
Web Exceptions Not Working

We have 40+ XGs for our clients in MS Azure and now one of them wants to block most web activities, except for a handful of sites they use (slack, gitlab, google, and a bunch of others).  The problem is that Exceptions don't seem to work.  I have tried regex and just the simple domain names, no luck.

  1. Created a Policy
  2. Added a bunch of categories and stuff to it, with a default allow at the bottom.
  3. Created Exceptions, adding all the sites they wanted to use.
  4. Used Policy Test and also created an actual rule, and all the sites are still blocked on the test machine.

What gives?  This firewall OS surprises me more and more every day.



This thread was automatically locked due to age.
  • NateP,

    Make sure to check "Scan HTTP" inside the firewall rule.

    Also, in the web profile, did you select block only for HTTP and not for HTTPS (the lock icon)?

    If you run the policy test, what is the result?

    Thanks

  • lferrara said:
    make sure to check the scan http inside the firewall rule.

    Thanks.  I was not aware of the HTTP vs HTTPS option in the policies.  I will give that a shot.  I also was trying to be careful of the scanning options in the rule during testing, since this is a live firewall.  We first turned this on in January (without the exceptions) and it put a ton of extra load on the firewall, to the point that VPNs were dropping.

  • Still no dice.  Tried policy test with HTTP and also HTTPS in the URL.

    In the exceptions I have just slack.com and also a regex of ^([A-Za-z0-9.-]*\.)?slack\.com

  • Hi NateP,

    Thanks for the screenshots.  I tested this on my side and it worked fine.  Is your Slack exclusion in the same Exceptions list as your previous screenshots?  I suspect that the exception is not hitting.  Make sure that the exclusion is skipping policy checks and is turned on.

  • Hi  

    Yes, it's in the same list of exclusions, it was just truncated in the # more... list


    I just can't grasp why it's not hitting.  Shouldn't exclusions be global across all policies?  It's hard to say; so far there are several things in the XG that don't make sense logically.  I'm just confused and under pressure from the client's info-sec team to get web access blocked, but I didn't want to block everything and then whitelist from there.

  • ^([A-Za-z0-9.-]*\.)?slack\.com\.?/

    Shouldn't you have a \.?/ after the com?

    Also, do you have any other rules that may be higher on the list blocking this?  Country blocking?

    Respectfully,

    Badrobot

  • I suspect the issue is with the AND statement for destination IPs going to private IPs.  In the policy tester we can see the destination IP goes to slack's public IP addresses.  Perhaps the exclusion was meant to be an OR statement?  In that case a separate exclusion would need to be made for those destination IP addresses.


  • And you are the Winner, !

    I didn't know or think about this being an AND statement, I guess I assumed it was OR.  I unchecked that and now the policy checker allows the slack URL.  Looks like they may need some text in the UI or box to change the operators.

    THANK YOU!!!

  • Regarding AND versus OR.  It has always been built to do AND.  You can achieve an OR using two exceptions.

    We chose not to include a possibility of selecting AND / OR within the UI because both were already possible.

    I agree that the pop-up does not really say so; only the summary does.

    Note:

    If you are allowing a large list of websites based only on FQDN, the recommendation is to use a URL group or a custom category rather than an exception.  URL groups and custom categories are more code-efficient, in part because they are text string matches, but less specific because they are not regex.  Also, it is better to make it a policy decision to allow than to make a policy decision to block and then use an exception to ignore that decision.

    https://community.sophos.com/kb/en-us/127270
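The two points the thread settles on (criteria on one exception are ANDed and an OR needs two exceptions; Badrobot's `\.?/` suffix on the regex) can be checked in a small model. The following is an added illustration written for this page, not Sophos code: it encodes only the behaviour stated above. Two details are assumptions rather than facts from the thread: that the regex is applied with `re.search()` to the URL with its scheme removed ("host/path"), and that the destination-IP criterion is a list of CIDR networks. The sample destination addresses are constructed (TEST-NET-3 and an RFC 1918 host), not real lookups.

```python
"""Model of how a Sophos XG web exception is evaluated (added illustration,
not Sophos code).  Every criterion set on ONE exception must hold (AND); an OR
is obtained by creating a SECOND exception.  Assumptions: the regex is applied
with re.search() to "host/path" (scheme stripped); dst criterion is a CIDR list."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Sequence
from urllib.parse import urlsplit

# Regex in the form the thread settles on, with the trailing \.?/ anchor.
SLACK_ANCHORED = r"^([A-Za-z0-9.-]*\.)?slack\.com\.?/"
# The poster's first attempt, without the anchor.
SLACK_LOOSE = r"^([A-Za-z0-9.-]*\.)?slack\.com"
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
# Constructed sample addresses (TEST-NET-3 and a private host), not real lookups.
PUBLIC_DST = "203.0.113.10"
PRIVATE_DST = "10.20.30.40"


def normalise_url(url: str) -> str:
    """Drop the scheme and guarantee a path: 'https://app.slack.com' -> 'app.slack.com/'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.netloc.lower() + (parts.path or "/")


@dataclass(frozen=True)
class WebException:
    name: str
    url_regex: Optional[str] = None       # "URLs matching these patterns"
    dst_networks: Sequence[str] = ()      # "destination IP in these networks" (assumed CIDR list)
    skip_policy_checks: bool = True       # the box the thread says must be on
    enabled: bool = True

    def matches(self, url: str, dst_ip: str) -> bool:
        """Every criterion that is configured must match (AND); unset ones are ignored."""
        if not (self.enabled and self.skip_policy_checks):
            return False
        if self.url_regex and not re.search(self.url_regex, normalise_url(url)):
            return False
        if self.dst_networks:
            ip = ipaddress.ip_address(dst_ip)
            if not any(ip in ipaddress.ip_network(net) for net in self.dst_networks):
                return False
        return True


def policy_skipped(exceptions: Sequence[WebException], url: str, dst_ip: str) -> bool:
    """Separate exceptions are OR'd: the web policy is skipped if any one of them matches."""
    return any(exc.matches(url, dst_ip) for exc in exceptions)


def and_or_scenarios() -> dict:
    """The configurations discussed in the thread, against a Slack URL going to a public IP."""
    url = "https://app.slack.com/client"
    both = WebException("slack AND private dst", SLACK_ANCHORED, RFC1918)
    url_only = WebException("slack", SLACK_ANCHORED)
    ip_only = WebException("private dst", dst_networks=RFC1918)
    return {
        # One exception with both boxes ticked: URL matches but dst is public, so the AND fails.
        "one exception, url AND private ip": policy_skipped([both], url, PUBLIC_DST),
        # The fix the poster applied: untick the destination-IP criterion.
        "ip criterion unchecked": policy_skipped([url_only], url, PUBLIC_DST),
        # The OR the poster expected, built as two exceptions.
        "two exceptions (OR), slack to public ip": policy_skipped([url_only, ip_only], url, PUBLIC_DST),
        "two exceptions (OR), other host to private ip": policy_skipped(
            [url_only, ip_only], "http://intranet.example/", PRIVATE_DST),
        # An exception that is switched off never matches, whatever its criteria.
        "disabled exception": policy_skipped(
            [WebException("slack", SLACK_ANCHORED, enabled=False)], url, PUBLIC_DST),
    }


def regex_scenarios() -> dict:
    r"""Why the \.?/ suffix matters: without it the pattern matches any host that merely starts with slack.com."""
    def hit(pattern: str, url: str) -> bool:
        return re.search(pattern, normalise_url(url)) is not None
    return {
        "app.slack.com, loose": hit(SLACK_LOOSE, "https://app.slack.com/"),
        "app.slack.com, anchored": hit(SLACK_ANCHORED, "https://app.slack.com/"),
        "slack.com, no path, anchored": hit(SLACK_ANCHORED, "slack.com"),
        # 'slack.com' is a prefix of 'slack.community', so the loose pattern lets it through.
        "slack.community, loose": hit(SLACK_LOOSE, "https://slack.community/"),
        "slack.community, anchored": hit(SLACK_ANCHORED, "https://slack.community/"),
        # A lookalike host whose name starts with slack.com but is a different domain.
        "slack.com.attacker.example, anchored": hit(SLACK_ANCHORED, "https://slack.com.attacker.example/"),
    }


if __name__ == "__main__":
    for label, result in {**and_or_scenarios(), **regex_scenarios()}.items():
        print(f"{'skip' if result else 'block':5} {label}")
```

Run it and the first scenario reports "block": the single exception with both a URL pattern and a private destination-IP criterion cannot match Slack traffic to a public address, which is exactly what the policy tester showed. Dropping the IP criterion, or splitting the two criteria into two exceptions, reports "skip". The regex rows show the practical reason for the `\.?/` anchor: an unanchored `slack\.com` also skips policy for `slack.community` and `slack.com.attacker.example`, which would quietly widen an allow-list meant to cover only Slack.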
