ATP - turned it off and on and broke some parts of XG

Hi folks,

I have been trying to work out an issue with my iPhone and my iPad. The iPad connects to all applications without any issues, the iPhone fails to connect; both have the same CA installed.

I disabled ATP and HTTPS scanning, the iPhone then connected to the failing applications. Moved the iPhone to a less secure firewall and re-enabled HTTPS scanning and ATP on the mail firewall rule.

The result: some logs no longer have any updated entries. None of the failing accesses, which were caused by SSL errors according to the applications on the iPhone, show in any logs. I have been investigating this for days and not found one denied access in the logs.

But having turned ATP on again, the applications on both devices are very slow and my MBP does not show any log entries.

I will restart the XG to see if that restores normality.

Ian

  • I restarted the XG and normal connection needs have returned and the iPhone now connects without any issues through a firewall rule with scanning disabled.

    ian

  • In reply to rfcat_vk:

    Found the cause of the missing log entries: I was checking something as part of a question asked in another thread and didn't restore all the logging. Which is interesting, if you have logging enabled on your firewall rules you automatically expect there to be log entries, wrong.

    Ian

  • Hi  

    Thanks for the feedback. Sending you a PM for more details.

    Thanks,

    Rana Sharma

  • In reply to Rana Sharma:

    Hi Rana Sharma,

    I have replied to your PM.

    Update. Disabled SSL/TLS scanning in the advanced tab. Waited about an hour then disabled the ATP, the web browsing performance improved for all devices. Enabled ATP and some sites take a very long time to load and also present SSL errors on the iPhone. Some sites load the summary page, but not the detailed report, e.g. ABC news app (ABC.com.au). The website loads very quickly on the MBP.

    The Apple App Store does load on both the iPhone and MBP, but only after about a minute.

    I cannot find anything in the logs that point to what is causing the issue.

    Last time was an XG restart, but I will wait until you have had a chance to investigate. Also the Sophos community pages take a long time to update.

    Ian

  • In reply to rfcat_vk:

    Hi Ian,

    Thanks for your response. Let's plan the live debug session today.

    Asked for some information over PM.

     

    Thanks,

    Rana Sharma.

  • In reply to Rana Sharma:

    Hi Rana Sharma,

    Waiting on your response?

    Ian

  • In reply to rfcat_vk:

    Hi Ian,

    Replied over there

    Thanks,

    Rana Sharma

  • In reply to Rana Sharma:

    Hi folks,

    Rana Sharma asked the Devs to investigate, as far as I can tell no-one has looked.

    My XG had basically become unworkable so I have restarted it and connectivity has returned to normal.

    Ian

  • In reply to rfcat_vk:

    Hi  

    This is just an update for the same. I have already done the initial investigation and asked the Dev team for more investigation on this, as you are already part of that mail chain.

    Please have some patience; the team will get back to you on the same mail chain.

     

    Thanks,

    Rana Sharma

  • In reply to Rana Sharma:

    Hi Rana Sharma,

    I have upgraded to the EAP 3 refresh 1 and conducted some extensive testing with ATP and I have disabled SSL/TLS. The issue with the ATP appears to have been fixed. A comment - the ATP does affect web site response times.

    I am still having issues with sites failing SSL/TLS security and there is nothing in the logs that I can see that relates to the failures. XG is doing something to the sites which is breaking the trust between end devices and the web server. I will add an exception for one site and see what happens.

    Ian

    Update - exception had no effect.

    Update 2 - turning ATP off, waiting a while for more testing, turning ATP back on: sites are slower to load, some sites giving SSL errors. Restart XG: site connection speed improves, SSL errors except for one of my ISPs.