
Web Filtering not requiring authentication

Model: SG135

Firmware Version: 9.506-2

I'm not sure what I'm missing, but here is a breakdown of the issue I'm experiencing and how I have this unit configured.

When connected to the local private network, I am able to access the internet on my phone (Android with mobile data off) without authentication to Sophos. The computers on this network all connect to the domain with Active Directory, with the exception of a few Linux machines and the postage machine. For these we created exceptions (Web Protection-->Filtering Options-->Misc-->Transparent Mode Skiplist). I thought this was strange that I could access the internet without authentication, so I tried some other devices (iPads), and on those, Sophos requested a username and password to gain access to the internet. That is what I would expect on my phone. Thinking that maybe something is cached on my phone, I installed Ubuntu on a virtual machine. This machine is also connected to our local private network. I verified that it does in fact have a private IP on the network I'm referring to. After installation was complete, I executed apt-get update to download any updates. These updates come from http addresses, so I would expect that these should fail as the Linux machine has not authenticated with Sophos. Instead they download as they would without the firewall in place at all. I look at the Web Filtering log and it indicates that the device is 3, or Linux, and that the authentication method is 2, or Active Directory SSO. How is that possible? I never entered a username or password and this machine is not part of the domain.

I have also tested to see if the content filtering is working. On my phone (still with mobile data off), I can open different firearm webpages. On my PC I cannot; they are blocked as I would expect them to be. So it seems that there are very mixed results as to whether the end user will be prompted to authenticate or not. I don't recall this being an issue prior to the latest update and the one or two prior to that. Is it a bug? I haven't seen any other mention of this behavior in the forum, so I think it's just me.

Here are a few lines from the Web Filtering Log:


2017:12:15-14:53:49 sophos httpproxy[5468]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.18.114.85" dstip="91.189.91.26" user="" group="" ad_domain="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe5138a00" url="http://us.archive.ubuntu.com/ubuntu/dists/xenial/InRelease" referer="" error="" authtime="3" dnstime="29788" cattime="52940" avscantime="0" fullreqtime="188024" device="3" auth="2" ua="Debian APT-HTTP/1.3 (1.2.19)" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="United States"
2017:12:15-14:53:49 sophos httpproxy[5468]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.18.114.85" dstip="91.189.91.26" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="102128" request="0xe5138a00" url="http://us.archive.ubuntu.com/ubuntu/dists/xenial-updates/InRelease" referer="" error="" authtime="0" dnstime="0" cattime="53885" avscantime="7792" fullreqtime="308825" device="3" auth="2" ua="Debian APT-HTTP/1.3 (1.2.19)" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" sandbox="-" content-type="text/PGP"
2017:12:15-14:53:49 sophos httpproxy[5468]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.18.114.85" dstip="91.189.91.26" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="102176" request="0xe5138a00" url="http://us.archive.ubuntu.com/ubuntu/dists/xenial-backports/InRelease" referer="" error="" authtime="0" dnstime="0" cattime="53831" avscantime="8043" fullreqtime="204227" device="3" auth="2" ua="Debian APT-HTTP/1.3 (1.2.19)" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" sandbox="-" content-type="text/PGP"
2017:12:15-14:54:51 sophos httpproxy[5468]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.18.114.85" dstip="91.189.91.23" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="101165" request="0xe51a7e00" url="http://security.ubuntu.com/ubuntu/dists/xenial-security/Release" referer="" error="" authtime="3" dnstime="940" cattime="182010" avscantime="61315" fullreqtime="1540871" device="3" auth="2" ua="Debian APT-HTTP/1.3 (1.2.19)" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" country="United States" sandbox="-" content-type="text/plain"

Some of the configuration of the unit is as follows:

A masquerading rule is set up for internal network to External

Firewall rule to allow the internal network access to anywhere through HTTP or HTTPS (country blocking is also on)

Any help is appreciated!

Thank you,

Justin
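The log lines above are in the UTM's key="value" layout, and the question being asked is really "which sources are passing the proxy with no user identity, and is that expected?". The following is an added example, not code from the post or from Sophos: a small parser for that layout plus a triage pass that keeps only requests that were passed with an empty user field and whose source is not on the Transparent Mode Skiplist. The code decodes the numeric device and auth fields only as far as the post states them (device 3 = Linux, auth 2 = Active Directory SSO); the skiplist contents and the sample log lines below are constructed for the example, not taken from a real unit.

```python
"""Triage Sophos UTM httpproxy log lines for requests that were passed with
no identified user.  Hypothetical helper written for this thread; it is not a
Sophos tool and makes no claim about how the UTM assigns these fields."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

# Code meanings as stated in the post above; other values are left undecoded.
DEVICE_CODES = {"3": "Linux"}
AUTH_CODES = {"2": "Active Directory SSO"}

# Constructed stand-in for the Transparent Mode Skiplist mentioned in the post
# (Web Protection > Filtering Options > Misc).  Real entries come from the UTM.
SKIPLIST: Set[str] = {"10.18.114.200"}

# Constructed sample lines in the same layout as the post's Web Filtering log.
# Line 1 and 4 mirror the post's case (Linux box, auth="2", user=""); line 2 is
# a normally authenticated user; line 3 is the skiplisted postage machine.
SAMPLE_LOG = """\
2017:12:15-14:53:49 sophos httpproxy[5468]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.18.114.85" dstip="91.189.91.26" user="" group="" ad_domain="" statuscode="200" url="http://us.archive.ubuntu.com/ubuntu/dists/xenial/InRelease" device="3" auth="2" ua="Debian APT-HTTP/1.3 (1.2.19)" categoryname="Uncategorized"
2017:12:15-14:55:02 sophos httpproxy[5468]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.18.114.50" dstip="203.0.113.10" user="jdoe" group="Domain Users" ad_domain="EXAMPLE" statuscode="200" url="http://www.example.com/" device="1" auth="2" ua="Mozilla/5.0" categoryname="Uncategorized"
2017:12:15-14:55:40 sophos httpproxy[5468]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.18.114.200" dstip="203.0.113.20" user="" group="" ad_domain="" statuscode="200" url="http://postage.example.com/rates" device="0" auth="0" ua="PostageClient/2.0" categoryname="Uncategorized"
2017:12:15-14:56:10 sophos httpproxy[5468]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.18.114.85" dstip="91.189.91.23" user="" group="" ad_domain="" statuscode="200" url="http://security.ubuntu.com/ubuntu/dists/xenial-security/Release" device="3" auth="2" ua="Debian APT-HTTP/1.3 (1.2.19)" categoryname="Internet Services"
"""

# "<timestamp> <host> <process>[<pid>]: <key="value" ...>"
HEADER_RE = re.compile(r'^(\S+) (\S+) (\S+?)\[(\d+)\]: (.*)$')
# key="value"; values may contain spaces and parentheses but no double quotes
KV_RE = re.compile(r'(\S+?)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Split one httpproxy log line into a flat dict of its fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an httpproxy log line: {line[:60]!r}")
    ts, host, proc, pid, rest = m.groups()
    rec = {"timestamp": ts, "host": host, "process": proc, "pid": pid}
    rec.update(KV_RE.findall(rest))
    return rec


def triage(lines: Iterable[str], skiplist: Set[str] = SKIPLIST) -> List[Dict[str, str]]:
    """Return passed requests that carry no user identity and do not come from
    a skiplisted source, i.e. the cases an admin would not expect to see."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") != "pass":
            continue            # blocks and denials are not the question here
        if rec.get("user"):
            continue            # an identified user is the expected outcome
        if rec.get("srcip") in skiplist:
            continue            # deliberately exempted from authentication
        rec["device_name"] = DEVICE_CODES.get(rec.get("device", ""), "unknown")
        rec["auth_name"] = AUTH_CODES.get(rec.get("auth", ""), "unknown")
        findings.append(rec)
    return findings


def sources_by_count(findings: List[Dict[str, str]]) -> Counter:
    """How many unexpected unauthenticated passes each source IP produced."""
    return Counter(f["srcip"] for f in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["timestamp"]} {h["srcip"]} device={h["device_name"]} '
              f'auth={h["auth_name"]} ua={h["ua"]!r} -> {h["url"]}')
    print("per source:", dict(sources_by_count(hits)))
```

Running it against the constructed sample reports only the two Linux-box requests, which is the shape of the problem in the post: a source that is not on the skiplist, is not a domain member, and still shows auth="2" with an empty user. Pointing the same triage at a day's worth of exported log lines (every line from the post's log parses with the same regex) gives a per-IP list to compare against the skiplist and the AD membership list, which is the first thing to confirm before treating the behavior as a firmware bug.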


