Sophos XG v18 web filter, application and firewall bugs, EICAR randomly blocked. Same story with the commercial/appliance license?

I set up my Sophos XG appliance (third-party HW, not Sophos) with all services activated, such as SSL/TLS, AV, web filter, etc.

I set a web filter to block, for example, Phishing and Fraud. Today I opened the Reports page and found something I had never seen before:

- blocked web domains: fls-eu.amazon.com (Phishing and Fraud)

- blocked web applications: Amazon.com

- the Amazon website opened in Firefox on a Windows 10 PC worked fine anyway (I think)

 

Two weeks ago, after my first install, it was a pleasure to download the EICAR test files over HTTP and HTTPS: all blocked, nothing arrived at the clients, and so no Norton Internet Security alerts while the content was blocked, because they were not necessary.

Two weeks later, with no particular changes in the config, Sophos randomly blocks 3 downloads from that site and only from HTTPS URLs. The fourth file over HTTPS and all 4 over HTTP are always downloaded and blocked by Norton. Yes, I verified: the files were completely downloaded and the content viewable (if they were empty it could be OK, but this is not the case).

And Sophos warns and blocks... LOL

 

Latest bug found in the Rules and policies section: when editing a single rule, in SCAN AND MAIL CONTENT, when you click on any of SCAN IMAPS, POPS, no matter which port, you click and Sophos says, for example:

"Common ports missing from Services for IMAPS. Add Ports"

You click on Add Ports and in Services you find the ports that were not yet inserted. All well? NO.

If you apply this change to the rule/policy, the appliance stops ALL internet traffic!!!! WHY?

 

In the end, terrible log reporting with a lot of information missing: where do you find detailed SSL/TLS blocks? I researched for days... no way to find what Sophos blocks. Solution? SSL/TLS turned OFF when I need to use some not completely supported apps on Windows.

And what about the exclusion list? It is enormous, plus the list that customers add because many things work badly, and you could say the fast way is turning off SSL/TLS inspection.

OK Sophos, fast decryption with a minor loss of performance, because the simple way is the EXCLUSION LIST.

 

I used Zyxel USG firewalls for ten years; I have not yet tried the new ATP series and never tried their SSL/TLS inspection, surely poor in performance, but none of the firewalls I used from them were ever as unstable and buggy as Sophos!!!!! I tried Sophos as a trial, looking for performance improvements, but if the Home version is the same as the commercial version, except for the cloud features... let me say this is a bad start!

Really disappointed!

I was thinking of buying an xg135v3 with 3 years of Total Protect... in my area less than 4000 Euro. Surely not after these problems.

  • I'm not here to defend Sophos, but a lot of your issues sound like configuration issues, not Sophos XG issues.

     

    Stefanuz

    I set a web filter to block, for example, Phishing and Fraud. Today I opened the Reports page and found something I had never seen before:

    - blocked web domains: fls-eu.amazon.com (Phishing and Fraud)

    - blocked web applications: Amazon.com

    - the Amazon website opened in Firefox on a Windows 10 PC worked fine anyway (I think)

    Did you actually find out why it was blocked? Did you open the Log Viewer when it happened and see the actual reason for it? Just appearing on the Reports page doesn't mean that much.

    I have a lot of traffic being blocked to *.amazon.com from my Fire Stick, but just opening the Log Viewer and going to Web Filter and SSL/TLS Inspection shows the exact reason why it's being blocked.

    Example:

     

    Stefanuz

    Two weeks ago, after my first install, it was a pleasure to download the EICAR test files over HTTP and HTTPS: all blocked, nothing arrived at the clients, and so no Norton Internet Security alerts while the content was blocked, because they were not necessary.

    Two weeks later, with no particular changes in the config, Sophos randomly blocks 3 downloads from that site and only from HTTPS URLs. The fourth file over HTTPS and all 4 over HTTP are always downloaded and blocked by Norton. Yes, I verified: the files were completely downloaded and the content viewable (if they were empty it could be OK, but this is not the case).

    And Sophos warns and blocks... LOL

    "no particular changes in the config": I hate to be that guy, but this really sounds like a configuration issue on your part; it looks like you made a separate rule with AV scan only on HTTPS traffic and the HTTP traffic didn't have AV scan on. Also, are you on v18 or v17.5? Are you using the Web Proxy or the new DPI engine? Could you even show the rule?

     

    Stefanuz

    Latest bug found in the Rules and policies section: when editing a single rule, in SCAN AND MAIL CONTENT, when you click on any of SCAN IMAPS, POPS, no matter which port, you click and Sophos says, for example:

    "Common ports missing from Services for IMAPS. Add Ports"

    You click on Add Ports and in Services you find the ports that were not yet inserted. All well? NO.

    I can't quite understand, but are you saying that when you're creating/editing a rule for mail scanning and click on SCAN IMAPS/POPS it's not putting it in the rule? One thing: you NEED to click on "Add Ports" after you select what you want to scan, so it puts it inside the "Services" tab. If you don't do this while creating a new rule, it will be left as "ANY" service, and of course any Web/App policy will be applied to all traffic in your zone.

     

    Stefanuz
    If you apply this change to the rule/policy, the appliance stops ALL internet traffic!!!! WHY?

    There's no possible way all internet traffic is dropped after creating a scan rule for POPS/IMAPS; when you select those mail scan options, it will only scan over the corresponding ports, such as SMTPS (25, 587), and so on. It will not affect any other traffic such as HTTPS (443).

     

    Stefanuz
    In the end, terrible log reporting with a lot of information missing,

    That's only true if you compare it with other vendors such as Check Point or Forcepoint; most of the useful logs can be found within the Log Viewer, it's just a bit of a "mess" to read.

    But yes, the "Reports" tab is really bad.

     

    Stefanuz
    where do you find detailed SSL/TLS blocks?

    If you're on v18, you can find it in the Log Viewer, under SSL/TLS Inspection.

    The last option:

     

    Stefanuz
    And what about the exclusion list? It is enormous, plus the list that customers add because many things work badly, and you could say the fast way is turning off SSL/TLS inspection.

    Pretty much only applications with certificate pinning will have to be excluded from SSL/TLS inspection; anything else that respects your CA will be decrypted.

    You will face huge issues with mobile phones such as Android/iOS, but on any computer running Windows/Linux/Mac, where you can import the CA, you will find almost no issues at all.

     

    Thanks!
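A quick way to tell, per destination, whether the firewall is decrypting a flow and whether the client trusts the CA it re-signs with. This is an added example, not code from the thread or from Sophos: it performs a normal TLS handshake against the system trust store (so an imported XG CA counts as trusted) and classifies what comes back. The issuer markers in `INSPECTION_CA_MARKERS` and the hostnames in `main` are assumptions; replace them with the CN/O of your own inspection CA and the hosts your apps actually talk to.

```python
import socket
import ssl
from typing import Dict, Tuple

# Values that identify the firewall's SSL/TLS inspection CA in a certificate issuer.
# ASSUMPTION: replace with the CN/O of the CA your XG shows under SSL/TLS inspection.
INSPECTION_CA_MARKERS = {"organizationName": "Sophos", "commonName": "Sophos"}

INSPECTED = "INSPECTED"              # leaf re-signed by the inspection CA, and this host trusts that CA
PASS_THROUGH = "PASS_THROUGH"        # leaf issued by a public CA: the flow was not decrypted
UNTRUSTED_CHAIN = "UNTRUSTED_CHAIN"  # verification failed: decrypted by a CA this host does not trust
NO_TLS = "NO_TLS"                    # reset/refused/timeout before the handshake finished


def rdn_to_dict(name: Tuple) -> Dict[str, str]:
    """Flatten the ((('commonName', 'x'),), ...) structure ssl.getpeercert() uses into a dict."""
    fields: Dict[str, str] = {}
    for rdn in name:
        for attr, value in rdn:
            fields[attr] = value
    return fields


def classify_issuer(issuer: Tuple) -> str:
    """INSPECTED if any configured marker appears in the issuer name, otherwise PASS_THROUGH."""
    fields = rdn_to_dict(issuer)
    for attr, marker in INSPECTION_CA_MARKERS.items():
        if marker.lower() in fields.get(attr, "").lower():
            return INSPECTED
    return PASS_THROUGH


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """Handshake with host using the OS trust store and report what a non-pinning client sees."""
    ctx = ssl.create_default_context()  # verifies against the OS store, so an imported XG CA counts
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = tls.getpeercert().get("issuer", ())
                return classify_issuer(issuer), rdn_to_dict(issuer).get("commonName", "?")
    except ssl.SSLCertVerificationError as exc:
        # Exactly what a client without the XG CA (or a pinning app) experiences.
        return UNTRUSTED_CHAIN, getattr(exc, "verify_message", str(exc))
    except (ssl.SSLError, OSError) as exc:
        return NO_TLS, str(exc)


if __name__ == "__main__":
    # Placeholder hosts (assumption): use the destinations your apps actually talk to.
    for host in ("www.example.com", "www.amazon.com"):
        verdict, detail = probe(host)
        print(f"{verdict:16} {host:24} issuer CN / detail: {detail}")
```

Run it from a LAN client behind the XG: INSPECTED on a host means decryption is on and the CA import worked, UNTRUSTED_CHAIN means the firewall is re-signing but this machine does not trust its CA, and PASS_THROUGH means an exclusion or a Don't Decrypt rule matched. A pinning application fails on an INSPECTED host as well, because it never consults the OS store; for those, exclusion is the only fix.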

  • In reply to Prism:

    Sophos XG v18 up and running.

     

    For the Amazon problem you are right, that was the problem.

    In the LAN to WAN rule in the firewall I had already checked "Scan HTTP and decrypted HTTPS". I use the dual malware engine, the first in the list is set to Sophos because it is mandatory, as explained, and the scan type is set to batch. No way to block EICAR choosing the single Sophos engine, with either real-time or batch scan. It never blocks.

    Solved this issue by activating "Use web proxy instead of DPI engine" and "Decrypt HTTPS during web proxy filtering" in the LAN -> WAN rule. Now all EICAR files are blocked.

    I did this as you say ("click on SCAN IMAPS/POPS ... you NEED to click on "Add Ports" after you select what you want to scan, so it puts it inside the "Services" tab") in the same LAN to WAN rule; then, after confirming, clients on the LAN side can't open any website or go online with any Windows app.

    I know logging and where to look, but often while opening the Uplay and Origin clients and hosting a multiplayer server the only thing I can see is "invalid traffic", typical of SSL/TLS errors... then looking at that section or others there is no trace of error/blocking details... logging is already active for every rule, malware, web filter, etc.

  • In reply to Stefanuz:

    Stefanuz
    For the Amazon problem you are right, that was the problem.

    Good to know; lots of IoT devices are horrible to deal with, on any firewall.

     

    Stefanuz
    Solved this issue by activating "Use web proxy instead of DPI engine" and "Decrypt HTTPS during web proxy filtering" in the LAN -> WAN rule. Now all EICAR files are blocked.

    Could you show the rule? Could you also open the EICAR file "http://www.eicar.org/download/eicar.com.txt", go to the Log Viewer, inside Web Filter, and search for that link? Just to know what exactly happens when you open it.

     

    Stefanuz
    then, after confirming, clients on the LAN side can't open any website or go online with any Windows app.

    Could you also show this rule?

    I have two rules to scan mail on my XG: the first rule applies to all plain-text mail inside the LAN and VPN zones, the other also applies to encrypted mail but only for clients that have the certificate imported.

    Neither rule is causing issues right now. Both are working as expected.

     

    Stefanuz
    I know logging and where to look, but often while opening the Uplay and Origin clients and hosting a multiplayer server the only thing I can see is "invalid traffic", typical of SSL/TLS errors... then looking at that section or others there is no trace of error/blocking details... logging is already active for every rule, malware, web filter, etc.

    Could you show us the detailed log for it? Can you also show the "typical SSL/TLS errors"? It could be that those clients have certificate pinning and are killing the connection when they detect the MITM.

    I've already faced a lot of issues with SSL/TLS inspection on games; in the end I created an SSL/TLS inspection rule to Don't Decrypt any traffic that matches "Games", and most of the issues I had with Steam and Origin games were solved with that. (Using the new DPI engine.)
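The EICAR check both posters describe, done from a client so it can be correlated with the Log Viewer entries Prism asks for. This is an added example, not code from the thread or from Sophos or eicar.org. It fetches each test URL over HTTP and HTTPS and reports, per URL, whether the test file arrived intact (the signature is present, also inside the single- and double-zipped variants), whether a block page came back instead, whether a 2xx response arrived with the content stripped, or whether the connection was reset. Only `eicar.com.txt` is quoted in the thread; the other three file names and the `https://` variants are assumptions, so adjust `FILES` to what eicar.org currently serves.

```python
import io
import urllib.error
import urllib.request
import zipfile
from typing import Callable, Dict, List, Tuple

# The 68-byte EICAR test string, assembled at runtime so the script itself does not trip AV.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode()

DELIVERED = "DELIVERED"                  # the test file reached the client intact: nothing stopped it
BLOCK_PAGE = "BLOCK_PAGE"                # HTTP 4xx/5xx without the signature: a block page, not the file
EMPTY_OR_STRIPPED = "EMPTY_OR_STRIPPED"  # 2xx/3xx but no signature: body was replaced or emptied
CONN_FAILED = "CONN_FAILED"              # reset or timeout: the proxy/DPI engine dropped the connection

MAX_MEMBER = 1_000_000  # refuse to inflate anything larger than this (the real test files are tiny)


def contains_eicar(body: bytes, depth: int = 0) -> bool:
    """True if body is the EICAR file or a zip (up to two levels, like eicarcom2.zip) containing it."""
    if body.startswith(EICAR):
        return True
    if depth < 2 and body[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(body)) as zf:
                for info in zf.infolist():
                    if info.file_size <= MAX_MEMBER and contains_eicar(zf.read(info), depth + 1):
                        return True
        except zipfile.BadZipFile:
            return False
    return False


def classify(status: int, body: bytes) -> str:
    """Verdict for one response: what actually reached the client, regardless of what the UI claims."""
    if contains_eicar(body):
        return DELIVERED
    return BLOCK_PAGE if status >= 400 else EMPTY_OR_STRIPPED


def fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """GET url; a block page served with an error status is still returned for inspection."""
    req = urllib.request.Request(url, headers={"User-Agent": "eicar-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def check_urls(urls: List[str], fetcher: Callable[[str], Tuple[int, bytes]] = fetch) -> Dict[str, str]:
    """Fetch every URL and map it to a verdict; connection-level failures become CONN_FAILED."""
    results: Dict[str, str] = {}
    for url in urls:
        try:
            status, body = fetcher(url)
        except OSError:  # URLError, ConnectionResetError and socket.timeout are all OSError
            results[url] = CONN_FAILED
            continue
        results[url] = classify(status, body)
    return results


def zip_bytes(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory zip; used to construct sample inputs shaped like the eicar.org zips."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# eicar.com.txt is the URL quoted in the thread; the other three names and the https:// variants
# are assumptions. Adjust them to whatever eicar.org currently serves.
FILES = ["eicar.com", "eicar.com.txt", "eicar_com.zip", "eicarcom2.zip"]
URLS = [f"{scheme}://www.eicar.org/download/{name}" for scheme in ("http", "https") for name in FILES]

if __name__ == "__main__":
    for url, verdict in check_urls(URLS).items():
        print(f"{verdict:18} {url}")
```

Run it once with the DPI engine rule and once with the web proxy rule and compare the two verdict tables against the Log Viewer's Web Filter entries for the same URLs: a DELIVERED verdict next to a "blocked" log line is the mismatch the original post describes, and a CONN_FAILED on the HTTPS URLs only is what a reset from a decrypting engine looks like from the client side. Keep the client's own AV disabled for the test directory, or it will quarantine the file before the script reads it.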

  • In reply to Stefanuz:

    Hi,

    With the scanning issue you need to add a port using the CLI; I will try and find the command. From memory the command only applies to SMTP/S ports.

    Next question: have you installed the XG CA on the devices which are having their mail scanned?

    If you are using the HTTP proxy then, for ease of debugging, you should have a separate rule for email and for normal HTTP/S internet access.

    Ian