We'd love to hear about it! Click here to go to the product suggestion community
I've got a client whose QuickBooks updates fail on an XG125 with XG OS 17.0.3 MR-3 unless we disable http scanning and IDS on the firewall rule. The firewall and web filter do not log any denies. I've also seen some odd behavior with streaming installs of Office 365 and Dropbox on this same firewall.
I had a similar problem. I added the following under Web->Exceptions as a URL Pattern Matching exception:
In reply to GaryChancellor:
This solution is also good for "payroll updates".
The only log entries were in the firewall under rule 0. No Web Filter denies.
I also had the same problem. What I want to know is why the F*@# is it not logging anything considering it is absolutely the root of the issue within Sophos. This is not the first time, it happens quite often that we are unable to determine why something isn't working only to find out Sophos doesn't log the action it is blocking. This needs to improve.
In reply to Alex Burt:
which log did you review? Logviewer - web and application? Also you might need to add exceptions in the applications policies. I was getting stuff blocked in web until I added an exception in application.
In reply to rfcat_vk:
Hi Ian -
Checked all logs thoroughly (Firewall, App filter, IPS, Malware, Web content, Web filter, etc) for all traffic in the given time period to& from the IP of the machine running Quickbooks, and nothing whatsoever showed as blocked, failed, denied, dropped, etc. All typical activity was being logged, but nothing regarding the blocking. This has happened with quite a few similar issues I've had in the past. The way I finally prove it is to either bypass the Sophos entirely, or more recently I have created a single physical interface on the Sophos with a separate network that is "wide open" with no policies or inspection on any traffic, and I patch the machine in to test. Magically the problems go away. It appears that there are some hidden rules or policies that result in silent drop without any logging. Nothing shows in reports generated either (tried anything relevant).
I have the exact same problem with XG125. Any ideas why nothing is logged. Did anyone find anything, its very annoying.
In reply to Ryan Homan:
I just had this problem occur on an SG-105 with the web filter exception rule for QB domainsrule in place. The web filter log showed blocked GETs from an Akamai address so it's worth trying to find that. You may have to SSH in to your XG and use grep since XG logging isn't as accessible as the SG UTM lgs.
I think that Ian is on the right track here. The Applications filtering has given me a world of hurt. It tends to block programs (Bitdefender, ChromeBook, etc) without any logging. My life is much simpler now that I've disabled it. Even if you move forward with the realization that you need to create exemptions, it can be a pain digging up the various domains to add for the various programs/apps that you need to exempt.
In reply to Casual_User:
depends on the level of security you are trying to provide? If you want to check for bad stuff you need to use the application function in conjunction with the web and https scanning.
Just wanted to say thanks tto @GaryChancellor for providing this solution.
I just recently had this issue where QB would fail getting Payroll updates with Error 15222. After about 6 hours & many attempts to resolve reference QB articles based on that error code, and also attempting to repair / uninstall / re-install QB software,I finally decided to look this up here. This solution was spot on. I applied the changes outlined by Gary and problem resolved.
P.S. What also led me to search here at Sophos for info on the issue, was that while attempting to re-install QB, the QB stub setup program would fail almost immediately while attempting to download the package (first you download the stub installer, then that program actually downloads the QB package to install...the stub program would download, but running it would fail in that it could not connect to QB servers). Once that started to occur too, I decided it was not an issue with the machine or QB installation.
Again thanks to Gary.
In reply to Lonnie Thibodeaux:
I am glad it was useful. I have had multiple scenarios with these over Office365, Microsoft Updates, QB Updates and others. Researching them is frustrating without any real information. I have a separate install on my laptop (paid for) that I use for testing. My clue was: it worked when I connected outside the network, but not on my Sophos protected network.
This is definitely one of the frustrating aspects of using HTTPS Decryption. I find often an application or website won’t work but there’s nothing in the logs that indicates an issue. In fact, it appears everything is normal. I basically just look for any URLs related to the application or website (web filter in the logs) and start adding them to a web exception until it starts working. There’s some applications I end up adding an entire category to get it to work.
I’ve created a page on the Sophos Wiki here to document the URLs that I know don’t work with HTTPS Decryption:
Would be a great place for the community to consolidate their findings (it’s editable by any user) to save other folks the hassle of having to troubleshoot.
at least for SG you need these lines with the additional HTTPS part.
XG may need it also but this solved the issue on SG
with the lines originally recommended it did not work.
My exception is now broken, was working until a couple weeks ago.
2020:08:06-10:20:34 httpproxy: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="X.X.X.X" dstip="X.X.X.X" user="" group="" ad_domain="" statuscode="416" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xd0e18e00" url="http://qb28fgocdsp.quickbooks.com/ud/355051"