Network rule strange behaviour

Hello,

On our XG125 we have a default LAN to WAN rule (any host and any service) with only HTTP scanning; this rule is set at the bottom.

For some testing I want to have a network rule for one PC. This rule is set at the top and has a web filter + application filter applied to it, so the rule is as follows:

Source: LAN, Device: TEST-PC (added as MAC host)
Destination: WAN, Service: ANY
Web Malware and Content Scanning: Scan HTTP, Decrypt and Scan HTTPS, Block Google QUIC
Custom web filter applied and custom application filter applied; web filter and app filter are set to anyone

I installed the Sophos CA cert on the client, and the client could indeed not access the websites that I set in the web filter.


However, other clients on the network received a cert error on HTTPS websites, because the firewall tries to decrypt and scan, but the Sophos cert is not installed on the other PCs.

From my understanding, rules are read from top to bottom, so why is the rule not skipped by other clients besides TEST-PC? It seems that it skips the web filter, because other clients can browse the sites blocked for TEST-PC just fine, but HTTPS decrypt is not skipped?

  • Hi,

    Please provide log viewer entries showing the traffic through your top rule.

    Ian

  • In reply to rfcat_vk:

    Hello Ian,

    Thank you for your reply.

    Rule 1 is the LAN-WAN any-any rule and Rule 5 is the special rule for the user.

  • In reply to TonV:

    Hi TonV,

    Both rules are using the proxy.

    Please post expanded versions of both rules as screenshots.

    Thank you

    Ian

  • In reply to rfcat_vk:

    Sorry, do you mean the Open PCAP log?

  • In reply to TonV:

    Hi,

    No, the actual firewall rules.

    Ian

  • In reply to rfcat_vk:

    Those are the rules. I noticed that even if I remove the HTTPS decrypt, it still uses the Sophos SSL CA.

    BTW, maybe related: I turned on micro app discovery.

  • In reply to TonV:

    Yep, it was the micro app discovery. If enabled, it seems to be system-wide, not only for the rule with HTTPS decrypt, which would better fit my needs, to be honest.

    For reference:


    Via the console, type in: system application_classification microapp-discovery off

    By default this is turned off.
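The thread's confusion comes from mixing a per-rule setting (HTTPS decryption on Rule 5) with a system-wide one (micro app discovery). The model below, an added illustration written for this page and not Sophos code, shows first-match rule evaluation from top to bottom: a device matches exactly one rule, so per-rule web filtering and decryption only reach TEST-PC, whereas a global flag affects every client regardless of which rule it hits. The MAC addresses, hostnames and rule names are constructed, and treating micro app discovery as forcing TLS interception on all rules is an assumption taken from the poster's observation, not from Sophos documentation.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, List, Dict


@dataclass
class Rule:
    """One firewall rule; source_macs=None means 'any device'."""
    name: str
    source_macs: Optional[Set[str]]
    decrypt_https: bool                      # per-rule HTTPS decrypt & scan
    web_filter: Set[str] = field(default_factory=set)  # blocked hostnames


@dataclass
class Firewall:
    rules: List[Rule]                        # evaluated top to bottom
    microapp_discovery: bool = False         # system-wide setting (assumption: forces interception)

    def match(self, mac: str) -> Optional[Rule]:
        """Return the first rule whose source matches; later rules are never consulted."""
        for rule in self.rules:
            if rule.source_macs is None or mac in rule.source_macs:
                return rule
        return None

    def evaluate(self, mac: str, host: str) -> Dict[str, object]:
        """Decide what happens to a client (by MAC) browsing to host."""
        rule = self.match(mac)
        if rule is None:
            return {"rule": None, "action": "drop", "tls_intercepted": False}
        blocked = host in rule.web_filter
        # Per-rule decryption applies only to the matched rule; the global
        # flag applies everywhere, which is why untrusting clients see cert errors.
        intercepted = rule.decrypt_https or self.microapp_discovery
        return {"rule": rule.name,
                "action": "block" if blocked else "allow",
                "tls_intercepted": intercepted}


TEST_PC_MAC = "00:11:22:33:44:55"            # constructed sample MAC
OTHER_PC_MAC = "aa:bb:cc:dd:ee:01"           # constructed sample MAC


def build_example_firewall(microapp_discovery: bool = False) -> Firewall:
    """Rule 5 (specific, on top) above Rule 1 (any-any, at the bottom), as in the thread."""
    rule5 = Rule("Rule 5 (TEST-PC)", {TEST_PC_MAC}, decrypt_https=True,
                 web_filter={"blocked.example"})
    rule1 = Rule("Rule 1 (LAN-WAN any-any)", None, decrypt_https=False)
    return Firewall(rules=[rule5, rule1], microapp_discovery=microapp_discovery)


if __name__ == "__main__":
    for flag in (False, True):
        fw = build_example_firewall(microapp_discovery=flag)
        print(f"micro app discovery {'on' if flag else 'off'}:")
        print("  TEST-PC  ->", fw.evaluate(TEST_PC_MAC, "blocked.example"))
        print("  other PC ->", fw.evaluate(OTHER_PC_MAC, "blocked.example"))
```

Running it shows the other PC always landing on Rule 1 and being allowed through the web filter, but with `tls_intercepted` flipping to True as soon as the global flag is on, which matches the symptom of certificate errors on clients that do not trust the Sophos CA.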