WhatsApp Issue with Web Protection

hello everyone 


when ever i turn on web protection for a rule users who can use internet through this rule can use whatsapp application on there phones or web whatsapp

i tried to make a workaround for web whatsapp and created a top rule that allow access to web whatsapp and turned off web protection and that solved web whatsapp problem 

now my problem is with the application it self it wont work until i turn off the web protection 

although i made exception for it in the PROTECT>Web>Exceptions and checked the log viewer and it is all green and all http and https scan & Decrypt  are turned off 

is there any solution for this issue ?

thank you 

  • In reply to Michael Ploch1:

    Service All basically means every port.  Effectively allowing Service All means the firewall starts allowing everything and no longer protects as a firewall should.

    Useful for debugging, horrible for security.  Its like getting a really expensive deadbolt for your front door and then leaving your door wide open.  :)

  • In reply to Michael Dunn:

    Thank you, then I'd been right. For testing purposes I moved all WiFi Clients into a separate VLAN with its own Firewall rule on that VLAN.  Therefore I allowed all services so unfortunately this does not seem to be my solution either.

    Michael, do you think this could be related to my VLAN Setup? According to my logs I also had some default Drops (rule ID 0) with "Could not assocate packet to any connection"

    Thank you for everthing so far.

    Additionaly: I am testing with our Aruba Access Points at the moment, using a SSID that does not support Roaming accross other APs. Maybe something happens to the session during roaming and Sophos stumbles upon that. Just to exclude the Aruba I'll give that a try. Keep you updated.

  • In reply to Michael Ploch1:

    My recommendation from Sept 1 still stands.


    1) You have done a bunch of work to diagnose.  It is very hard for people in the forums to diagnose.  It is easier for Sophos Support to since you can give them direct access to your system.  Raise a ticket and pester them.


    2) Use firewall rules to bypass the proxy just for these connections.  Create FQDN Host objects for all of the whatapp domains and then put in a high level rule the has them as the destination, service any.  Traffic that is not for WhatsApp still uses your regular firewall rule with web proxy.



  • Hi guys,


    That way i solved the problem of Whatsapp not working properly behind a Sophos UTM 9.x




    3. Add a new rule that looks like:  from "Internal Network" - service "whatsapp" - to "any"

        You drag and drop these three categories from the left side of the menu to the right side. "whatsapp" is a preconfigured setting provided by the Sophos UTM.

        Save it, activate it. 

        I use the transparent proxy mode. Pharming protection enabled.


    4. Add a new rule that looks like: from "Internal Network" - "TCP 5222, TCP 5223, UDP 3478" - to "any"

        That rule was key for making my setup work completely. Without, only chat worked but calls only between devices on my LAN.


    5. I´v added this rule but I am not 100% sure if it is really necessary after 4.):

        First, I did a static address mapping for my IOS devices as these are the only ones I use for Whatsapp video/ audio calls and chats. 
        I want only my IOS devices being allowed to use Whatsapp so that no attacker from outside could get through to my NAS, printer or any other devices not intended to use Whatsapp.

        Also, Whatsapp calls initiated from a device within my LAN should work to any other Whatsapp user, may he be on the web or in my LAN, too.

        Therefor I added a new rule that looks like: from "Any" - "whatsapp" - to: <here I selected all my IOS devices that show up in the left selection menu>


    6. ACTIVATE all these rules with the activation button!



    Whatsapp chats via webbrowser from my PCs work.

    Whatsapp chat now works fast, audio and video calls work from my IOS devices, too.


    Good luck and my you save a lot of time that I had to put in...

    BR Alex.

  • In reply to Alexander Weinbacher:

    I thought this was for XG, not UTM?

  • In reply to Jon Bruce:

    right, but it is the same config concept for XG and for UTM.

  • In reply to Alexander Weinbacher:

    Under the XG, there is nothing to drag and drop from the left side, there are no categories under network protection - firewall. There are categories under web protection.

  • In reply to Jon Bruce:

    What rules do you have set from LAN > WAN?  As in do you have an Any > Any rule, or do you have separate rules for http, https etc...


    You will need a rule for XMPP over SSL (5223), plus 5222 and 5228 TCP ports.



  • In reply to Michael Dunn:

    I finally, after months, solved the issue:


    Go to Web Protection -> Generall Settings -> HTTPS decryption and scanning and then UNCHECK "Block unrecognized SSL protocols"

    Somewhere I read about Whatsapp using invalid SSL. Thats the point here. Wished my firewall had more clear logfiles. Impossible to work with the logfile to solve this. Thats the sad point. The lucky point is, it is working :) :) :) Finally! ;)


    Works with pharming protection on, btw. And I dont need any exceptions. You can leave "Block invalid certificates" checked.