
WhatsApp Issue with Web Protection

Hello everyone,

Whenever I turn on web protection for a rule, users who can use internet through this rule can use WhatsApp application on their phones or web WhatsApp.

I tried to make a workaround for web WhatsApp and created a top rule that allows access to web WhatsApp and turned off web protection, and that solved the web WhatsApp problem.

Now my problem is with the application itself; it won't work until I turn off the web protection,

although I made an exception for it in PROTECT > Web > Exceptions and checked the log viewer and it is all green and all HTTP and HTTPS Scan & Decrypt are turned off.

Is there any solution for this issue?

Thank you



This thread was automatically locked due to age.
  • M.Hegazy,

    Create a web exception with these URLs:

    ^([A-Za-z0-9.-]*\.)?whatsapp\.com
    ^([A-Za-z0-9.-]*\.)?whatsapp\.net
    ^([A-Za-z0-9.-]*\.)?50\.22\.19[2-9]\.
    ^([A-Za-z0-9.-]*\.)?50\.22\.2[0-5][0-5]\.

    ^([A-Za-z0-9.-]*\.)?whatsapp\.net\.?/

    Here is the image. In my case it works. I use decrypt and scan on my XG.

    Regards
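
Added example (not part of the original posts): a check of the exception patterns posted above for over-broad matches and coverage gaps before they are used to skip scanning. It assumes the firewall applies each pattern with search semantics to a `host/path` string; the tightened patterns, the intended 192-255 octet range and all sample targets are assumptions constructed for illustration.

```python
import re

# Patterns exactly as posted in the thread.
POSTED = [
    r"^([A-Za-z0-9.-]*\.)?whatsapp\.com",
    r"^([A-Za-z0-9.-]*\.)?whatsapp\.net",
    r"^([A-Za-z0-9.-]*\.)?50\.22\.19[2-9]\.",
    r"^([A-Za-z0-9.-]*\.)?50\.22\.2[0-5][0-5]\.",
    r"^([A-Za-z0-9.-]*\.)?whatsapp\.net\.?/",
]

# Tightened variants (assumption, not from the thread): end the host part with
# "\.?/" as the fifth posted pattern does, and spell out third octets 192-255.
TIGHTENED = [
    r"^([A-Za-z0-9.-]*\.)?whatsapp\.com\.?/",
    r"^([A-Za-z0-9.-]*\.)?whatsapp\.net\.?/",
    r"^50\.22\.(19[2-9]|2[0-4][0-9]|25[0-5])\.[0-9]{1,3}/",
]

def is_exempt(patterns, target):
    """True if any exception pattern matches the 'host/path' string."""
    return any(re.search(p, target) for p in patterns)

def uncovered_octets(patterns, lo=192, hi=255):
    """Third octets in 50.22.<lo..hi>.x that no pattern matches."""
    return [o for o in range(lo, hi + 1)
            if not is_exempt(patterns, f"50.22.{o}.10/")]

# Constructed targets; the lookalike domain is invented for illustration.
SAMPLES = [
    "web.whatsapp.com/",
    "sub.whatsapp.net/chat",
    "whatsapp.com.lookalike.example/login",  # not a WhatsApp host
    "notwhatsapp.com/",
    "50.22.208.10/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} posted={is_exempt(POSTED, s)} "
              f"tightened={is_exempt(TIGHTENED, s)}")
    print("octets missed by posted patterns:", uncovered_octets(POSTED))
```

Without a terminating `/`, the first two posted patterns also exempt any host that merely begins with `whatsapp.com` or `whatsapp.net`, and `2[0-5][0-5]` skips every third octet ending in 6 to 9.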

  • Hi

    I solved the WhatsApp application issue yesterday.

    I don't use "Any" as service.

    The problem was solved when I added the WhatsApp application ports, and both of them were working till this morning,

    but a couple of hours ago the QR code came to the surface again.

    Any idea why this strange behavior from the firewall?

  • Good point about the ports.  https://www.quora.com/What-is-the-port-number-for-whatsapp

     

    If that is not it, then:


    The problem could be something with web browsing (eg HTTP or HTTPS).  However it could also be DNS timeout or something on some custom ports it uses.  It can be hard to tell, especially since it is hard to packet capture on a mobile device.
     
    Are you doing HTTPS Decryption?  If you are, maybe the app does not like the CA.  You can try disabling it in the firewall rule or in an exception.
     
    If you temporarily put in a high level firewall rule for Source Any Destination Any Service Any with no malware protection or application or web policies (basically super wide open) does that resolve the issue?  If so, then start closing the rule to where it starts being slow.
  • Well after testing it, it was the pharming protection

    I disable it and all went well, I have applied all my web and application rules again and all working fine till this moment...

  • So, a few days later, just to be sure that's a problem in my Sophos, I deactivated all firewall filters and pharming protection. I just had the "scan http" option active. I never had the HTTPS scan option active. I do not need that at the moment. First I have to get it working without that option to lower complexity.

    What shall I say, it just worked!

    As a next step I will reactivate setting by setting and see what happens. I will start with activating pharming protection and will see.

    I hope to drill down the problem within the next days. Depending on where it gets stuck, I will try to implement the ideas of the community I have heard so far.

    Thank you in advance, Michael

  • Okay, five days have passed and I did not have any problems with pharming protection on... Now brave enough to turn on intrusion prevention for my firewall rule and see what's happening. Getting back to you...

  • So I turned my Web Policy back on and the error occurred again...

    Web Policy currently just has a default "allow all" and a rule that denies urlgroup with forbidden urls. ...

     

    Interestingly enough, I additionally found out that in the log files, for the same timestamp at which the error occurred, the web policy allows a WhatsApp URL; please see the screen attached.

    For the timestamps where WhatsApp worked as it should, NO entry shows up in the firewall web policy log. Different ports are used for the activities in the firewall log then.

    Can you help me interpret those results? I would really appreciate it ;)

     

  • ahhh, this really is annoying..

    everything works perfectly if i disable my web filter policy.

    but this policy only contains the following rules (see screenshot)

    1: deny all links from url-group (www.example.com)

    2: default allow all

     

     

    How come that once I enable the web policy in my firewall, WhatsApp is not running correctly anymore... that s*cks, to be honest. Is it a bug or is the problem in front of my computer (i.e. me)?

    would be really glad if someone can help me out of this!

    thank you

  • We use WhatsApp on our iPhones and it has worked fine for the past year (sending messages, voice calls and video chat). I didn't have to setup anything specific either to make it work.

    I'm currently on Sophos XG 17.1.2 (MR-2) and here's an overview of my setup:

    • Allow all LAN to WAN rule that sits at the bottom of my firewall rules.
    • Pharming protection is enabled.
    • The firewall rule that applies to the iPhones has Scan HTTP and Decrypt & Scan HTTPS selected with an IPS policy, Web policy and Application filter enabled.
    • IPS policy only looks for moderate, major and critical severity levels (1-3).
    • Web policy only blocks: Command & Control, Phishing & Fraud, Spam URLs, Spyware & Malware and Hacking.
    • Application filter blocks high and very high risk apps that can bypass the firewall or vulnerabilities (plus a few others).

    The only thing I can think of is I did setup a Web exception that skips HTTPS Decryption for a bunch of stuff (mostly because I don't want secure connections to certain sites being decrypted) that includes the "Online Chat" category, but this was done because I was having issues with another app. I also have the "Information Technology" category in this list (with a few others) because I was having issues with sending photos via iMessage unless I had this category skipping HTTPS Decryption.

    I realize this probably doesn't help too much but just thought I'd provide another data point. I've removed the "Online Chat" category and I'll see if it makes any difference but it sounds like your issue is with web policies and not necessarily HTTPS decryption and scanning.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • hey everyone 

    the problem came back one more time to the surface 

    :(

  • Sounds similar but not identical.

    One thing I had in mind: It always had been Android devices with that problem, no one used an iPhone...

    Any ideas? I am running out of ideas, logs don't show anything on this...

  • Can you please:
    Click Log Viewer
    Click the icon to go to detailed view
    Select the Module Web Filter.
    Reproduce the problem.
    The important thing is any red icon lines, and the context around them.  Please screenshot, copy paste, or download and attach the log.
     
    If there are no red lines, then just send whatever is there at the time the problem occurs.
  • I could log while the error/delay occurred.

    The problem occurred two times, please see below. There are NO red lines, but some entries right around the time the delay occurred. I am not sure what they tell me, or how to solve them. The logfile is clean as long as WhatsApp runs smoothly. No idea why this temporarily works sometimes, sometimes not.

    If I deactivate my Web Policy, the error NEVER occurs. My policy at the moment only has a default "allow all" and a deny "url1, url2, etc.".

    I don't have any clue...

    Thank you in advance for any kind of help!

    community.sophos.com/.../log_5F00_whatsapp.xlsx

  • No red lines means there was not a deliberate block, it does not mean there were not errors.

    See the lines that have status_code="502".  That's an error code.  It's either an error code that is generated by the WhatsApp server and being passed via the proxy, or it is one that the proxy itself is generating because it has a problem with the connection.

    The dst_ip looks fine and I suspect that pharming protection (the original thread, and something that is fixed) is not related.

     

    There are two courses of action right now.  The first is to contact support and have them take a deeper look at your system, get debug level logs, etc.  That can better determine if there is a config issue, a code issue, or just a straight out incompatibility.

    The other is just say whatever and bypass the proxy for this type of connection.  Which you might need to do anyway based on the investigation.

    See https://community.sophos.com/kb/en-us/128173 section "Create a firewall rule for a website".
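
Added example (not part of the original posts): a triage pass over an exported web filter log that surfaces entries which were not blocked by policy but still carry a 5xx status code, the case described in the reply above. The sample lines are constructed; only `status_code` and `dst_ip` are field names from the thread, while `time`, `log_subtype` and `domain` are assumed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in key="value" form (documentation-range addresses).
SAMPLE_LOG = '''\
time="10:01:02" log_subtype="Allowed" domain="chat.example.net" dst_ip="198.51.100.7" status_code="200"
time="10:01:09" log_subtype="Allowed" domain="chat.example.net" dst_ip="198.51.100.7" status_code="502"
time="10:01:10" log_subtype="Allowed" domain="media.example.net" dst_ip="198.51.100.9" status_code="502"
time="10:01:15" log_subtype="Denied" domain="blocked.example" dst_ip="203.0.113.5" status_code="403"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(FIELD.findall(line))

def silent_errors(text):
    """Entries not denied by policy whose status code is 5xx."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        code = rec.get("status_code", "")
        denied = rec.get("log_subtype") == "Denied"  # assumed field and value
        if not denied and re.fullmatch(r"5\d\d", code):
            hits.append(rec)
    return hits

def summarize(hits):
    """Count silent errors per (domain, dst_ip, status_code)."""
    return Counter(
        (h.get("domain", "?"), h.get("dst_ip", "?"), h["status_code"])
        for h in hits
    )

if __name__ == "__main__":
    for key, n in summarize(silent_errors(SAMPLE_LOG)).items():
        print(n, *key)
```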

     

     

  • thanks a lot, Michael!

    Will try both ways you suggested. If both won't work I think I will contact support...

    Keeping you updated! Thanks a lot for assistance so far.

  • hey

    I contacted them yesterday and they replied to check the log viewer and check if there is anything blocked by the web protection filter,

    and I replied that there is not anything blocked and clarified all the steps I took in an attempt to solve the issue, but I am still waiting for their answer.

    Please don't forget to give us feedback with their reply.

    thank you

  • hello

    sorry for bringing this thread up again

    I was able to solve the problem one more time by adding each category I want to block in a separate rule inside the web policy.

    Once I did it, the WhatsApp application worked smoothly without delay.

    try to do the same and let us know

    thanks

  • Interesting, I had the same issue with WhatsApp. I disabled the pharming protection, created exceptions and allowed the ports. It worked for a while, then the problem reappeared. As you all said, the log viewer doesn't help at all with this problem; it is not showing any problem or error.

    I will try your method and let you know

  • great

    try to do the same and let us know what happened

  • So I am not really making progress, thinking about opening a support case...

    I have tried everything I could imagine but still could not make any progress. The error still occurs as soon as I activate web protection.

    Funnily enough, those devices have a different error as soon as I deactivate the web policy, but that seems to be a different story.

    I really don't have that complicated a setup, I am really getting frustrated with that XG, and obviously some of the solutions are working for some of us, but not for others... really confusing, and log files do not help at all.

     

    anyone else making progress with that whatsapp piece of sh*t???

  • It is the WhatsApp application doing HTTP requests to a WhatsApp server.  It may not be following normal HTTP standards.

     

    Can you try something:

    Go into the console (not ssh shell).  So in the menu choose (4 Device Console).

    show http
    set http add_via_header off
    set http relay_invalid_http_traffic on

     

    Try again.  If it is still broken, please revert the changes.

     

    Next thing would be to see if the problem is with other ports.  Are the ports listed here allowed through the firewall?

    https://www.quora.com/What-is-the-port-number-for-whatsapp