Sophos UTM9 timing out HTTP requests after 60 seconds

We've recently gone live with Sophos UTM9 in our production environment. We're seeing now that some long-running requests are being denied with 504 errors. Our application servers run on an apache/tomcat/ubuntu environment. Tomcat is configured with a 600 second timeout and prior to moving into the Sophos environment that was working perfectly fine. Why they take so long is not the point of this topic. We have a requirement to allow these long-running HTTP requests and it seems like Sophos is now preventing that from happening. Let me give you a little rundown of what is enabled in Sophos right now:

- Firewall
- Intrusion Prevention
- Remote Access
- Web Application Firewall (Firewall Profile is set to Monitor)

In my research I came across many discussions on this forum talking about running: cc set http response_timeout 600. I've tried this and it's had no effect. I ran it as root and if I run cc get http response_timeout it returns 600 as it should. I've also tried running /var/mdw/scripts/httpproxy restart as recommended in one of those discussions.

After these changes I'm still seeing 504s after 60 seconds.

Does anyone have any ideas?
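
The following is an added example, not part of the original post or of any Sophos or Tomcat tooling. It is a small POSIX shell probe for telling apart a 504 produced by a device in front of the application (the ~60 s cutoff seen here) from one produced by Tomcat's own configured limit (600 s here). The URL, the 700 s curl cap and the 55/120/590 s bands are assumptions derived from the figures in the thread, not values from Sophos documentation.

```shell
#!/bin/sh
# Added example (not from the thread). Measures one request's status code and
# wall-clock time with curl, then classifies where the cut-off most plausibly
# happened using the two timeouts discussed above: ~60 s (intermediary) and
# 600 s (Tomcat). Thresholds and the URL are constructed assumptions.

# classify_timeout STATUS ELAPSED_SECONDS
# Prints one of: intermediary-timeout, backend-timeout, completed, other.
classify_timeout() {
    status="$1"
    elapsed="$2"
    elapsed_int=${elapsed%%.*}   # drop fractional seconds (curl prints e.g. 60.123)
    if [ "$status" = "504" ] && [ "$elapsed_int" -ge 55 ] && [ "$elapsed_int" -lt 120 ]; then
        echo "intermediary-timeout"   # cut off near 60 s: something in front of Tomcat
    elif [ "$status" = "504" ] && [ "$elapsed_int" -ge 590 ]; then
        echo "backend-timeout"        # reached Tomcat's own 600 s limit
    elif [ "$status" = "200" ]; then
        echo "completed"
    else
        echo "other"
    fi
}

# probe_url URL
# Issues one request and prints "STATUS ELAPSED" using curl's built-in timing.
# --max-time is set above Tomcat's 600 s so the probe never hangs forever.
# Requires network access; the classifier above is the part that runs offline.
probe_url() {
    curl -s -o /dev/null -w '%{http_code} %{time_total}\n' --max-time 700 "$1"
}

# Usage against a live endpoint (hypothetical URL):
#   result=$(probe_url https://example.invalid/slow-report)
#   classify_timeout $result
```

Run the probe from a client inside the Sophos path and again from one outside it, as the poster describes; if the inside run classifies as intermediary-timeout at about 60 s while the outside run completes or only hits backend-timeout, the cutoff is being applied before the request reaches Tomcat, which is what the thread's WAF log review is meant to confirm.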

  • (Moving this thread to the Web Protection forum.)

    Nolan, the only thing you can do for a 504 error is to create an Exception for SSL Scanning for the site(s) involved. I usually include the Finance/banking, Health and Pharmacy categories in that Exception. For a site that continues to time out, you must skip the Proxy for the site. This is done differently in Standard and Transparent modes.

    Cheers - Bob

  • In reply to BAlfson:

    Thanks for the response. I don't really know what to do given the response. Where do I create the exception? Under the web application firewall profile? I have an application server sitting in an internal load balancer that traffic gets routed to through Sophos. Customers can create their own processes and run them; sometimes they can take some time. How do I extend the allowed timeout in Sophos, or disable it and let our tomcat server handle the timeout? We have this firewall profile set to monitor, so the fact that it makes a difference at all concerns me.

  • In reply to Nolan Brassard:

    Just to build a little more on that. These are all incoming requests, not outgoing. The response made it seem like outgoing requests are timing out, but they are not. Someone clicks a button in our UI, it makes a request to the same server hosting the UI, and that times out quicker than our Tomcat server is configured. This works perfectly fine if the machine is taken outside the Sophos network.

  • In reply to Nolan Brassard:

    You're right, Nolan. When I found your post in the General Discussion forum, and saw a complaint (504) normally made about Web Filtering, I assumed that that's what you meant. I'll move this thread to the Web Server Security forum.

    We would need to see the relevant section of the WAF log, probably 10-to-50 lines. I suspect that your web server has some code that objects to SSL traffic being antivirus scanned.

    Cheers - Bob