
Sophos Firewall: How to troubleshoot "Website is Blocked/ Can't access a website" issue

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This article provides some of the basic steps a Sophos Firewall administrator can take while troubleshooting issues related to a Website being blocked or partially blocked.

Error Codes

It’s important to identify why a website was blocked (completely or partially). If you receive an HTTP error code, it helps you understand what happened. I've listed some of the most common client and server error codes. The 4xx error codes mean that the client request contains bad syntax or can't be fulfilled due to an invalid or improper request. The 5xx error codes mean the server failed to fulfill a valid request.

4xx Client Error

  • 400 Bad Request
  • 401 Unauthorized
  • 403 Forbidden
  • 404 Not Found
  • 405 Method Not Allowed
  • 406 Not Acceptable
  • 407 Proxy Authentication Required
  • 408 Request Timeout
  • 409 Conflict
  • 414 Request-URI Too Long
  • 415 Unsupported Media Type
  • 416 Requested Range Not Satisfiable
  • 417 Expectation Failed
  • 429 Too Many Requests
  • 431 Request Header Fields Too Large
  • 444 Connection Closed Without Response

5xx Server Error

  • 500 Internal Server Error
  • 501 Not Implemented
  • 502 Bad Gateway
  • 503 Service Unavailable
  • 504 Gateway Timeout
  • 505 HTTP Version Not Supported
  • 511 Network Authentication Required
  • 599 Network Connect Timeout Error

Troubleshooting 

The first thing to identify is whether Web Filtering is applied to the firewall rule that allows/processes the traffic. You can identify the firewall rule by following this KBA: Sophos Firewall: Monitor traffic using packet capture. Once the firewall rule is identified, check whether a Web Filter policy is applied.

A) If a Web Filter policy isn’t applied, try to open the website from an SSH session on the XG. You can use a curl or wget command.

For example:
# wget --no-check-certificate https://www.sophos.com
# curl -v https://www.sophos.com

  • If the connection was successful, there's no issue on the ISP side when connecting to the website.
    1. Check the drop-packet capture using this KBA, Sophos Firewall: Monitor traffic using packet capture, and find why the traffic is being dropped.
      In the Advanced Shell of Sophos Firewall, you can type drppkt host <hostname or ip-address-of-website> and port <web-site-port>
      For example:
      # drppkt host sophos.com and port 443


    2. Check for any value in drop-packet-capture that might indicate an issue with the traffic.

    3. If none of the above helps, please post the error screenshot and details on the Sophos Firewall community forum, or if you have a valid support license, create a case with Sophos Support.

  • If the connection wasn’t successful, the cause might be the ISP or upstream network devices, because connections from SSH are unfiltered and are attempted from the active WAN port of the Sophos Firewall. If feasible, try changing the active internet gateway of the Sophos Firewall and see if the issue persists.
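
One way to make the "successful / not successful" decision in step A repeatable is the sketch below. It is an added example, not Sophos code: the function names classify_probe and probe_site are hypothetical, and it assumes the curl available in the firewall shell supports the standard -w and --max-time options. It runs the same curl probe and maps curl's exit code and the HTTP status to the branch to follow.

```shell
#!/bin/sh
# Added example (not Sophos code); function names are hypothetical.
# classify_probe CURL_EXIT HTTP_STATUS -> prints a one-line verdict for step A.
classify_probe() {
    if [ "$1" -ne 0 ]; then
        # No HTTP response at all: curl's documented exit codes say why.
        case "$1" in
            6)  echo "UNREACHABLE: DNS lookup failed (curl exit 6)" ;;
            7)  echo "UNREACHABLE: TCP connect failed (curl exit 7)" ;;
            28) echo "UNREACHABLE: timed out (curl exit 28)" ;;
            *)  echo "INCONCLUSIVE: curl exit $1, rerun with curl -v" ;;
        esac
        return 0
    fi
    # Any HTTP status means the path from the WAN port to the site works.
    case "$2" in
        2??|3??) echo "REACHABLE: HTTP $2, WAN path is fine; check drppkt for the client's traffic" ;;
        4??)     echo "REACHABLE-4XX: HTTP $2, server rejected the request (client error)" ;;
        5??)     echo "REACHABLE-5XX: HTTP $2, server failed to fulfill the request" ;;
        *)       echo "INCONCLUSIVE: unexpected status '$2'" ;;
    esac
}

# probe_site URL -> runs the probe from the firewall shell and classifies it.
# -o /dev/null discards the body; -w prints only the status (000 if no response).
probe_site() {
    status=$(curl -sS -o /dev/null --max-time 15 -w '%{http_code}' "$1" 2>/dev/null)
    rc=$?
    classify_probe "$rc" "$status"
}

# Usage: probe_site https://www.sophos.com
```

An UNREACHABLE verdict corresponds to the ISP/upstream branch above; any REACHABLE verdict corresponds to the drop-packet capture branch.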

B) If a Web Filter policy is applied, please check if the Web Policy is configured to allow or block the request. Please refer to this KBA: Sophos Firewall: Policy Tester.

  • If it’s shown as allowed in the Policy test tool, follow these steps:
    1. Check the drop-packet capture for the traffic and discover why it’s being dropped.

    2. Check for any value in drop-packet-capture that might indicate an issue with the traffic.

    3. Run a tcpdump and look for any connection error from the web server.

    4. If none of the above helps, please post the error screenshot and details on the Sophos Firewall community forum, or if you have a valid support license, create a case with Sophos Support.

  • If it shows as Not Allowed or Blocked, please allow the Website in the Web Filter policy or create an exception for the specific user/IP to allow access to the Website.



Edited TAGs
[edited by: Raphael Alganes at 7:55 AM (GMT -7) on 17 Sep 2024]