
[BUG] Web Filter blocking random categories

This is the web filter policy that I have applied to some firewall rules where I used the DPI engine

The web filter is blocking other random categories for no reason. This is the log

An example:

2020-03-16 13:30:39 Web filter messageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="10" user="samsungtv" user_group="Clientless Open Group" web_policy_id="13" web_policy="" category="Content Delivery" category_type="Acceptable" url="d25xi40x97liuc.cloudfront.net/.../70a53108-c477-4e1e-be16-2b5f2cc987fe_320w.bif" content_type="" override_token="" response_code="" src_ip="192.168.1.102" dst_ip="13.225.84.68" protocol="TCP" src_port="60076" dst_port="80" bytes_sent="661" bytes_received="0" domain="d25xi40x97liuc.cloudfront.net" exception="" activity_name="" reason="HTTP pipelined request encountered." user_agent="Ignition/1.0 (samsungtv, arm)" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="1501110912" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"


Why is this happening?

  • The web filter blocks the same stuff the policy test allows. This is still the DPI mode. Anyway, it's a bug regardless of whether it works with the web proxy.

  • I have seen a similar issue -- scenario:

    XG Home firewall (v18 latest build) with an IPSEC tunnel to home office (happens to be a SG UTM, latest build). Tunnel is up, traffic routes fine... for the most part. On the XG side a rule is configured to allow access from home office subnet to main office subnet, allow ANY -> ANY, NO web filtering enabled, NO IPS, NO App Control, etc. Globally DPI is disabled (this was done later as a troubleshooting step). Still... when Outlook starts on a laptop on the home office subnet, and it goes to port 80 on the mail server at the other end (the autodiscover, etc. traffic) the Web Content filter shows the following (some info redacted):

    2020-03-19 15:42:15 Web filter messageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="12" user="" user_group="" web_policy_id="0" web_policy="" category="" category_type="Acceptable" url="" content_type="" override_token="" response_code="" src_ip="IP_OF_LAPTOP_AT_HOME" dst_ip="EXCHANGE_2013_SERVER" protocol="TCP" src_port="65358" dst_port="80" bytes_sent="0" bytes_received="0" domain="" exception="" activity_name="" reason="HTTP parsing error encountered." user_agent="" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="4070301696" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

    Using OWA to the same IP works fine, etc.  It's like the web filtering setting is being ignored on some firewall rules, and not entirely.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • See screenshots below of rule in question... since I'm sure that'll be asked :)

  • Can someone open a ticket?

    Can you provide support or an answer for this issue?

    Thanks

  • Similar problem as brucekconvergent.

    Ticket #9771627

  • BrucekConvergent said:

    XG Home firewall (v18 latest build) with an IPSEC tunnel to home office (happens to be a SG UTM, latest build). Tunnel is up, traffic routes fine... for the most part. On the XG side a rule is configured to allow access from home office subnet to main office subnet, allow ANY -> ANY, NO web filtering enabled, NO IPS, NO App Control, etc. Globally DPI is disabled (this was done later as a troubleshooting step). Still... when Outlook starts on a laptop on the home office subnet, and it goes to port 80 on the mail server at the other end (the autodiscover, etc. traffic) the Web Content filter shows the following (some info redacted):

    2020-03-19 15:42:15 Web filter messageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="12" user="" user_group="" web_policy_id="0" web_policy="" category="" category_type="Acceptable" url="" content_type="" override_token="" response_code="" src_ip="IP_OF_LAPTOP_AT_HOME" dst_ip="EXCHANGE_2013_SERVER" protocol="TCP" src_port="65358" dst_port="80" bytes_sent="0" bytes_received="0" domain="" exception="" activity_name="" reason="HTTP parsing error encountered." user_agent="" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="4070301696" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

    reason="HTTP parsing error encountered."

    It is having trouble parsing the data on port 80, thinking that it is not valid HTTP for some reason.

    When you say "Globally DPI is disabled" what do you mean?  You posted your firewall rule which indicates that you are using DPI not proxy.  If in the SSL/TLS inspection rules you set the SSL/TLS engine as disabled (use on for troubleshooting) it may be causing a problem with parsing some connections.
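    A small triage helper for the web filter log lines quoted in this thread, added here as an example (it is not Sophos code): it parses the key="value" fields and separates denials that carry a non-empty reason (the HTTP engine rejecting the stream, as in the "pipelined request" and "parsing error" lines above) from genuine category blocks, and flags denials logged against rules with no web policy attached. The sample lines are constructed, modelled on the ones in the thread; hostnames are placeholders.

```python
import re

# Constructed sample lines modelled on the "Content Filtering" denials quoted in this thread;
# hostnames are placeholders, the reason strings are the ones seen in the thread.
SAMPLE_LOGS = [
    '2020-03-16 13:30:39 Web filter messageid="16002" log_type="Content Filtering" log_subtype="Denied" '
    'fw_rule_id="10" web_policy_id="13" category="Content Delivery" category_type="Acceptable" '
    'url="cdn.example.test/segment.bif" reason="HTTP pipelined request encountered." status_code="403"',
    # header fused with the first key, exactly as the lines were pasted into the thread
    '2020-03-19 15:42:15Web filtermessageid="16002" log_type="Content Filtering" log_subtype="Denied" '
    'fw_rule_id="12" web_policy_id="0" category="" url="" reason="HTTP parsing error encountered." status_code="403"',
    '2020-04-25 19:19:44 Web filter messageid="16002" log_type="Content Filtering" log_subtype="Denied" '
    'fw_rule_id="6" web_policy_id="2" category="Games" category_type="Unproductive" url="game.example.test/" reason=""',
    '2020-04-25 19:20:01 Web filter log_type="Content Filtering" log_subtype="Allowed" '
    'fw_rule_id="6" web_policy_id="2" category="News" url="news.example.test/" reason=""',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

def parse_line(line):
    """Fields of one line as a dict; regex-based, so the fused 'Web filtermessageid=' form parses too."""
    fields = dict(KV_RE.findall(line))
    m = TS_RE.match(line)
    fields["timestamp"] = m.group(1) if m else ""
    return fields

def classify(fields):
    """engine_error: the HTTP engine rejected the stream (non-empty reason) and the category shown
    is incidental; category_block: a genuine policy verdict (empty reason, category present)."""
    if fields.get("log_subtype") != "Denied":
        return "allowed"
    if fields.get("reason"):
        return "engine_error"
    if fields.get("category"):
        return "category_block"
    return "unexplained"

def triage(lines):
    """Classify each line and flag denials on rules with no web policy attached (web_policy_id 0)."""
    rows = []
    for line in lines:
        f = parse_line(line)
        rows.append({"timestamp": f["timestamp"], "rule": f.get("fw_rule_id", ""),
                     "policy_attached": f.get("web_policy_id", "0") not in ("", "0"),
                     "kind": classify(f), "reason": f.get("reason", ""),
                     "category": f.get("category", "")})
    return rows
```

    Run `triage(SAMPLE_LOGS)` (or feed it lines exported from the log viewer): every row whose kind is engine_error points at the engine rather than the category list, so editing the policy will not change it.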

  • First of all, the rule as shown in the screenshot -- you'll note NO web content filtering selected, DPI or Web Proxy, so the web content filter from either module should not be involved, but yet they are!  This is the rule referenced in the log snippet.  I've also tried disabling TLS/SSL inspection globally, and tried leaving it on with exceptions set.

  • Just an FYI for anyone who's monitoring this thread: my issue (the TLS engine interfering in traffic flow even when it is "turned off completely") is resolved in v18 MR-1 (released today). Give it a try.

  • Have you made any progress? I can easily reproduce the issue.

    I create an empty web filtering policy.

    I apply it to the LAN-to-WAN firewall rule for the PC I am using for testing.

    I put this URL in my browser: https://pft-aresdev.rdatasrv.net/

    It gets blocked, and the web filtering policy is empty.

    2020-04-25 19:19:44 Web filter messageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="6" user="" user_group="" web_policy_id="2" web_policy="" category="Games" category_type="Unproductive" url="pft-aresdev.rdatasrv.net/" content_type="" override_token="" response_code="" src_ip="192.168.1.30" dst_ip="10.40.255.246" protocol="TCP" src_port="53593" dst_port="443" bytes_sent="0" bytes_received="0" domain="pft-aresdev.rdatasrv.net" exception="" activity_name="" reason="" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="743776256" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

  • Hi,

    I am following this thread because I have the exact opposite issue: a site which is correctly classified is not blocked.

    I have checked my default policy and it has a lot of block stuff in it which I don't believe I added. I will check the default on my test system which I haven't modified.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.