
How to Block specific URL path on Sophos XG

Hi, I'm brand new to Sophos and I'm experimenting with the web filtering capabilities. I have a test box set up and have basic filtering working for HTTP and HTTPS. The categories I am denying in a rule are Anonymizers, Nudity, Sexually Explicit, Swimwear & Lingerie. The entries I am denying in the rule with domain / keyword are www.facebook.com/hanhphucvagiadinh/ and facebook.com/hanhphucvagiadinh/.

In my testing I am still able to browse to www.facebook.com/.../, which I would like to be blocked. But I don't want to block all of facebook.com and it is correctly categorized as all Link. Is it currently possible to somehow block just this path at facebook.com? I've done some googling and haven't found a definitive answer.

The Sophos firmware version is v17, and I enabled Scan HTTP and decrypt HTTPS on the firewall rule, but the result is that this link is not blocked.

Please help me solve the problem.



  • Hello Keyur

    Thanks for watching and replying to support me.

    I tried configuring with the instructions in your link before posting this, but the result did not block the link as I expected.

    I tried configuring web filtering with the firmware update v18; there I need to import the certificate on the client computer and enable Scan HTTP and decrypt HTTPS. But on firmware v17, I am not shown the certificate in the same way.

    However, my customers use a lot of personal mobile devices and I cannot install the certificate on all of them.

    Please help me soon

  • It is not possible.

    If you cannot decrypt the traffic, you cannot block URLs. 

    Take a look at the TLS handshake process. There is one chance to check for the domain without decryption. After the TLS handshake, the traffic is decrypted and not visible to XG. Hence it cannot block a specific URL.

    In the TLS handshake, there is an SNI, which indicates the domain, but not the URL.

     

    More information: 

    https://community.sophos.com/kb/en-us/132997

     

    PS: All vendors are having this issue. 

    PS2: You could import the certificate into the mobile devices, but on personal devices, you cannot block this.

    __________________________________________________________________________________________________________________

  • Hi LuCar Toni 

    Thanks for watching and replying to me.

    What if I configure Sophos XG to become a DNS server? The intent is to create records for the URLs pointing to a local IP, so that the domain name resolves wrongly.

    Is this possible?

    This is just an idea of mine.

     

     

  • You cannot specify a URL on his IP. 

    The Client will ask for "Facebook.com". 

    If you browse to / or /Username, it is still facebook.com.

    __________________________________________________________________________________________________________________