community!

    Please show the two lines from the Web Filtering log.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    As requested, here are the log entries from my post date regarding my user and "googleadservices.com".

    As you can see, http is allowed while https is blocked. Under "Web Protection => Web Filtering => HTTPS" I just selected "URL filtering only" and the "Policy Helpdesk" tells me https is allowed.


    2017:06:27-07:37:49 HOSTNAME eplog[9560]: id="0060" severity="info" sys="SecureWeb" sub="eplog" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="xx.xx.xx.xx" dstip="216.58.210.2" user="DOMAIN\user" statuscode="403" cached="0" profile="" filteraction="" size="0" request="" url="www.googleadservices.com/" exceptions="" error="" reason="category" category="154" reputation="trusted" categoryname="Web Ads"
    2017:06:27-08:03:32 HOSTNAME eplog[9560]: id="0001" severity="info" sys="SecureWeb" sub="eplog" name="http access" action="pass" method="GET" srcip="xx.xx.xx.xx" dstip="172.217.16.162" user="DOMAIN\user" statuscode="200" cached="0" profile="" filteraction="" size="5236" request="" url="www.googleadservices.com/.../conversion_async.js" exceptions="" error="" reason="" category="154" reputation="" categoryname="Web Ads"
    2017:06:27-10:18:38 HOSTNAME eplog[9560]: id="0001" severity="info" sys="SecureWeb" sub="eplog" name="http access" action="pass" method="GET" srcip="xx.xx.xx.xx" dstip="216.58.207.34" user="DOMAIN\user" statuscode="200" cached="0" profile="" filteraction="" size="5236" request="" url="www.googleadservices.com/.../conversion_async.js" exceptions="" error="" reason="" category="154" reputation="" categoryname="Web Ads"
    2017:06:27-10:39:59 HOSTNAME eplog[9560]: id="0060" severity="info" sys="SecureWeb" sub="eplog" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="xx.xx.xx.xx" dstip="172.217.23.130" user="DOMAIN\user" statuscode="403" cached="0" profile="" filteraction="" size="0" request="" url="www.googleadservices.com/" exceptions="" error="" reason="category" category="154" reputation="trusted" categoryname="Web Ads"
    2017:06:27-10:40:02 HOSTNAME eplog[9560]: id="0060" severity="info" sys="SecureWeb" sub="eplog" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="xx.xx.xx.xx" dstip="172.217.23.130" user="DOMAIN\user" statuscode="403" cached="0" profile="" filteraction="" size="0" request="" url="www.googleadservices.com/" exceptions="" error="" reason="category" category="154" reputation="trusted" categoryname="Web Ads"
    2017:06:27-13:04:15 HOSTNAME eplog[9560]: id="0001" severity="info" sys="SecureWeb" sub="eplog" name="http access" action="pass" method="GET" srcip="xx.xx.xx.xx" dstip="172.217.18.2" user="DOMAIN\user" statuscode="200" cached="0" profile="" filteraction="" size="5236" request="" url="www.googleadservices.com/.../conversion_async.js" exceptions="" error="" reason="" category="154" reputation="" categoryname="Web Ads"
    2017:06:27-14:23:27 HOSTNAME eplog[9560]: id="0001" severity="info" sys="SecureWeb" sub="eplog" name="http access" action="pass" method="GET" srcip="xx.xx.xx.xx" dstip="172.217.23.130" user="DOMAIN\user" statuscode="200" cached="0" profile="" filteraction="" size="5236" request="" url="www.googleadservices.com/.../conversion_async.js" exceptions="" error="" reason="" category="154" reputation="" categoryname="Web Ads"

  • Please show a picture of the Exception.  Also, I don't see a block of https in the log lines you show above.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,


    Unfortunately you have to hover over www.googleadservices.com in order to see that those are https ... the forum converted the web addresses to real links on saving the post.

    As you wished, here is the screenshot of my exception:


    The regex expression is correct. The UTM validates it but just doesn't care ...

  • Volker, you're right that your configuration is correct and that it makes no sense that the blocks occur.  Is this V9.5?  In any case, I would get a ticket open with Sophos Support.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I think it's not the web filter. It is blocked by the PUA (antivirus).
    I'll try to make an authorisation on the PUAs.

    I hope it would work...

  • One complication is that I can see "eplog" in your logs.  This is a log coming from the Endpoint.

    The UTM creates a configuration and sends it to the endpoint.
    The endpoint applies the policy logic.
    The endpoint sends the logs to the UTM.
    The UTM displays the logs.


    From the logs it suggests that the exceptions are not being applied to the traffic by the endpoint.


    Two things:

    1) Make sure that the endpoint is receiving configuration updates from the UTM.  Can you make a policy change (like block search engines) on the UTM and prove that change occurred on the endpoint?

    2) It might be that the RegEx isn't applied quite right on the endpoint.  Can you add another RegEx, just a bare "googleadservices\.com"?
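
A way to check the point 2 suggestion above against the eplog lines Volker posted earlier in the thread (an added example, not code from the thread or from Sophos): it parses the eplog key="value" format, rebuilds each URL with the scheme implied by the HTTP method (treating CONNECT as the HTTPS tunnel request is an assumption), and tests both the thread's scheme-anchored exception regex and the bare one. The sample lines are constructed, shortened copies of the posted entries with placeholder IPs.

```python
import re

# The exception regex from the Web Protection configuration quoted in the thread.
EXCEPTION_RE = re.compile(r"^https?://([A-Za-z0-9.-]*\.)?googleadservices\.com/")
# The bare host regex suggested as an alternative.
BARE_RE = re.compile(r"googleadservices\.com")

# Constructed sample lines (shortened from the posted eplog entries; IPs are placeholders).
SAMPLE_LOG = """\
2017:06:27-07:37:49 HOSTNAME eplog[9560]: id="0060" severity="info" sys="SecureWeb" sub="eplog" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="10.0.0.1" dstip="216.58.210.2" user="DOMAIN\\user" statuscode="403" url="www.googleadservices.com/" exceptions="" reason="category" category="154" categoryname="Web Ads"
2017:06:27-08:03:32 HOSTNAME eplog[9560]: id="0001" severity="info" sys="SecureWeb" sub="eplog" name="http access" action="pass" method="GET" srcip="10.0.0.1" dstip="172.217.16.162" user="DOMAIN\\user" statuscode="200" url="www.googleadservices.com/pagead/conversion_async.js" exceptions="" reason="" category="154" categoryname="Web Ads"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_eplog(text):
    """Parse eplog lines into dicts of their key="value" fields plus the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(KV_RE.findall(line))
        fields["timestamp"] = line.split(" ", 1)[0]
        events.append(fields)
    return events


def scheme_for(event):
    # Assumption: a CONNECT entry is the HTTPS tunnel request, anything else plain HTTP.
    return "https" if event["method"] == "CONNECT" else "http"


def exception_matches(event, pattern):
    """Test the URL both as logged (no scheme) and reconstructed with its scheme."""
    logged = event["url"]
    full = f"{scheme_for(event)}://{logged}"
    return {"as_logged": bool(pattern.search(logged)),
            "with_scheme": bool(pattern.search(full))}


def audit(text):
    """For each event, report how each candidate exception regex would match."""
    return [{"method": ev["method"], "action": ev["action"], "scheme": scheme_for(ev),
             "thread_regex": exception_matches(ev, EXCEPTION_RE),
             "bare_regex": exception_matches(ev, BARE_RE)}
            for ev in parse_eplog(text)]
```

For the blocked CONNECT entry the scheme-anchored regex only matches once the scheme is put back, while the bare pattern matches the host exactly as it appears in the log.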


  • Update: it is neither an issue of Anti-Virus nor of the Endpoint itself.

    It is simply the UTM which is incapable of exceptions for SSL URLs while in "Transparent Mode".


    There is a little note at the end of the online help. (◔_◔)


    Nevertheless, it's a bug regarding the UTM itself and has been escalated to global support.

    It shouldn't be possible to have URLs listed in an exception while in "Transparent Mode", or the URLs must also be checked for Endpoints and not just the UTM exclusively.

    If the UTM tries to access its own Broker (HTTPS) and is in "Transparent Mode", it shouldn't be able to communicate with Sophos at all; yet the predefined exceptions seem to work, but only for the UTM itself.


    So someone at Sophos product development just didn't know what he was doing. Also the Support told me to apply only IP addresses to the exceptions, as the online help states.

    But in the case of "googleadservices.com" it's a dynamically changing IP address and not a DNS group, and DNS Groups also cannot be applied to exceptions.


    And just for your amusement: try to think of an IP of a cloud provider: 1 IP with thousands of URLs and all kinds of different services and categories.


    So in conclusion: it is a BUG and Sophos must fix the exceptions to work on a URL basis in transparent mode, or totally redesign the entire web interface of the UTM in order to provide only the functions currently working with the current code.


    BR,

    Volker

  • Hello Volker,

    The UTM handles exceptions for SSL URLs in Transparent Mode just fine.  If it didn't, we would have thousands of customers complaining.  Since right now we have one customer with a problem, the likelihood is that you have a local issue due to your network or configuration. I hope that Support will be able to guide you through the problem.  However much we train them, there will be some support people that are better than others.  This can also be complicated by the fact that UTM support and Endpoint support are two different groups, and where UTM controls endpoint is an area that neither side is well versed in.  :)

    Based on what you have posted to the forums, I believe this to be an endpoint problem, not a UTM problem.  Now you have told Support more, and therefore they may know differently, but from what you posted of eplog showing a block, it is endpoint.

    Whereas I think it is highly unlikely that there is a UTM problem (or else we would hear more complaints), there are fewer people using Endpoint with UTM, and problems with that setup are more likely.

    Did you try changing the exception as I suggested?

    Can you try one other thing?  Disable endpoint altogether (as a Windows Administrator, go into Services and stop all the Sophos8 services) and then try.

    If endpoint is disabled (therefore you are in UTM only) and you are still blocked, I would like to see a copy of those logs.

    Finally, can you please tell me if you have HTTPS scanning on or off?

  • Hi Michael,

    As I mentioned on 29 Jun 2017 5:41 AM, it's only "URL Filtering", not decrypt and scan.

    Nevertheless I did some further research, and both the Support Employee and the UTM Online Help are incorrect.

    When I stopped all local Sophos services on my computer and entered the UTM's IP and port into my proxy settings, everything worked as expected.

    So no error at all at the UTM, my bad. But the Endpoint is not able to make HTTPS exceptions. The rules are applied, because an HTTP request is working.


    Also: I'm not using the UTM to control the Endpoints. The UTM transfers its Web Protection config to the broker (if it is available; current downtime 43,66% over 14 days) and the broker is referenced in the Sophos Enterprise Console. No further configuration is done there.

    So when an exception is made using the given RegEx, the URL is available as http on the client but not as https.

    So my conclusion would be that there is an endpoint-exclusive problem.


    BR,

    Volker