WhatsApp Issue with Web Protection

Hello everyone,

Whenever I turn on web protection for a rule, users who can use the internet through this rule can use the WhatsApp application on their phones or WhatsApp Web.

I tried to make a workaround for WhatsApp Web: I created a top rule that allows access to WhatsApp Web and turned off web protection, and that solved the WhatsApp Web problem.

Now my problem is with the application itself; it won't work until I turn off web protection,

although I made an exception for it in PROTECT > Web > Exceptions and checked the log viewer, and it is all green and all HTTP and HTTPS scan & decrypt options are turned off.

Is there any solution for this issue?

Thank you

  • In reply to Michael Ploch1:

    Can you please:
    Click Log Viewer
    Click the icon to go to detailed view
    Select the Module Web Filter.
    Reproduce the problem.
    The important thing is any red icon lines, and the context around them.  Please screenshot, copy paste, or download and attach the log.
     
    If there are no red lines, then just send whatever is there at the time the problem occurs.
  • In reply to Michael Dunn:

    I could log while the error/delay occurred.

    The problem occurred two times, please see below. There are NO red lines, but some entries right around the time the delay occurred. I am not sure what they tell me, or how to solve them. The logfile is clean as long as WhatsApp runs smoothly. No idea why this temporarily works sometimes, sometimes not.

    If I deactivate my Web Policy, the error NEVER occurs. My policy at the moment only has a default "allow all" and a deny "url1, url2, etc.".

    I don't have any clue...

    Thank you in advance for any kind of help!

    community.sophos.com/.../log_5F00_whatsapp.xlsx

  • In reply to Michael Ploch1:

    No red lines means there was not a deliberate block, it does not mean there were not errors.

    See the lines that have status_code="502".  That's an error code.  It's either an error code that is generated by the WhatsApp server and being passed via the proxy, or it is one that the proxy itself is generating because it has a problem with the connection.

    The dst_ip looks fine and I suspect that pharming protection (the original thread, and something that is fixed) is not related.

     

    There are two courses of action right now.  The first is to contact support and have them take a deeper look at your system, get debug level logs, etc.  That can better determine if there is a config issue, a code issue, or just a straight out incompatibility.

    The other is to just say whatever and bypass the proxy for this type of connection.  Which you might need to do anyway based on the investigation.

    See https://community.sophos.com/kb/en-us/128173 section "Create a firewall rule for a website".
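The triage described in the reply above (no red lines, but allowed requests that end in a 502), as an added example that is not part of the original thread or any Sophos tooling. Only `status_code` and `dst_ip` are named in the thread; the other field names, the key="value" layout and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the attached log). status_code and
# dst_ip are the fields named in the thread; the other keys are assumptions.
SAMPLE_LOG = '''\
time="09:14:02" log_subtype="Allowed" domain="chat.example.net" dst_ip="203.0.113.10" status_code="200"
time="09:14:07" log_subtype="Allowed" domain="chat.example.net" dst_ip="203.0.113.10" status_code="502"
time="09:14:09" log_subtype="Denied" domain="ads.example.org" dst_ip="198.51.100.7" status_code="403"
time="09:14:11" log_subtype="Allowed" domain="chat.example.net" dst_ip="203.0.113.11" status_code="502"
time="09:14:15" log_subtype="Allowed" domain="chat.example.net" dst_ip="203.0.113.10" status_code="502"
garbled line without fields
'''

PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(PAIR.findall(line))

def allowed_but_failed(log_text):
    """Entries the policy allowed (no red line) that still ended in a 5xx."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        code = rec.get("status_code", "")
        allowed = rec.get("log_subtype") == "Allowed"
        if allowed and code.isdigit() and 500 <= int(code) <= 599:
            hits.append(rec)
    return hits

def errors_by_destination(log_text):
    """Count allowed-but-failed entries per (dst_ip, status_code)."""
    return Counter((r.get("dst_ip", "?"), r["status_code"])
                   for r in allowed_but_failed(log_text))

if __name__ == "__main__":
    for (ip, code), n in errors_by_destination(SAMPLE_LOG).most_common():
        print(f"{ip} status {code}: {n} allowed request(s) failed")
```

Grouping by destination shows whether the errors cluster on one server address or are spread across all of them, which is useful context to hand to support.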

     

     

  • In reply to Michael Dunn:

    thanks a lot, Michael!

    Will try both ways you suggested. If both won't work I think I will contact support...

    Keeping you updated! Thanks a lot for assistance so far.

  • In reply to Michael Ploch1:

    Hey,

    I contacted them yesterday and they replied to check the log viewer and check if there is anything blocked by the web protection filter.

    I replied that there is not anything blocked and clarified all the steps I took in an attempt to solve the issue, but I am still waiting for their answer.

    Please don't forget to update us with their reply.

    Thank you

  • In reply to Michael Ploch1:

    Hello,

    Sorry for bringing this thread up again.

    I was able to solve the problem one more time by adding each category I want to block in a separate rule inside the web policy.

    Once I did it, the WhatsApp application worked smoothly without delay.

    Try to do the same and let us know.

    Thanks

  • In reply to M.Hegazy:

    Interesting, I had the same issue with WhatsApp. I disabled the pharming protection, created exceptions and allowed the ports. It worked for a while, then the problem reappeared. As you all said, the log viewer doesn't help at all with this problem; it is not showing any problem or error.

    I will try your method and let you know

  • In reply to Wadood:

    great

    try to do the same and let us know what happened

  • In reply to M.Hegazy:

    So I am not really making progress, thinking about opening a support case...

    I have tried everything I could imagine but still could not make any progress. The error still occurs as soon as I activate web protection.

    Funnily enough, those devices have a different error as soon as I deactivate the web policy, but that seems to be a different story.

    I really don't have that complicated a setup, and I am really getting frustrated with that XG. Obviously some of the solutions are working for some of us, but not for others... really confusing, and log files do not help at all.

     

    anyone else making progress with that whatsapp piece of sh*t???

  • In reply to Michael Ploch1:

    It is the WhatsApp application doing HTTP requests to a WhatsApp server.  It may not be following normal HTTP standards.

     

    Can you try something:

    Go into the console (not ssh shell).  So in the menu choose (4 Device Console).

    show http
    set http add_via_header off
    set http relay_invalid_http_traffic on

     

    Try again.  If it is still broken, please revert the changes.

     

    Next thing would be to see if the problem is with other ports.  Are the ports listed here allowed through the firewall?

    https://www.quora.com/What-is-the-port-number-for-whatsapp

     

  • In reply to Michael Dunn:

    Michael, thank you in advance! Will try that step by step.

     

    How is the console setting to be assessed in terms of security? I mean, filtering out invalid HTTP traffic: if you don't, is this weakening security somehow?

    Thanks a lot Michael

    Getting back once I have tested both suggestions and found something new. Great forum support, thank you!

  • In reply to Michael Ploch1:

    It can potentially decrease security because that traffic cannot be scanned.  Basically traffic that is using port 80/443 must conform to the HTTP standard for us to be able to scan the traffic.  This setting basically decides whether non-HTTP traffic or malformed traffic gets blocked or allowed.

     

    An example is a type of media streaming called icycast, not commonly used these days.

    The HTTP standard is the client sends GET http://somesite and the server responds with 200 OK.

    With an icycast, the client sends GET http://somesite and the server responds with 200 ICY.

    That response does not conform to the HTTP standard and is therefore not allowed.  Turning this global option on would allow it.
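The conformance check described in the reply above, as an added example that is not part of the original thread and is not Sophos's implementation. It is a simplified model: the function names, the `relay_invalid` parameter and the sample responses are constructed for illustration, and only the first line of the response is checked against the RFC 9112 status-line grammar.

```python
import re

# RFC 9112: status-line = HTTP-version SP status-code SP [ reason-phrase ]
STATUS_LINE = re.compile(rb"HTTP/(\d)\.(\d) (\d{3}) ([\t \x21-\x7e\x80-\xff]*)")

def classify_response(raw: bytes):
    """Return (verdict, detail) for the first line of a server response."""
    line, sep, _ = raw.partition(b"\r\n")
    if not sep:
        return ("invalid", "no CRLF-terminated status line")
    m = STATUS_LINE.fullmatch(line)
    if m is None:
        return ("invalid", "first line is not an HTTP status line: %r" % line)
    code = int(m.group(3))
    if not 100 <= code <= 599:
        return ("invalid", "status code %d outside 100-599" % code)
    return ("http", "HTTP/%s.%s %d" % (m.group(1).decode(), m.group(2).decode(), code))

def proxy_decision(raw: bytes, relay_invalid: bool) -> str:
    """Model of the choice the thread describes: scan, relay unscanned, or block."""
    verdict, _ = classify_response(raw)
    if verdict == "http":
        return "scan"
    return "relay-unscanned" if relay_invalid else "block"

# Constructed responses, not captured traffic.
SAMPLES = {
    "web server": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "stream, as quoted in the thread": b"200 ICY\r\n\r\n",
    "stream, ICY-style first line": b"ICY 200 OK\r\nicy-name: demo\r\n\r\n",
    "non-HTTP binary framing": b"\x00\x10\x00\x01hello",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:32} default={proxy_decision(raw, False):6} "
              f"relay_on={proxy_decision(raw, True)}")
```

With the relay option on, every response that fails the grammar check is passed through without content scanning, which is the security cost described in the reply.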

  • In reply to Michael Dunn:

    So just to be sure, in order to undo the changes I have to:

     

    show http
    set http add_via_header on
    set http relay_invalid_http_traffic off

     

    correct?

  • In reply to Michael Ploch1:

    Correct, that will set them back to their defaults.  Though it might not have been clear, when I wrote the original

    show http

    that was so you could see and remember the currently set options before fiddling so you could return them back.

  • In reply to Michael Dunn:


    set http add_via_header off
    set http relay_invalid_http_traffic on

    It did not work, unfortunately; this morning I had the same circumstances.

     

    Dumb question: if I allow services "all" in firewall rules, do I have to open specific ports additionally somewhere? Just to ensure that I am doing it correctly...