
[BUG] Web Filter blocking random categories

This is the web filter policy that I have applied to some firewall rules where I used the DPI engine

The web filter is blocking other random categories for no reason. This is the log

An example:

2020-03-16 13:30:39Web filtermessageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="10" user="samsungtv" user_group="Clientless Open Group" web_policy_id="13" web_policy="" category="Content Delivery" category_type="Acceptable" url="d25xi40x97liuc.cloudfront.net/.../70a53108-c477-4e1e-be16-2b5f2cc987fe_320w.bif" content_type="" override_token="" response_code="" src_ip="192.168.1.102" dst_ip="13.225.84.68" protocol="TCP" src_port="60076" dst_port="80" bytes_sent="661" bytes_received="0" domain="d25xi40x97liuc.cloudfront.net" exception="" activity_name="" reason="HTTP pipelined request encountered." user_agent="Ignition/1.0 (samsungtv, arm)" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="1501110912" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"


Why is this happening?



  • l0rdraiden,

    Check the website via the Policy Tester under the Diagnostics menu. Also, switch to Proxy mode and see if the websites are blocked.

    Regards

  • The web filter blocks the same stuff the policy tester allows. This is still the DPI mode. Anyway, it's a bug no matter whether it works with the web proxy.


  • I have seen a similar issue -- scenario:


    XG Home firewall (v18 latest build) with an IPSEC tunnel to home office (happens to be a SG UTM, latest build).  Tunnel is up, traffic routes fine... for the most part.  On the XG side a rule is configured to allow access from home office subnet to main office subnet, allow ANY -> ANY, NO web filtering enabled, NO IPS, NO App Control, etc.  Globally DPI is disabled (this was done later as a troubleshooting step).  Still... when Outlook starts on a laptop on the home office subnet, and it goes to port 80 on the mail server at the other end (the autodiscover, etc. traffic) the Web Content filter shows the following (some info redacted):


    2020-03-19 15:42:15Web filtermessageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="12" user="" user_group="" web_policy_id="0" web_policy="" category="" category_type="Acceptable" url="" content_type="" override_token="" response_code="" src_ip="IP_OF_LAPTOP_AT_HOME" dst_ip="EXCHANGE_2013_SERVER" protocol="TCP" src_port="65358" dst_port="80" bytes_sent="0" bytes_received="0" domain="" exception="" activity_name="" reason="HTTP parsing error encountered." user_agent="" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="4070301696" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"


    Using OWA to the same IP works fine, etc.  It's like the web filtering setting is being ignored on some firewall rules, and not entirely.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • See screenshots below of rule in question... since I'm sure that'll be asked :)


  • Can someone open a ticket?

    Can you provide support or an answer for this issue?

    Thanks

  • Similar problem as brucekconvergent.

    Ticket #9771627

  • BrucekConvergent said:


    XG Home firewall (v18 latest build) with an IPSEC tunnel to home office (happens to be a SG UTM, latest build).  Tunnel is up, traffic routes fine... for the most part.  On the XG side a rule is configured to allow access from home office subnet to main office subnet, allow ANY -> ANY, NO web filtering enabled, NO IPS, NO App Control, etc.  Globally DPI is disabled (this was done later as a troubleshooting step).  Still... when Outlook starts on a laptop on the home office subnet, and it goes to port 80 on the mail server at the other end (the autodiscover, etc. traffic) the Web Content filter shows the following (some info redacted):


    2020-03-19 15:42:15Web filtermessageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="12" user="" user_group="" web_policy_id="0" web_policy="" category="" category_type="Acceptable" url="" content_type="" override_token="" response_code="" src_ip="IP_OF_LAPTOP_AT_HOME" dst_ip="EXCHANGE_2013_SERVER" protocol="TCP" src_port="65358" dst_port="80" bytes_sent="0" bytes_received="0" domain="" exception="" activity_name="" reason="HTTP parsing error encountered." user_agent="" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="4070301696" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

    reason="HTTP parsing error encountered."


    It is having trouble parsing the data on port 80, thinking that it is not valid HTTP for some reason.

    When you say "Globally DPI is disabled" what do you mean?  You posted your firewall rule which indicates that you are using DPI not proxy.  If in the SSL/TLS inspection rules you set the SSL/TLS engine as disabled (use on for troubleshooting) it may be causing a problem with parsing some connections.

  • First of all, the rule as shown in the screenshot -- you'll note NO web content filtering selected, DPI or Web Proxy, so the web content filter from either module should not be involved, but yet they are!  This is the rule referenced in the log snippet.  I've also tried disabling TLS/SSL inspection globally, and tried leaving it on with exceptions set.


  • Just an FYI for anyone who's monitoring this thread: my issue (the TLS engine interfering in traffic flow even when it is "turned off completely") is resolved in v18 MR-1 (released today).  Give it a try.


  • Have you made any progress? I can easily reproduce the issue.

    I create an empty web filtering policy

    I apply it to the LAN WAN firewall rule for the PC I am using for testing

    I put this URL in my browser: https://pft-aresdev.rdatasrv.net/

    It gets blocked, and the web filtering policy is empty:

    2020-04-25 19:19:44Web filtermessageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="" fw_rule_id="6" user="" user_group="" web_policy_id="2" web_policy="" category="Games" category_type="Unproductive" url="pft-aresdev.rdatasrv.net/" content_type="" override_token="" response_code="" src_ip="192.168.1.30" dst_ip="10.40.255.246" protocol="TCP" src_port="53593" dst_port="443" bytes_sent="0" bytes_received="0" domain="pft-aresdev.rdatasrv.net" exception="" activity_name="" reason="" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="743776256" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

  • Hi,

    I am following this thread because I have the exact opposite issue: a site which is correctly classified is not blocked.

    I have checked my default policy and it has a lot of block stuff in it which I don't believe I added. I will check the default on my test system which I haven't modified.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  •  fw_rule_id="6"

    web_policy_id="2"


    Web policy 2 is Deny All.  What is firewall rule 6, is that the one you posted?  You can see the id # in WebAdmin (this is not the first column).  If it is hitting the wrong firewall rule, check your ordering and source/destination matching logic.  You can also try using the policy tester (see tab of the log viewer).
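As an added example (not code from any poster or from Sophos), here is a small Python parser for the XG web-filter log format quoted in this thread. It recovers the timestamp and component name that the log viewer fuses onto `messageid`, then tags each denial as a protocol parse rejection (`reason="HTTP ..."`), a denial on a rule with no web policy attached (`web_policy_id="0"`), or a genuine category hit, so that the `fw_rule_id` and `web_policy_id` can be matched against the ids shown in WebAdmin as suggested above. The sample lines are constructed to mirror the three denials posted here and carry only a subset of the fields.

```python
import re

# Sophos XG web filter lines fuse the timestamp and component ("Web filter") directly
# onto the first key, which is always messageid for this log type.
HEADER_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(.*?)(?=messageid=")')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

SAMPLE_LINES = [  # constructed to mirror the three denials quoted in the thread
    '2020-03-16 13:30:39Web filtermessageid="16002" log_subtype="Denied" fw_rule_id="10" '
    'web_policy_id="13" category="Content Delivery" category_type="Acceptable" dst_port="80" '
    'reason="HTTP pipelined request encountered." status_code="403"',
    '2020-03-19 15:42:15Web filtermessageid="16002" log_subtype="Denied" fw_rule_id="12" '
    'web_policy_id="0" category="" dst_ip="EXCHANGE_2013_SERVER" dst_port="80" '
    'reason="HTTP parsing error encountered." status_code="403"',
    '2020-04-25 19:19:44Web filtermessageid="16002" log_subtype="Denied" fw_rule_id="6" '
    'web_policy_id="2" category="Games" category_type="Unproductive" dst_port="443" '
    'reason="" status_code="403"',
]

def parse_xg_log(line: str) -> dict:
    """Split one key="value" line into a dict, recovering the fused prefix."""
    fields, body = {}, line
    m = HEADER_RE.match(line)
    if m:
        fields["timestamp"], fields["component"] = m.group(1), m.group(2).strip()
        body = line[m.end():]  # parse keys only after the fused prefix
    fields.update(KV_RE.findall(body))
    return fields

def triage_denial(fields: dict) -> list:
    """Tag a Denied entry: protocol parse failure, missing policy, or a real category hit."""
    if fields.get("log_subtype") != "Denied":
        return []
    tags = []
    if fields.get("reason", "").startswith("HTTP"):
        # The DPI engine refused the stream as malformed HTTP; the category is irrelevant.
        tags.append("protocol_parse_denial")
    if fields.get("web_policy_id") in ("", "0"):
        # Denied although no web policy is attached: the filter ran on a rule it should not.
        tags.append("no_web_policy_on_rule")
    return tags or ["category_denial"]

def summarize(lines: list) -> list:
    """(fw_rule_id, web_policy_id, tags) per line, to match against ids shown in WebAdmin."""
    rows = []
    for f in map(parse_xg_log, lines):
        rows.append((f.get("fw_rule_id", ""), f.get("web_policy_id", ""), triage_denial(f)))
    return rows
```

Feed it the raw lines copied from Log Viewer; rows tagged `protocol_parse_denial` point at the DPI engine rather than at the web policy, and rows with `no_web_policy_on_rule` are the ones worth checking against the firewall rule's actual settings.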

  • Hi rfcat,

    The default policy that comes out of the box has a lot of rules that are present but disabled (see status column), only the top two are enabled.  You have disabled them as well so for you this rule behaves as an Allow All.

  • Hi Michael,

    I reviewed my test XG and found

    1/. the default policy has two policies enabled

    2/. the default business policy has all policies enabled

    So in summary using the default web policies would block a lot of sites.

    ian


  • rfcat_vk said:

    Hi Michael,

    I reviewed my test XG and found

    1/. the default policy has two policies enabled

    In the screenshot you provided, the last column, "status", has all the sliders set to Off, and the "In Use" count for the policy overall is 0, meaning you don't have it used by a firewall rule.


    Can you show me screenshots of the web policy you are trying to hit, the firewall rule you are trying to hit, the list of all firewall rules, the detailed Log Viewer log, and the results of the Policy Tester for the source/destination?

  • Hi Michael,

    You misunderstood my post. I was talking about the default policies in regard to this thread, because the poster was using the default policy and seeing blocked access to sites. I do not use the default policy in any of my web filters.

    Ian


  • I had this issue as well and couldn't seem to fix it - For me the fix ended up being to run "set http relay_invalid_http_traffic on" from the Console (not ssh).