
[BUG] Web Filter blocking random categories

This is the web filter policy that I have applied to some firewall rules where I used the DPI engine

The web filter is blocking other random categories for no reason. This is the log

An example

2020-03-16 13:30:39Web filtermessageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="10" user="samsungtv" user_group="Clientless Open Group" web_policy_id="13" web_policy="" category="Content Delivery" category_type="Acceptable" url="d25xi40x97liuc.cloudfront.net/.../70a53108-c477-4e1e-be16-2b5f2cc987fe_320w.bif content_type="" override_token="" response_code="" src_ip="192.168.1.102" dst_ip="13.225.84.68" protocol="TCP" src_port="60076" dst_port="80" bytes_sent="661" bytes_received="0" domain="d25xi40x97liuc.cloudfront.net" exception="" activity_name="" reason="HTTP pipelined request encountered." user_agent="Ignition/1.0 (samsungtv, arm)" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="1501110912" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

 

Why is this happening?



  • l0rdraiden,

    Check the website via the Policy Tester under Diagnostic menu. Also, switch to Proxy mode and see if the websites are blocked.

    Regards

  • The web filter blocks the same stuff the policy test allows. This is still the DPI mode. Anyway, it's a bug no matter whether it works with the web proxy.

  • I have seen a similar issue -- scenario:

    XG Home firewall (v18 latest build) with an IPSEC tunnel to home office (happens to be a SG UTM, latest build). Tunnel is up, traffic routes fine... for the most part. On the XG side a rule is configured to allow access from home office subnet to main office subnet, allow ANY -> ANY, NO web filtering enabled, NO IPS, NO App Control, etc. Globally DPI is disabled (this was done later as a troubleshooting step). Still... when Outlook starts on a laptop on the home office subnet, and it goes to port 80 on the mail server at the other end (the autodiscover, etc. traffic) the Web Content filter shows the following (some info redacted):

     

    2020-03-19 15:42:15Web filtermessageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="12" user="" user_group="" web_policy_id="0" web_policy="" category="" category_type="Acceptable" url="" content_type="" override_token="" response_code="" src_ip="IP_OF_LAPTOP_AT_HOME" dst_ip="EXCHANGE_2013_SERVER" protocol="TCP" src_port="65358" dst_port="80" bytes_sent="0" bytes_received="0" domain="" exception="" activity_name="" reason="HTTP parsing error encountered." user_agent="" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="4070301696" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

     

    Using OWA to the same IP works fine, etc.  It's like the web filtering setting is being ignored on some firewall rules, and not entirely.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • See screenshots below of rule in question... since I'm sure that'll be asked :)


  • Can someone open a ticket?

    Can you provide support or an answer for this issue?

    Thanks
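A triage sketch for the log records quoted in this thread, added here as an example and not posted by any participant or taken from Sophos: it parses the key="value" records, tolerating the url field's missing closing quote, and tallies per firewall rule the Denied records that carry a non-empty reason. The sample records are constructed, and reading a non-empty reason as a protocol-handling denial rather than a category block is an assumption.

```python
import re
from collections import Counter

# Constructed sample records (not from the thread's firewalls): same key="value"
# layout as the logs above, shortened, including the url field's missing quote.
SAMPLE_LOG = '''\
log_subtype="Denied" fw_rule_id="10" web_policy_id="13" category="Content Delivery" category_type="Acceptable" url="cdn.example.net/a.bif content_type="" dst_port="80" reason="HTTP pipelined request encountered." status_code="403"
log_subtype="Denied" fw_rule_id="12" web_policy_id="0" category="" category_type="Acceptable" url="" dst_port="80" reason="HTTP parsing error encountered." status_code="403"
log_subtype="Denied" fw_rule_id="10" web_policy_id="13" category="Gambling" category_type="Objectionable" url="bets.example.org/" dst_port="80" reason="" status_code="403"
log_subtype="Allowed" fw_rule_id="10" web_policy_id="13" category="Content Delivery" category_type="Acceptable" url="cdn.example.net/b.js" dst_port="80" reason="" status_code="200"
'''

# A field starts at the beginning of the line or after whitespace: name="
KEY = re.compile(r'(?:^|\s)(\w+)="')


def parse_record(line):
    """Split one record on key boundaries, so a value with a missing closing
    quote cannot swallow the fields that follow it."""
    marks = list(KEY.finditer(line))
    fields = {}
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(line)
        value = line[cur.end():end].rstrip()
        # Drop the closing quote when present; keep the value when it is not.
        fields[cur.group(1)] = value[:-1] if value.endswith('"') else value
    return fields


def protocol_denials(log_text):
    """Count Denied records with a non-empty reason, keyed by
    (fw_rule_id, reason). Assumption: such a reason means the request itself
    was rejected, not its category."""
    tally = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("log_subtype") == "Denied" and rec.get("reason"):
            tally[(rec.get("fw_rule_id"), rec["reason"])] += 1
    return tally


if __name__ == "__main__":
    for (rule, reason), count in sorted(protocol_denials(SAMPLE_LOG).items()):
        print(f"fw_rule_id={rule} denied={count} reason={reason}")
```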
